add the ability to audit login failures/successes for logging in to the web interface
From CW#7590390:
Would like to be able to audit when users login to ScreenConnect instance, including failures. Would also like to be able to receive email notifications when failed login attempts occur on site.
Hello
When someone logs on to the web interface, I'd like to log it and send it to a syslog (more specifically Elastic Stack) to not only keep logs but to meet certain compliance requirements.
We have ScreenConnect (or ConnectWise) installed on Windows on prem.
Where are these audit logs located?
Thank you
Please add this feature that can log user login history for audit and investigation.
Justin, the solution needs to be something that is native to the platform and supportable by the vendor themselves. Use of 3rd party apps and a configuration that is not supported by the vendor puts you in a position where you can be out of compliance if the modification breaks and doesn’t work.
Agreed, but this is better than nothing, and it does exactly what I want. Only thing is, editing Login.aspx after upgrading. I can live with that. I had issues with LetsEncrypt and my ScreenConnect installation... and ended up doing something different to make that work.
Only thing left to do, tell fail2ban to email me for successful logins... which is easy. But would be cooler if you guys could share some code to do that in Login.aspx. =)
I’ve been curious to know how much a web application firewall could benefit. Something like a Fortinet WAF. Using FortiGuard's reputation database to proactively block stuff based on IP reputation or the AI behavior based learning. Problem is a WAF gets expensive.
It’s also probably not super easy to build anything into the product either.
Some people might be able to use a SIEM to look for logon failures or something and create an automation to add offending IPs of consecutive logon failures into their firewall rule block list or something, but still nothing is gonna be as good as an actual block list within the software itself and visibility into logon attempts, whether they’re successful or not.
Bam! Login.aspx email without fail2ban. Looked at the reset password function in Login.aspx. Seems to work okay.
    if (result == LoginResult.Success)
    {
        // Append a syslog-style line that fail2ban (or a log shipper) can parse.
        File.AppendAllText(@"/var/log/screenconnect", DateTime.Now.ToString("MMM d H:mm:ss") + " screenconnect(" + Dns.GetHostName() + "): Authentication successful from " + GetIPAddress() + Environment.NewLine);
        this.errorLabel.Text = null;

        if (userName.IsNullOrEmpty())
            throw new InvalidOperationException(WebResources.GetString("LoginPanel.InvalidUserNameText"));

        // Snapshot what the mail job needs while the request context is still available.
        var threadState = new
        {
            User = MembershipWebAuthenticationProvider.GetEnabledMembershipProviders()
                .Where(_ => _ is IMembershipWithoutOldPasswordProvider)
                .Select(_ => _.GetUser(userName))
                .FirstOrDefault(),
            Url = this.Context.Request.GetRealUrl(),
            this.Context.Request.UserHostAddress,
            this.Context.Request.UserAgent
        };

        // Send the notification off the request thread so the login is not delayed.
        if (threadState.User != null && !threadState.User.Email.IsNullOrEmpty())
            System.Threading.ThreadPool.QueueUserWorkItem(delegate
            {
                Extensions.Try(() => MailSender.Instance.SendMail(
                    threadState.User.Email,
                    "Successful Login",
                    "Successful Login",
                    Extensions.TryParseBool(WebResources.GetString("ResetPasswordEmailIsBodyHtml"))
                ));
            });

        this.Response.Redirect(this.Context.GetValidReturnUrlOrDefault());
    }
Yeah... I just want the list of IP addresses that try to bang on the login... just to know. Never know what you could find. It would be cool to have a dangerous list of ip addresses to add to the list... I think pfSense does this..... Not sure.
This works better.. kinda dirty but works.
    if (result == LoginResult.Success)
    {
        // Capture the client IP on the request thread; the delegate below closes
        // over it, so no shared temp file is needed to pass it to the mail job.
        string ipAddress = GetIPAddress();

        // Append a syslog-style line that fail2ban (or a log shipper) can parse.
        File.AppendAllText(@"/var/log/screenconnect", DateTime.Now.ToString("MMM d H:mm:ss") + " screenconnect(" + Dns.GetHostName() + "): Authentication successful from " + ipAddress + Environment.NewLine);
        this.errorLabel.Text = null;

        if (userName.IsNullOrEmpty())
            throw new InvalidOperationException(WebResources.GetString("LoginPanel.InvalidUserNameText"));

        var threadState = new
        {
            User = MembershipWebAuthenticationProvider.GetEnabledMembershipProviders()
                .Where(_ => _ is IMembershipWithoutOldPasswordProvider)
                .Select(_ => _.GetUser(userName))
                .FirstOrDefault(),
            Url = this.Context.Request.GetRealUrl(),
            this.Context.Request.UserHostAddress,
            this.Context.Request.UserAgent
        };

        // Send the notification off the request thread so the login is not delayed.
        if (threadState.User != null && !threadState.User.Email.IsNullOrEmpty())
            System.Threading.ThreadPool.QueueUserWorkItem(delegate
            {
                Extensions.Try(() => MailSender.Instance.SendMail(
                    threadState.User.Email,
                    "Successful Login from: " + ipAddress,
                    "Successful Login from: " + ipAddress,
                    Extensions.TryParseBool(WebResources.GetString("ResetPasswordEmailIsBodyHtml"))
                ));
            });

        this.Response.Redirect(this.Context.GetValidReturnUrlOrDefault());
    }
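The SIEM-style check discussed earlier in the thread, run over the line format that the Login.aspx snippets write, as an added example that is not part of any post and not ConnectWise code. The "Authentication failed" line, the host name `sc01`, the threshold and the window are assumptions; the thread only shows the success line.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Line shape written by the Login.aspx snippet. The "failed" wording is an
# assumption: the thread only shows the "successful" line.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{1,2}:\d{2}:\d{2}) screenconnect\([^)]*\): "
    r"Authentication (?P<result>successful|failed) from (?P<ip>[0-9A-Fa-f:.]+)$")

# Constructed sample log (documentation-range addresses, hypothetical host).
SAMPLE_LOG = """\
Mar 3 9:14:02 screenconnect(sc01): Authentication failed from 203.0.113.7
Mar 3 9:14:05 screenconnect(sc01): Authentication failed from 203.0.113.7
Mar 3 9:14:09 screenconnect(sc01): Authentication failed from 203.0.113.7
Mar 3 9:15:30 screenconnect(sc01): Authentication successful from 198.51.100.20
Mar 3 9:16:11 screenconnect(sc01): Authentication successful from 203.0.113.7
this line is not a login event and is skipped
Mar 3 9:40:00 screenconnect(sc01): Authentication failed from 198.51.100.20
Mar 3 9:52:00 screenconnect(sc01): Authentication failed from 198.51.100.20
Mar 3 10:05:00 screenconnect(sc01): Authentication failed from 198.51.100.20
"""

def parse(line, year=2024):
    """Return (timestamp, ip, result) or None; the log carries no year."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["ip"], m["result"]

def detect(lines, threshold=3, window=timedelta(minutes=5)):
    """Flag bursts of failures per IP, and a success that follows a burst."""
    recent = defaultdict(deque)  # ip -> failure timestamps inside the window
    alerts = []
    for ts, ip, result in filter(None, map(parse, lines)):
        fails = recent[ip]
        while fails and ts - fails[0] > window:
            fails.popleft()  # forget failures older than the window
        if result == "failed":
            fails.append(ts)
            if len(fails) == threshold:
                alerts.append(("brute_force", ip, ts))
        else:
            if len(fails) >= threshold:
                alerts.append(("success_after_failures", ip, ts))
            fails.clear()
    return alerts
```

On the sample, the three failures spread over 25 minutes from 198.51.100.20 stay below the threshold, while the burst from 203.0.113.7 and the success that follows it are both flagged.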
...4 year old thread about a glaring compliance hole in the product, and posts to workarounds that could have been integrated years ago...good thing we have https://www.connectwise.com/software/control/remote-support/security "World Class Security" on our side.
You catch more flies with honey than vinegar or, sometimes you catch more flies with honey. Usually....
David,
I like how the page you linked still mentions the more secure self-hosted product, and server-level auditing!
Also bumping this - as it will be required for Australian SOC and ISO compliance.
Partner stated that he would like an email notification when there is a successful or failed login.