Hi,

> > Are you sure this is in fact the one connection you are closing?
>
> I don't see what else it could be, certainly nothing legitimate. The
> only access to the box was me testing xrdp, running a tail -f
> alongside.

OK.

> > Is the system connected to the internet (and reachable from there on the
> > RDP port)?
>
> Yes, it's connected to the internet, no it's not reachable from
> outside the LAN (on any port).

Can you please double-check that? Please also grep in your log files and in /etc for this IP address. Does it also show up anywhere else?

> > Removing the security tag as I do not see how IP based connections from
> > somewhere to your host could be a security bug in xrdp.
>
> Well, either xrdp is "phoning home" (worrying, but unlikely) or the
> displayed IP address is bogus (parsing error, an off pointer ...) --
> both are potentially security relevant.

I doubt either. The first because what you see is a *client* address connecting to xrdp on your host - so even *if* it were a reaction to some phoning home, it would still involve your system being reachable from the internet, which you deny; the second because the IP address is taken directly from the socket structure, so if there were a bug, it would be in libc and this would not be the only reference to it ;).

If the address shows up nowhere else and you are absolutely positive it cannot be background noise from the internet, then we will have to wait for someone else hitting this bug, or collect more information, e.g. do a tcpdump on your system while it occurs (speaking of that - can you actually reproduce the issue?).

Cheers,
Nik

--
PGP-Fingerprint: 3C9D 54A4 7575 C026 FB17 FD26 B79A 3C16 A0C4 F296
Dominik George · Mobil: +49-1520-1981389
Teckids e.V. · FrOSCon e.V. · OpenRheinRuhr e.V.
Fellowship of the FSFE · Piratenpartei Deutschland
Opencaching Deutschland e.V. · Debian Contributor
LPIC-3 Linux Enterprise Professional (Security)