RDP window name and text recognition in an open-source bastion host: Kylin open-source bastion host recognition technology

Source: Internet
Author: User
Tags: line editor

Besides session recording, an open-source bastion host also needs operation recognition. The main recognition functions are:

SSH/Telnet command recognition

FTP/SFTP command recognition

RDP/VNC/X11 window title recognition

Text recognition inside RDP/VNC/X11 windows

RDP clipboard (cut/paste) content recognition

RDP/VNC/X11 keystroke logging

A bastion host that can only record sessions is of very limited use, because its audit function is mainly used after the fact. When an internal operational incident occurs and the time at which it happened is hard to pin down, the auditor is left with a huge volume of logs and has to watch the whole recorded session of each person from start to finish. The problematic operation is usually over in an instant: several days of recordings may add up to thousands of hours, while the operation in question lasted only a few seconds. Finding those few seconds of recording in thousands of hours is laborious and tedious work, and the difficulty is easy to imagine.

We once handled an incident in which a telecom operator's back-end database was deleted. At that time our system's RDP recognition was not yet finished, so we assigned someone to read the logs for seven days before the responsible person was finally found.

So what makes an open-source bastion host good or bad is not merely whether its interface is attractive or whether its log reports are comprehensive; the most important criterion is whether its analysis function is well done. Once analysis is done properly, the auditor's workload when a problem occurs drops dramatically, and the responsible person can be found directly.

Of the operation recognition functions of an open-source bastion host, FTP/SFTP command recognition is the simplest to develop: the commands are defined by the protocol standard, so once the FTP/SFTP protocol stream has been decoded, the commands can be read directly from it.

Telnet/SSH command recognition is harder, because Telnet/SSH does not mark commands in the protocol: the command and everything else echoed on the screen are just single characters, and in real development it is very hard to tell from the echo which characters are the command and which are output. A keystroke log on its own is only of partial help and cannot be turned into the executed command, because while typing the user may be in vi, or Linux bash TAB completion may fill in part of the command; operators also use backspace to correct their input, which again prevents recovering the command from the keystrokes alone.

Telnet/SSH commands can therefore only be recognised by correlating keystrokes with the echo: the program tracks the order of the user's keystrokes while judging the echoed characters, and when a carriage return arrives it records all preceding keystrokes and applies some checks against the echo, which yields an accurate record of the command the user executed. In this mode the agent must also determine whether the user is currently in vi. Development of Telnet/SSH command recognition took about 2 months; many changes were made afterwards, and the command recognition rate now reaches 99.9%.
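The keystroke/echo correlation described above, as an added illustration that is not Kylin's code: the line text is rebuilt from what the server echoes (so backspace and TAB completion show up as the user saw them), a carriage return on the client side commits the line, and the xterm alternate-screen switches are used as the "user is in vi" check (a constructed heuristic; editors that do not use the alternate screen would need another signal).

```python
import re

# Alternate-screen switches used by vi, less, top (xterm modes 47/1049): while
# one is active, keystrokes are editor input, not shell commands.
ALT_ON = re.compile(rb"\x1b\[\?(?:47|1049)h")
ALT_OFF = re.compile(rb"\x1b\[\?(?:47|1049)l")
# Other escape sequences (cursor moves, colours, titles) carry no typed text.
ESC_SEQ = re.compile(rb"\x1b(?:\[[0-9;?]*[ -/]*[@-~]|\][^\x07]*\x07|[@-Z\\-_])")
ENTER, CTRL_C, BACKSPACE = 0x0D, 0x03, 0x08

class CommandRecognizer:
    r"""Keystroke/echo correlation: the line text is taken from the echo, so
    backspace ("\b \b") and TAB completion appear exactly as the user saw them."""

    def __init__(self):
        self.line = bytearray()   # text currently on the input line
        self.typing = False       # True from the first key until Enter
        self.fullscreen = False   # inside a full-screen app such as vi
        self.commands = []        # recognised commands, in order

    def on_keys(self, data):      # client -> server bytes (keystrokes)
        for b in data:
            if self.fullscreen:
                continue
            if b in (ENTER, CTRL_C):
                cmd = self.line.decode(errors="replace").strip()
                if b == ENTER and cmd:    # blank line or unechoed password: skip
                    self.commands.append(cmd)
                self.line.clear()
                self.typing = False
            else:
                self.typing = True        # echo from now on is input echo

    def on_echo(self, data):      # server -> client bytes (echo, output)
        if ALT_ON.search(data):
            self.fullscreen = True
        if ALT_OFF.search(data):
            self.fullscreen, self.typing = False, False
        if self.fullscreen or not self.typing:
            return                        # command output or screen app
        for b in ESC_SEQ.sub(b"", data):
            if b == BACKSPACE:
                del self.line[-1:]        # "\b \b": erase, overwrite, erase
            elif b >= 0x20 and b != 0x7F:
                self.line.append(b)       # printable or UTF-8 byte

def recognize(events):
    """events: [("key", bytes) | ("echo", bytes)] in capture order."""
    rec = CommandRecognizer()
    for kind, data in events:
        (rec.on_keys if kind == "key" else rec.on_echo)(data)
    return rec.commands
```

Feed the proxy's two byte streams to `recognize` in capture order; a sudo password (typed but never echoed) and anything typed inside vi are left out of the command list.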

Window title recognition and in-window text recognition for RDP/X11/VNC can fairly be called an industry puzzle, because the RDP display contains no characters at all: everything is drawn through GDI functions. So even with the RDP stream decoded, no text can be extracted from it, since the GDI functions only draw graphics. Development of the Kylin open-source bastion host's RDP/X11/VNC window recognition took about 4 months; it can now recognise both the window title and the text of the operations inside the window.

In addition, RDP keystroke logging and clipboard (cut/paste) content logging can also be recognised from the protocol. Compared with keystrokes, clipboard content is more complicated to extract from the RDP protocol, because the text encoding inside it has to be identified.

The principles of these identification techniques will be described in detail later in other articles.

