Date Created: 2025-03-29 By: 16BitMiker
Remote Desktop Protocol (RDP) servers are prime targets for attackers performing brute force attempts against exposed services. If you're running an xrdp server on your Debian 12 system, implementing proper security measures is essential. Fail2ban provides an elegant solution by automatically identifying and blocking IP addresses that exhibit suspicious behavior like multiple failed login attempts.
This guide walks you through the complete process of configuring fail2ban to protect your xrdp installation, explaining both the how and why of each step.
Before we begin, ensure you have:
Debian 12 (Bookworm) installed with sudo access
xrdp installed and running
fail2ban installed
If fail2ban isn't already installed on your system, you can easily install it with:
sudo apt update
sudo apt install fail2ban
To effectively configure fail2ban, we first need to understand how xrdp logs authentication failures. This is crucial because fail2ban works by parsing log files to identify patterns indicating attack attempts.
On Debian 12, xrdp logs information in two primary locations:
Log files (typically in /var/log/)
The systemd journal
After analyzing the logs, we've determined that authentication failures are recorded in the systemd journal with messages in this format:
[INFO ] AUTHFAIL: user=username ip=192.168.1.100 time=1742402495
This distinct message pattern is what we'll use to identify failed login attempts.
Fail2ban uses "filters" (regex patterns) to scan logs and identify failed login attempts. Since xrdp isn't included in fail2ban's default filters, we'll create a custom one:
sudo vim /etc/fail2ban/filter.d/xrdp.conf
Add the following content to the file:
[Definition]
# This regex matches the AUTHFAIL message format from xrdp's logs
# The <HOST> tag is a special placeholder that fail2ban recognizes as the IP to ban
failregex = AUTHFAIL: user=\S+ ip=<HOST> time=\d+
# We don't need to ignore any patterns for this filter
ignoreregex =
This filter uses a regular expression to match the "AUTHFAIL" message pattern. The <HOST> tag is special: it tells fail2ban which part of the log message contains the IP address to ban.
Before implementing the filter in a live environment, it's prudent to verify that it correctly identifies failed login attempts:
sudo fail2ban-regex "$(sudo journalctl -u xrdp-sesman.service -n 1000)" /etc/fail2ban/filter.d/xrdp.conf
This command:
Retrieves the last 1000 log entries from the xrdp-sesman service
Tests our filter against these log entries
Shows us how many matches were found
You should see output indicating that the filter successfully matched authentication failure messages. If no matches appear, you may need to generate some failed login attempts for testing purposes.
In fail2ban terminology, a "jail" defines what to monitor and what actions to take when suspicious activity is detected. Let's create a jail specifically for xrdp:
sudo vim /etc/fail2ban/jail.local
If this file doesn't exist yet, create it. Add the following section. Note that fail2ban's configuration parser only treats # as a comment at the start of a line (an inline comment after a value would become part of that value), so each comment is kept on its own line:
[xrdp]
# Activates this jail
enabled = true
# The default RDP port to block
port = 3389
# Uses our custom filter created earlier
filter = xrdp
# Reads logs from the systemd journal
backend = systemd
# Only match logs from this specific service
journalmatch = _SYSTEMD_UNIT=xrdp-sesman.service
# Ban after 5 failed attempts
maxretry = 5
# Ban duration in seconds (24 hours)
bantime = 86400
# Time window in seconds (1 hour) to count failed attempts
findtime = 3600
This configuration tells fail2ban to:
Monitor the xrdp-sesman service logs
Look for patterns matching our custom filter
Ban IPs that have 5 or more failed logins within a 1-hour period
Apply the ban for 24 hours
The values for maxretry, bantime, and findtime can be adjusted based on your security requirements and typical usage patterns.
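To make the filter and jail semantics concrete, here is an added Python example (not code from the original post, not fail2ban's own implementation) that applies the failregex above to a handful of constructed journal lines and then counts failures per address the way the [xrdp] jail does: a sliding findtime window, a ban once maxretry failures land inside it, and a ban that lasts bantime seconds. The <HOST> expansion is a simplified stand-in for fail2ban's real one, and the example uses xrdp's own time= field as the event time, where real fail2ban uses the journal entry's timestamp; both are assumptions made for the illustration.

```python
import re
from collections import defaultdict, deque

# failregex exactly as written in /etc/fail2ban/filter.d/xrdp.conf
FAILREGEX = r"AUTHFAIL: user=\S+ ip=<HOST> time=\d+"

# fail2ban expands <HOST> into a named group matching an IPv4/IPv6 address or
# hostname. This stand-in (an assumption, not fail2ban's own expansion) accepts
# only IPv4/IPv6 literals, which is all xrdp writes into that field.
HOST_GROUP = r"(?P<host>[0-9A-Fa-f:.]+)"

# Jail parameters from the [xrdp] section
MAXRETRY = 5
FINDTIME = 3600    # seconds (1 hour)
BANTIME = 86400    # seconds (24 hours)

# Constructed sample journal messages (not captured from a real host).
# 203.0.113.7 fails five times within 40 seconds; 198.51.100.20 also fails
# five times but spaced 3700 s apart, so no 1-hour window ever holds all five;
# the last line is unrelated xrdp chatter the filter must ignore.
SAMPLE_JOURNAL = [
    "[INFO ] AUTHFAIL: user=admin ip=203.0.113.7 time=1742402400",
    "[INFO ] AUTHFAIL: user=admin ip=203.0.113.7 time=1742402410",
    "[INFO ] AUTHFAIL: user=root ip=203.0.113.7 time=1742402420",
    "[INFO ] AUTHFAIL: user=test ip=203.0.113.7 time=1742402430",
    "[INFO ] AUTHFAIL: user=user ip=203.0.113.7 time=1742402440",
    "[INFO ] AUTHFAIL: user=bob ip=198.51.100.20 time=1742402400",
    "[INFO ] AUTHFAIL: user=bob ip=198.51.100.20 time=1742406100",
    "[INFO ] AUTHFAIL: user=bob ip=198.51.100.20 time=1742409800",
    "[INFO ] AUTHFAIL: user=bob ip=198.51.100.20 time=1742413500",
    "[INFO ] AUTHFAIL: user=bob ip=198.51.100.20 time=1742417200",
    "[INFO ] xrdp_wm_log_msg: connecting to sesman on 127.0.0.1:3350",
]


def compile_failregex(failregex=FAILREGEX):
    """Turn a fail2ban-style failregex into a Python pattern with a 'host' group."""
    return re.compile(failregex.replace("<HOST>", HOST_GROUP))


def extract_failures(lines, regex=None):
    """Return (host, epoch_seconds) for every line the filter matches, in log order.

    Assumption: the time= field is epoch seconds and serves as the event time;
    real fail2ban takes the timestamp of the journal entry instead.
    """
    regex = regex or compile_failregex()
    failures = []
    for line in lines:
        match = regex.search(line)
        if match:
            epoch = int(re.search(r"time=(\d+)", line).group(1))
            failures.append((match.group("host"), epoch))
    return failures


def simulate_jail(failures, maxretry=MAXRETRY, findtime=FINDTIME, bantime=BANTIME):
    """Sliding-window counter per host, modelled on a fail2ban jail.

    Returns {host: (ban_start, ban_end)} for every host that reached maxretry
    failures inside a single findtime window.
    """
    recent = defaultdict(deque)   # host -> failure times still inside findtime
    bans = {}
    for host, t in sorted(failures, key=lambda f: f[1]):
        if host in bans and t < bans[host][1]:
            continue              # already banned: the firewall would drop this connection
        window = recent[host]
        window.append(t)
        while window and window[0] < t - findtime:
            window.popleft()      # forget failures older than findtime
        if len(window) >= maxretry:
            bans[host] = (t, t + bantime)
            window.clear()
    return bans


if __name__ == "__main__":
    failures = extract_failures(SAMPLE_JOURNAL)
    print(f"{len(failures)} AUTHFAIL lines matched")
    for host, (start, end) in simulate_jail(failures).items():
        print(f"ban {host} from {start} until {end}")
```

Running it bans only 203.0.113.7; rerunning simulate_jail with findtime=86400 also bans 198.51.100.20, which shows why findtime deserves as much thought as maxretry: a slow attacker pacing attempts just outside the window is never counted.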
Apply your configuration by restarting the fail2ban service:
sudo systemctl restart fail2ban
This restart loads your new jail configuration and activates the protection for your xrdp server.
To ensure everything is working correctly, check that your jail is active:
sudo fail2ban-client status
This should list "xrdp" among the active jails. For more detailed information about the xrdp jail:
sudo fail2ban-client status xrdp
You should see output similar to:
Status for the jail: xrdp
|- Filter
| |- Currently failed: 0
| |- Total failed: 0
| `- Journal matches: _SYSTEMD_UNIT=xrdp-sesman.service
`- Actions
|- Currently banned: 0
|- Total banned: 0
`- Banned IP list:
This confirms that the jail is properly configured and actively monitoring for failed login attempts.
To verify your setup works correctly in practice, generate some failed login attempts:
Use an RDP client (like Remmina, FreeRDP, or Windows Remote Desktop) to attempt to connect to your server
Enter an incorrect username or password multiple times (more than the maxretry value)
Check if the IP is banned:
sudo fail2ban-client status xrdp
After exceeding the maximum retry count, you should see your IP in the "Banned IP list," confirming that fail2ban is successfully identifying and blocking suspicious activity.
To see all currently banned IPs across all jails:
sudo fail2ban-client banned
If you need to unban an IP address (perhaps you locked yourself out during testing):
sudo fail2ban-client set xrdp unbanip 192.168.1.100
Replace 192.168.1.100 with the actual IP you want to unban.
To monitor fail2ban's activity in real-time:
sudo tail -f /var/log/fail2ban.log
This shows you all fail2ban actions as they occur, including when IPs are banned or unbanned.
By default, fail2ban uses iptables to ban IPs. You can customize this by setting the banaction parameter in your jail configuration:
banaction = iptables-multiport
Other options include iptables-allports (to block all ports, not just RDP) or nftables-multiport if you're using nftables instead.
To receive email notifications when an IP is banned:
action = %(action_mwl)s
This requires a properly configured mail service on your server. The notification includes details about the ban, including which jail triggered it and the offending IP address.
To prevent certain IPs from being banned (useful for internal networks or trusted addresses), create a file called /etc/fail2ban/jail.d/ip-whitelist.conf:
[DEFAULT]
# This applies the whitelist to all jails
# The list includes localhost and a trusted internal subnet
ignoreip = 127.0.0.1/8 192.168.1.0/24
This example whitelists localhost and the entire 192.168.1.x subnet, ensuring they won't be banned even if they exceed the retry limit.
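The following added Python example (not from the original post and not fail2ban's own code) shows how an ignoreip list like the one above is evaluated: each entry is parsed as a network, and an offending address is exempt from banning if it falls inside any of them. It is built with the standard ipaddress module, and the candidate addresses are constructed for the illustration. It also makes one practical point visible: the list above covers IPv4 loopback and 192.168.1.0/24 only, so the IPv6 loopback ::1 is not exempt unless you add it.

```python
import ipaddress

# ignoreip exactly as written in /etc/fail2ban/jail.d/ip-whitelist.conf
IGNOREIP = "127.0.0.1/8 192.168.1.0/24"


def parse_ignoreip(value):
    """Parse fail2ban's space-separated ignoreip value into network objects.

    strict=False lets an entry with host bits set, such as 127.0.0.1/8, stand
    for its whole network (127.0.0.0/8); with strict=True ipaddress would reject it.
    """
    return [ipaddress.ip_network(entry, strict=False) for entry in value.split()]


def is_ignored(ip, networks):
    """True if ip lies inside any ignoreip network (IPv4/IPv6 never mix)."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in networks)


def bannable(candidates, ignoreip=IGNOREIP):
    """Reduce a list of offending addresses to those the jail may actually ban."""
    networks = parse_ignoreip(ignoreip)
    return [ip for ip in candidates if not is_ignored(ip, networks)]


# Constructed candidates (not real offenders): two inside the whitelist, two
# outside it, and the IPv6 loopback, which this ignoreip does NOT cover.
CANDIDATES = ["192.168.1.55", "127.0.0.1", "203.0.113.7", "192.168.2.5", "::1"]

if __name__ == "__main__":
    for ip in CANDIDATES:
        verdict = "ignored" if is_ignored(ip, parse_ignoreip(IGNOREIP)) else "bannable"
        print(f"{ip:>15}  {verdict}")
```

If local IPv6 connections can reach xrdp, extend the list to "127.0.0.1/8 ::1 192.168.1.0/24" so the loopback is exempt in both address families.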
If fail2ban isn't detecting failed login attempts:
Verify xrdp is logging correctly:
sudo journalctl -u xrdp-sesman.service | grep -i "fail\|error\|auth"
Check if your filter matches the log format:
sudo fail2ban-regex "$(sudo journalctl -u xrdp-sesman.service -n 100)" /etc/fail2ban/filter.d/xrdp.conf
Make sure the jail is enabled:
sudo fail2ban-client status | grep xrdp
If IPs are being detected but not banned:
Check fail2ban's log for errors:
sudo grep xrdp /var/log/fail2ban.log
Verify iptables is working:
sudo iptables -L
This displays the current firewall rules, allowing you to confirm whether fail2ban's rules are being properly applied.
While fail2ban provides excellent protection against brute force attacks, it should be part of a broader security strategy:
Use strong passwords: Enforce complex passwords for all users with remote access
Enable 2FA: Consider setting up two-factor authentication for xrdp sessions
Restrict access: Use a VPN or IP whitelisting to limit who can connect to your xrdp server
Regular updates: Keep your system and xrdp software up to date with security patches
Limit user permissions: Ensure xrdp users have only the permissions they need
Remember that defense in depth is key to robust security. Fail2ban is one layer, but combining multiple strategies provides the strongest protection.
You've successfully configured fail2ban to protect your xrdp server from brute force attacks. This setup automatically bans IP addresses that make too many failed login attempts, significantly improving your server's security posture without requiring constant manual monitoring.
Remember to periodically check the fail2ban logs and banned IP list to monitor for attack attempts. You may need to adjust the maxretry, findtime, and bantime parameters based on your specific security requirements and the volume of legitimate login attempts.
By implementing this protection, you've taken an important step toward securing your remote desktop environment on Debian 12.