RDP TLS cert monitoring
Hi,
How do I have Xymon monitor the TLS cert used by RDP?
I can easily get the cert using the following commands:
openssl s_client -connect <IP>:3389 < /dev/null |& openssl x509 -noout -startdate -enddate
I'd like to apply the same type of logic to RDP that the HTTPS tests use for certificate expiration warning / critical.
I skimmed the hosts.cfg manual and didn't find a way to monitor TLS for arbitrary ports.
I also don't think that the static [rdp] entry in protocols.cfg can be extended to monitor dynamic TLS information.
Any guidance would be appreciated.
-- Grant. . . . unix || die
You could create a simple external script that monitors this. Has it become an issue with RDP not renewing the certificate before it expires?
Tom
On Wed, Sep 25, 2024 at 3:22 PM Grant Taylor via Xymon <xymon@xymon.com> wrote:
> Hi,
> How do I have Xymon monitor the TLS cert used by RDP?
> I can easily get the cert using the following commands:
> openssl s_client -connect <IP>:3389 < /dev/null |& openssl x509 -noout -startdate -enddate
> I'd like to apply the same type of logic to RDP that the HTTPS tests use for certificate expiration warning / critical.
> I skimmed the hosts.cfg manual and didn't find a way to monitor TLS for arbitrary ports.
> I also don't think that the static [rdp] entry in protocols.cfg can be extended to monitor dynamic TLS information.
> Any guidance would be appreciated.
> -- Grant. . . . unix || die
> Xymon mailing list -- xymon@xymon.com To unsubscribe send an email to xymon-leave@xymon.com
Hi Tom,
On 9/25/24 5:16 PM, Tom Schmidt wrote:
> You could create a simple external script that monitors this. Has it become an issue with RDP not renewing the certificate before it expires?
It seems as if the certificate is renewed as the Remote Desktop Service (re)starts. At least when the certificate has expired. I don't know the exact criteria.
The RDS service doesn't restart on a system that's been up for longer than the certificate's lifetime. ;-)
-- Grant. . . . unix || die
Grant
I'd be surprised if you couldn't use https://<IP>:3389/ and get some kind of useful result.
You can use the "ssl" keyword in protocols.cfg and that checks the certificate. Something like this:
[rdps]
   port 3389
   options ssl
   send "QUIT\r\n"
The "send" line is not necessary, but it lets the RDP endpoint close the session, and might avoid error logs being added to the event logs.
J
On Thu, 26 Sept 2024 at 07:22, Grant Taylor via Xymon <xymon@xymon.com> wrote:
> Hi,
> How do I have Xymon monitor the TLS cert used by RDP?
> I can easily get the cert using the following commands:
> openssl s_client -connect <IP>:3389 < /dev/null |& openssl x509 -noout -startdate -enddate
> I'd like to apply the same type of logic to RDP that the HTTPS tests use for certificate expiration warning / critical.
> I skimmed the hosts.cfg manual and didn't find a way to monitor TLS for arbitrary ports.
> I also don't think that the static [rdp] entry in protocols.cfg can be extended to monitor dynamic TLS information.
> Any guidance would be appreciated.
> -- Grant. . . . unix || die
Hi J,
On 9/25/24 8:26 PM, Jeremy Laidman wrote:
> I'd be surprised if you couldn't use https://<IP>:3389/ and get some kind of useful result.
I'll check that out.
> You can use the "ssl" keyword in protocols.cfg and that checks the certificate. Something like this:
> [rdps]
>    port 3389
>    options ssl
>    send "QUIT\r\n"
I'll check that out too.
> The "send" line is not necessary, but it lets the RDP endpoint close the session, and might avoid error logs being added to the event logs.
ACK
Thank you J, you've given me some things to check to monitor the TLS cert on servers that aren't restarted often enough for the built-in renew function to happen.
-- Grant. . . . unix || die
On 9/25/24 8:26 PM, Jeremy Laidman wrote:
> I'd be surprised if you couldn't use https://<IP>:3389/ and get some kind of useful result.
I can get useful information with the following OpenSSL commands:
openssl s_client -connect <IP>:3389 0</dev/null 2>/dev/null |
openssl x509 -noout -subject -startdate -enddate
> You can use the "ssl" keyword in protocols.cfg and that checks the certificate. Something like this:
> [rdps]
>    port 3389
>    options ssl
>    send "QUIT\r\n"
> The "send" line is not necessary, but it lets the RDP endpoint close the session, and might avoid error logs being added to the event logs.
Your rdps protocol idea worked out PERFECTLY!
Xymon showed that the system I found the expired cert on was good. But as soon as I asked it to monitor an additional host, it found that the additional host's TLS cert expired 47 days ago. <facePALM>
Sorry for the delay getting back to this thread.
-- Grant. . . . unix || die
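For sites that prefer Tom's suggestion of an external script over the protocols.cfg entry, here is an added example (not from the thread or from Xymon) that wraps Grant's openssl pipeline and applies warning/alarm thresholds to the certificate's notAfter date. The 30/10 day thresholds, the test name "rdpcert" and the use of GNU date -d for parsing are assumptions; $XYMON, $XYMSRV and $MACHINE are the variables Xymon exports to external scripts.

```shell
#!/bin/sh
# Classify a certificate's notAfter date the way the Xymon ssl test does:
# green with plenty of time left, yellow inside the warning window,
# red inside the alarm window or already expired.
# Thresholds are assumed values, not Xymon's configured defaults.
WARN_DAYS=30
ALARM_DAYS=10

# days_left NOTAFTER_LINE NOW_EPOCH
# NOTAFTER_LINE is the "notAfter=..." line from `openssl x509 -noout -enddate`.
# NOW_EPOCH is passed in rather than read from the clock so results are
# reproducible. Parsing relies on GNU date; negative output means expired.
days_left() {
    _end=$(printf '%s\n' "$1" | sed 's/^notAfter=//')
    _end_epoch=$(date -u -d "$_end" +%s) || return 1
    echo $(( (_end_epoch - $2) / 86400 ))
}

# cert_color DAYS -> green | yellow | red
cert_color() {
    if [ "$1" -lt "$ALARM_DAYS" ]; then echo red
    elif [ "$1" -lt "$WARN_DAYS" ]; then echo yellow
    else echo green
    fi
}

# fetch_enddate HOST PORT -> the notAfter line from the live TLS endpoint
# (same pipeline as in the thread; stdin and stderr are silenced).
fetch_enddate() {
    openssl s_client -connect "$1:$2" </dev/null 2>/dev/null \
        | openssl x509 -noout -enddate
}

# Xymon external-test wrapper: reports a status for the assumed test
# name "rdpcert". Unreachable or non-TLS endpoints are reported red so a
# broken check is never silently green.
report_rdp_cert() {
    _line=$(fetch_enddate "$1" 3389) || _line=""
    if [ -z "$_line" ]; then
        "$XYMON" "$XYMSRV" "status $MACHINE.rdpcert red $(date) could not read certificate from $1:3389"
        return
    fi
    _days=$(days_left "$_line" "$(date +%s)")
    "$XYMON" "$XYMSRV" "status $MACHINE.rdpcert $(cert_color "$_days") $(date) $_line ($_days days left)"
}
```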