Update: UltraVNC 1.4.3.6 and UltraVNC SC 1.4.3.6: viewtopic.php?t=37885
Important: Please update to latest version before to create a reply, a topic or an issue: viewtopic.php?t=37864

Join us on social networks and share our announcements:
- Website: https://uvnc.com/
- GitHub: https://github.com/ultravnc
- Mastodon: https://mastodon.social/@ultravnc
- Facebook: https://www.facebook.com/ultravnc1
- X/Twitter: https://twitter.com/ultravnc1
- Reddit community: https://www.reddit.com/r/ultravnc
- OpenHub: https://openhub.net/p/ultravnc

What Causes entry into log

Post Reply
bcrown
Posts: 4
Joined: 2016-08-31 14:21

What Causes entry into log

Post by bcrown »

I am getting thousands of entries in the log files with "invalid attempt from client xx". I usually see these but as I have the properties set to reject or accept connections, I also see the corresponding request pop up.

I know these are from some group (coming from lots of different ip addresses) trying to poke around the machine but am curious what would trigger an event to log as an invalid attempt in the log but not cause the pop up to accept or reject to come up on the screen.

These attacks usually last for a few days and are non stop with attempts from any where from 5 to 100 logged attempts per minute.

Also, I have not seen but may have missed, is there any way to auto block users either via a blacklist or number of attempted tries in a defined period of time?

Thanks
User avatar
Rudi De Vos
Admin & Developer
Admin & Developer
Posts: 6832
Joined: 2004-04-23 10:21
Contact:

Re: What Causes entry into log

Post by Rudi De Vos »

to log as an invalid attempt in the log but not cause the pop up to accept or reject to come up on the screen
Accept/Reject is after the login. If the login fail -> no popup. It's a second security.

Ip addresses are blocked (black listed) if to many attemps are made, but this doesn't help if the attacker use multiple ip addresses.
bcrown
Posts: 4
Joined: 2016-08-31 14:21

Re: What Causes entry into log

Post by bcrown »

Thanks Rudi,

So basically they are just poking around looking for holes and not trying to use a brute force attack on the login?

If the program automatically blacklists ip addresses, is there a way to view the blacklisted ip's and /or add to the list manually? How long does the blacklist keep an ip, I do not see any switches in the properties pages?

Thanks,
User avatar
Rudi De Vos
Admin & Developer
Admin & Developer
Posts: 6832
Joined: 2004-04-23 10:21
Contact:

Re: What Causes entry into log

Post by Rudi De Vos »

It could be a brute force attack, but when you set accept/reject with default to refuse even when they are able to find the password the manual approval is locking them out.

Why don't you use the plugin with a long password ? Then all is encrypted and a long password it's impossible to guess.

The blacklist works like this.
After 3 wrong passwords -> lock for x seconds
Each next wrong anwser the time is increased.
The list is in memory and get reset when the server restart.
Post Reply