xrdp is terminated when the port 3389 connection is denied

Article ID: 205280

Products

CA Virtual Privilege Manager, CA Privileged Identity Management Endpoint (PIM)

Issue/Introduction

The xrdp service is terminated when a connection to port 3389 is denied by a PIM rule.
 
Check xrdp status:
# service xrdp status
xrdp (pid  13780) is running...
xrdp-sesman (pid  13785) is running...
# ps -ef | grep xrdp | grep -v grep
root     13780     1  0 13:56 pts/1    00:00:00 /usr/sbin/xrdp
root     13785     1  0 13:56 pts/1    00:00:00 /usr/sbin/xrdp-sesman
 
Create the rule:
AC> so class+(TCP)
AC> er tcp 3389 audit(a) defacc(r) owner(nobody)
AC> er host <windows host>
AC> auth tcp 3389 acc(n) host(<windows host>)
 
Start mstsc.exe on <windows host> and try to connect via RDP.
-> The connection is denied. This is expected.
 
Audit log:
06 Nov 2020 14:07:31 D TCP          ms-wbt-server           404  3 10.230.57.198        /usr/sbin/xrdp
 
Check xrdp status again:
# service xrdp status
xrdp dead but subsys locked
xrdp-sesman (pid  13785) is running...
# ps -ef | grep xrdp | grep -v grep
root     13785     1  0 13:56 pts/1    00:00:00 /usr/sbin/xrdp-sesman
 
After PIM denies the TCP 3389 connection, the xrdp service is terminated.
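
The reproduction above can be turned into a check that correlates the PIM deny record with the dead xrdp daemon. This is an added example, not part of the original article or the vendor's tooling; the audit column positions are inferred from the single record shown above, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example, not from the KB article.
# Constructed sample input: lines copied from the article's own output.
SAMPLE_AUDIT='06 Nov 2020 14:07:31 D TCP          ms-wbt-server           404  3 10.230.57.198        /usr/sbin/xrdp'
SAMPLE_STATUS_DEAD='xrdp dead but subsys locked
xrdp-sesman (pid  13785) is running...'
SAMPLE_STATUS_OK='xrdp (pid  13780) is running...
xrdp-sesman (pid  13785) is running...'

# Read audit records on stdin; print "date time peer" for each denied TCP
# record on the RDP port whose program is xrdp.
# Assumption: whitespace-separated columns as in the article's single record:
# $1-$3 date, $4 time, $5 result (D = denied), $6 class, $7 service,
# $10 peer address, $11 program. A numeric 3389 in $7 is also accepted.
xrdp_denies() {
    awk '$5 == "D" && $6 == "TCP" && ($7 == "ms-wbt-server" || $7 == "3389") &&
         $11 == "/usr/sbin/xrdp" { print $1 "-" $2 "-" $3, $4, $10 }'
}

# Read `service xrdp status` output on stdin; succeed if the main xrdp daemon
# (not xrdp-sesman) is reported dead.
xrdp_is_dead() {
    grep -Eq '^xrdp dead'
}

# $1 = audit text, $2 = status text. Prints one line per matching deny and
# returns 0 only when a deny is on record AND xrdp is dead.
check_xrdp_after_deny() {
    denies=$(printf '%s\n' "$1" | xrdp_denies)
    [ -n "$denies" ] || return 1
    printf '%s\n' "$2" | xrdp_is_dead || return 1
    printf '%s\n' "$denies" | while read -r day time peer; do
        echo "xrdp dead after PIM deny at $day $time from $peer"
    done
}

# Demo on the constructed samples.
check_xrdp_after_deny "$SAMPLE_AUDIT" "$SAMPLE_STATUS_DEAD"
```

On a live host, pass the audit listing and the output of `service xrdp status` as the two arguments.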
 

Environment

Release : 12.8 SP1

Component : CA ControlMinder - Unix

Resolution

This is not a defect in PIM.
PIM has worked correctly in denying the connection.
The problem is in how xrdp handles an aborted connection.
If this needs to be resolved, it has to be done in xrdp.