/var/log/xrdp.log has no failed login such as ssh failed log. #1946

Closed
MikoyChinese opened this issue Jul 19, 2021 · 1 comment · Fixed by #1947

@MikoyChinese

Hi,

Now I am using xrdp on a public network for remote desktop. But for security, I need to know who tries to log in to my xrdp and to forbid it. Now I am using fail2ban to ban these IPs, but when I check the xrdp log in /var/log/xrdp.log, it just looks like this:

[20210719-14:17:51] [INFO ] Socket 12: AF_INET6 connection received from ::ffff:80.66.76.27 port 33250
[20210719-14:17:51] [INFO ] Using default X.509 certificate: /etc/xrdp/cert.pem
[20210719-14:17:51] [INFO ] Using default X.509 key file: /etc/xrdp/key.pem
[20210719-14:17:51] [ERROR] SSL_accept: I/O error
[20210719-14:17:51] [ERROR] trans_set_tls_mode: ssl_tls_accept failed
[20210719-14:17:51] [ERROR] xrdp_sec_incoming: trans_set_tls_mode failed
[20210719-14:17:51] [ERROR] xrdp_rdp_incoming: xrdp_sec_incoming failed
[20210719-14:17:51] [ERROR] xrdp_process_main_loop: libxrdp_process_incoming failed
[20210719-14:17:51] [ERROR] SSL_shutdown: Failure in SSL library (protocol error?)

It's so complex to check whether this IP failed to log in and for what reason.

Here is ssh login log:

Failed password for invalid user backups from 176.111.173.156 port 9292 ssh2

Can I obtain the failed log in my xrdp?

@matt335672
Member

The xrdp process doesn't handle authentication - it's handled by the sesman process.

Failed logins are not currently logged - it's a known problem (#1724). You will get some information out of /var/log/auth.log but that won't log anything for unknown users.

I'll bump the priority up a bit.
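
Since failed logins are not written to /var/log/xrdp.log, the most that log offers is a per-source count of connections and TLS handshake failures, which is a proxy signal and not an authentication result. The sketch below is an added example, not part of this thread or of the xrdp project; it parses the line layout quoted in the issue, and the sample lines, addresses and function names are constructed for illustration.

```python
import ipaddress
import re
from collections import Counter

# Line layout as shown in the issue: [YYYYMMDD-HH:MM:SS] [LEVEL] message
LINE_RE = re.compile(r"^\[\d{8}-\d{2}:\d{2}:\d{2}\] \[(\w+)\s*\] (.*)$")
CONN_RE = re.compile(r"connection received from (\S+) port \d+")
TLS_FAIL = "trans_set_tls_mode: ssl_tls_accept failed"
# Constructed sample in the issue's format (documentation-range addresses).
SAMPLE = """\
[20210719-14:17:51] [INFO ] Socket 12: AF_INET6 connection received from ::ffff:203.0.113.7 port 33250
[20210719-14:17:51] [ERROR] SSL_accept: I/O error
[20210719-14:17:51] [ERROR] trans_set_tls_mode: ssl_tls_accept failed
[20210719-14:18:02] [INFO ] Socket 12: AF_INET6 connection received from ::ffff:203.0.113.7 port 33260
[20210719-14:18:02] [ERROR] trans_set_tls_mode: ssl_tls_accept failed
[20210719-14:19:10] [INFO ] Socket 12: AF_INET6 connection received from ::ffff:198.51.100.20 port 50122
"""


def normalize_ip(text):
    """Return the peer address as text, unwrapping ::ffff:a.b.c.d; None if invalid."""
    try:
        addr = ipaddress.ip_address(text)
    except ValueError:
        return None
    return str(getattr(addr, "ipv4_mapped", None) or addr)


def summarize(lines):
    """Count connections and TLS handshake failures per source address.

    Assumption: an ERROR line belongs to the latest 'connection received' line;
    lines carry no connection id, so concurrent connections can be misattributed.
    """
    connections, tls_failures = Counter(), Counter()
    current = None
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip anything that is not in the expected layout
        level, msg = m.groups()
        conn = CONN_RE.search(msg)
        if conn:
            current = normalize_ip(conn.group(1))
            if current:
                connections[current] += 1
        elif level == "ERROR" and msg == TLS_FAIL and current:
            tls_failures[current] += 1
    return connections, tls_failures
```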
