GNOME Remote Desktop "Network or Intentional disconnect" log every second

Fedora Server 40, SELinux is in Permissive mode, latest updates.

Every 1-3 seconds, my system journal gets this log:

Aug 21 23:51:52 fedora-remote gnome-remote-desktop-daemon[95687]: [23:51:52:560] [95687:00017683] [ERROR][com.winpr.sspi.NTLM] - [ntlm_fetch_ntlm_v2_hash]: Error: Could not find user in SAM database
Aug 21 23:51:52 fedora-remote gnome-remote-desktop-daemon[95687]: [23:51:52:560] [95687:00017683] [WARN][com.winpr.sspi] - [winpr_AcceptSecurityContext]: AcceptSecurityContext status SEC_E_INTERNAL_ERROR [0x80090304]
Aug 21 23:51:52 fedora-remote gnome-remote-desktop-daemon[95687]: [23:51:52:560] [95687:00017683] [ERROR][com.freerdp.core.auth] - [credssp_auth_authenticate]: AcceptSecurityContext failed with SEC_E_INTERNAL_ERROR [0x80090304]
Aug 21 23:51:52 fedora-remote gnome-remote-desktop-daemon[95687]: [23:51:52:560] [95687:00017683] [ERROR][com.freerdp.core.transport] - [transport_accept_nla]: client authentication failure
Aug 21 23:51:52 fedora-remote gnome-remote-desktop-daemon[95687]: [23:51:52:561] [95687:00017683] [ERROR][com.freerdp.core.peer] - [peer_recv_callback_internal]: CONNECTION_STATE_NEGO - rdp_server_accept_nego() fail
Aug 21 23:51:52 fedora-remote gnome-remote-desktop-daemon[95687]: [23:51:52:561] [95687:00017683] [ERROR][com.freerdp.core.transport] - [transport_check_fds]: transport_check_fds: transport->ReceiveCallback() - STATE_RUN_FAILED [-1]
Aug 21 23:51:52 fedora-remote gnome-remote-de[95687]: [RDP] Network or intentional disconnect, stopping session
Aug 21 23:51:54 fedora-remote gnome-remote-desktop-daemon[95687]: [23:51:54:312] [95687:00017779] [ERROR][com.winpr.sspi.NTLM] - [ntlm_fetch_ntlm_v2_hash]: Error: Could not find user in SAM database
Aug 21 23:51:54 fedora-remote gnome-remote-desktop-daemon[95687]: [23:51:54:312] [95687:00017779] [WARN][com.winpr.sspi] - [winpr_AcceptSecurityContext]: AcceptSecurityContext status SEC_E_INTERNAL_ERROR [0x80090304]
Aug 21 23:51:54 fedora-remote gnome-remote-desktop-daemon[95687]: [23:51:54:312] [95687:00017779] [ERROR][com.freerdp.core.auth] - [credssp_auth_authenticate]: AcceptSecurityContext failed with SEC_E_INTERNAL_ERROR [0x80090304]
Aug 21 23:51:54 fedora-remote gnome-remote-desktop-daemon[95687]: [23:51:54:312] [95687:00017779] [ERROR][com.freerdp.core.transport] - [transport_accept_nla]: client authentication failure
Aug 21 23:51:54 fedora-remote gnome-remote-desktop-daemon[95687]: [23:51:54:312] [95687:00017779] [ERROR][com.freerdp.core.peer] - [peer_recv_callback_internal]: CONNECTION_STATE_NEGO - rdp_server_accept_nego() fail
Aug 21 23:51:54 fedora-remote gnome-remote-desktop-daemon[95687]: [23:51:54:313] [95687:00017779] [ERROR][com.freerdp.core.transport] - [transport_check_fds]: transport_check_fds: transport->ReceiveCallback() - STATE_RUN_FAILED [-1]
Aug 21 23:51:54 fedora-remote gnome-remote-de[95687]: [RDP] Network or intentional disconnect, stopping session
Aug 21 23:51:55 fedora-remote gnome-remote-desktop-daemon[95687]: [23:51:55:015] [95687:0001777d] [ERROR][com.winpr.sspi.NTLM] - [ntlm_fetch_ntlm_v2_hash]: Error: Could not find user in SAM database
Aug 21 23:51:55 fedora-remote gnome-remote-desktop-daemon[95687]: [23:51:55:015] [95687:0001777d] [WARN][com.winpr.sspi] - [winpr_AcceptSecurityContext]: AcceptSecurityContext status SEC_E_INTERNAL_ERROR [0x80090304]
Aug 21 23:51:55 fedora-remote gnome-remote-desktop-daemon[95687]: [23:51:55:015] [95687:0001777d] [ERROR][com.freerdp.core.auth] - [credssp_auth_authenticate]: AcceptSecurityContext failed with SEC_E_INTERNAL_ERROR [0x80090304]
Aug 21 23:51:55 fedora-remote gnome-remote-desktop-daemon[95687]: [23:51:55:015] [95687:0001777d] [ERROR][com.freerdp.core.transport] - [transport_accept_nla]: client authentication failure
Aug 21 23:51:55 fedora-remote gnome-remote-desktop-daemon[95687]: [23:51:55:016] [95687:0001777d] [ERROR][com.freerdp.core.peer] - [peer_recv_callback_internal]: CONNECTION_STATE_NEGO - rdp_server_accept_nego() fail
Aug 21 23:51:55 fedora-remote gnome-remote-desktop-daemon[95687]: [23:51:55:016] [95687:0001777d] [ERROR][com.freerdp.core.transport] - [transport_check_fds]: transport_check_fds: transport->ReceiveCallback() - STATE_RUN_FAILED [-1]
Aug 21 23:51:55 fedora-remote gnome-remote-de[95687]: [RDP] Network or intentional disconnect, stopping session
Aug 21 23:51:57 fedora-remote gnome-remote-desktop-daemon[95687]: [23:51:57:733] [95687:00017781] [ERROR][com.winpr.sspi.NTLM] - [ntlm_fetch_ntlm_v2_hash]: Error: Could not find user in SAM database
Aug 21 23:51:57 fedora-remote gnome-remote-desktop-daemon[95687]: [23:51:57:734] [95687:00017781] [WARN][com.winpr.sspi] - [winpr_AcceptSecurityContext]: AcceptSecurityContext status SEC_E_INTERNAL_ERROR [0x80090304]
Aug 21 23:51:57 fedora-remote gnome-remote-desktop-daemon[95687]: [23:51:57:734] [95687:00017781] [ERROR][com.freerdp.core.auth] - [credssp_auth_authenticate]: AcceptSecurityContext failed with SEC_E_INTERNAL_ERROR [0x80090304]
Aug 21 23:51:57 fedora-remote gnome-remote-desktop-daemon[95687]: [23:51:57:734] [95687:00017781] [ERROR][com.freerdp.core.transport] - [transport_accept_nla]: client authentication failure
Aug 21 23:51:57 fedora-remote gnome-remote-desktop-daemon[95687]: [23:51:57:734] [95687:00017781] [ERROR][com.freerdp.core.peer] - [peer_recv_callback_internal]: CONNECTION_STATE_NEGO - rdp_server_accept_nego() fail
Aug 21 23:51:57 fedora-remote gnome-remote-desktop-daemon[95687]: [23:51:57:734] [95687:00017781] [ERROR][com.freerdp.core.transport] - [transport_check_fds]: transport_check_fds: transport->ReceiveCallback() - STATE_RUN_FAILED [-1]

I’m not trying to log in via RDP and no one else is either (that I know of). What does this log mean and why does it happen so regularly?

Edit: I noticed when running grdctl --status I get:

[00:19:25:540] [101578:00018cca] [ERROR][com.freerdp.crypto] - [x509_utils_from_pem]: BIO_new failed for certificate
RDP server certificate is invalid.

Which is strange because I can still connect right now.

That log appears to indicate someone is attempting to connect via rdp.
Check your firewall and possibly consider disabling rdp to avoid unwanted intrusions. The error indicates a user that is not authorized.

It seems to indicate your system may be accessible remotely and thus is easily attacked.

Having selinux in permissive mode makes it more easily penetrated.


Unfortunately Fedora doesn’t ship an SELinux policy that works with GRD, so it needs to be disabled.

Thanks, that was my impression too… do you know if there’s a way to get the IP address of these users attempting to RDP in?

RDP is the main purpose of this server, so I can’t disable it. I’ll need to think about how best to limit access attempts…

Although tedious, it may be possible to do so with the use of the tcpdump command with the output redirected to a file. After a short time, while those events are being logged, stop the dump and review the log.

Tcpdump logs the details of every packet both received and sent so it will quickly become a very large file if left running for an extended time.

The timing (1 - 3 seconds) seems to indicate it may be a script that is trying repeatedly with a list of user names until it finds one that works.

Thanks so much!

I ran tcpdump -i any port 3389 and indeed, it’s a single IP address hammering the server.

That helps me figure out what I need to do from here.

One possibility would be to create a firewall rule that blocks that IP from that port. It won't stop the attempts but will prevent interacting with RDP, and the logs will stop. The attempts would be logged in the firewall log instead as a drop, and the remote user would see no responses.
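An added example, not code from this thread or from GNOME Remote Desktop, that ties the tcpdump suggestion and the firewall-rule suggestion together: it parses the text output of `tcpdump -i any -nn port 3389` to count inbound SYNs per source address, then builds the firewalld rich rule that drops a noisy source on tcp/3389 and logs the drops so the attempts remain visible. The capture lines are constructed sample data using documentation addresses; the threshold of 3, the `RDP_DROP` log prefix and the `APPLY=1` switch are my own choices, not anything the thread or firewalld prescribes.

```shell
#!/usr/bin/env bash
# Added example, not code from the thread: count RDP connection attempts per source
# in tcpdump output and generate firewalld rich rules for the noisy ones.
set -euo pipefail

# Constructed sample of `tcpdump -i any -nn -l port 3389` output. The interface and
# direction columns ("eth0  In") appear with -i any on tcpdump 4.99+; the fifth line
# shows the older format without them, and the parser accepts both.
SAMPLE_CAPTURE='23:51:52.560123 eth0  In  IP 203.0.113.5.51234 > 192.0.2.10.3389: Flags [S], seq 1, win 64240, length 0
23:51:52.560900 eth0  Out IP 192.0.2.10.3389 > 203.0.113.5.51234: Flags [S.], seq 2, ack 2, win 65160, length 0
23:51:54.312000 eth0  In  IP 203.0.113.5.51240 > 192.0.2.10.3389: Flags [S], seq 3, win 64240, length 0
23:51:55.015000 eth0  In  IP 203.0.113.5.51244 > 192.0.2.10.3389: Flags [S], seq 4, win 64240, length 0
23:51:57.733000 IP 203.0.113.5.51250 > 192.0.2.10.3389: Flags [S], seq 5, win 64240, length 0
23:52:01.100000 eth0  In  IP 198.51.100.7.40000 > 192.0.2.10.3389: Flags [S], seq 6, win 64240, length 0'

# Read tcpdump lines on stdin; print "<count> <source-address>" per source, busiest
# first. Only pure SYNs ("Flags [S],") towards port 3389 count, so the server's own
# SYN-ACK replies and the traffic of established sessions are ignored.
count_rdp_syns() {
  awk '
    /Flags \[S\],/ {
      src = ""; dst = ""
      for (i = 1; i <= NF; i++)
        if ($i == "IP" || $i == "IP6") { src = $(i + 1); dst = $(i + 3); break }
      if (dst ~ /\.3389:$/) { sub(/\.[0-9]+$/, "", src); n[src]++ }   # drop the source port
    }
    END { for (s in n) print n[s], s }
  ' | sort -rn
}

# Sources with at least THRESHOLD SYNs in the capture text. A human retrying a
# client does not come close to the 1-3 second cadence seen in the journal.
offending_sources() {           # $1 = capture text, $2 = threshold (default 3)
  local threshold="${2:-3}"
  printf '%s\n' "$1" | count_rdp_syns | awk -v t="$threshold" '$1 >= t { print $2 }'
}

# firewalld rich rule: drop this source on tcp/3389 and log the drop (rate-limited)
# so the attempts still leave a trace in the journal instead of the GRD error spam.
drop_rule_for() {               # $1 = source address (IPv4 or IPv6)
  local family=ipv4
  case "$1" in *:*) family=ipv6 ;; esac
  printf 'rule family="%s" source address="%s" port port="3389" protocol="tcp" log prefix="RDP_DROP " level="info" limit value="1/m" drop' "$family" "$1"
}

# Print the firewall-cmd invocations for each source on stdin; execute them only
# when APPLY=1 is set (needs root). Permanent rules need a reload to take effect.
apply_block() {
  local ip rule
  while read -r ip; do
    rule="$(drop_rule_for "$ip")"
    echo "firewall-cmd --permanent --add-rich-rule='${rule}'"
    if [ "${APPLY:-0}" = "1" ]; then firewall-cmd --permanent --add-rich-rule="$rule"; fi
  done
  echo "firewall-cmd --reload"
  if [ "${APPLY:-0}" = "1" ]; then firewall-cmd --reload; fi
}

# Dry run on the constructed capture: prints the commands it would execute.
offending_sources "$SAMPLE_CAPTURE" | apply_block
```

With a real capture, pipe `sudo tcpdump -i any -nn -l port 3389` into `count_rdp_syns`, or save it to a file and pass the file contents to `offending_sources`; set `APPLY=1` only after checking the list. `firewall-cmd --list-rich-rules` shows what was added, and dropped packets then appear in the kernel log (`journalctl -k`) under the `RDP_DROP` prefix. Blocking one address only helps until the scanner moves to another one; removing tcp/3389 from the public zone and reaching GRD over `ssh -N -L 3389:127.0.0.1:3389 user@fedora-remote` is the more durable fix, with the caveat that it moves the brute-force pressure onto sshd, which should then accept keys only.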

What I ended up doing was completely blocking the port from the internet so GRD only runs locally, then creating an SSH tunnel and RDPing at localhost. This seems to work well and was rather easy to do.

Judging from the fact that I can now access the RDP reliably… yes, I think the network congestion led to GRD being completely inaccessible most of the time. My other symptoms all point toward that. Now GRD only gets called if someone manages to authenticate through SSH, so that should cut down on the network congestion massively.

I would guess that the spamming of attempts to connect from that IP and the need for RDP to respond to each attempt was the cause: not necessarily network congestion, but rather more of a denial-of-service (DoS) effect, as it overloaded the RDP server.


I’ll keep an eye on it over the next few days but this seems like the most likely scenario to me!

Thanks for all your help.
