With ExpertAssist’s IP Address Lockout feature you can detect and temporarily lock out potential intruders.
This security precaution allows you to configure two specific types of filter. These are called the Denial of Service Filter and the Authentication Attack Filter. The first is a precaution against unwanted intruders who slow your remote machine to a halt by continuously requesting the same service. The second locks out those who persistently try to get past your log-in screen without authorization.
The configuration for each is identical, although the default values differ due to the differences in the kind of attack they are designed to prevent.
By ticking this checkbox you will enable this feature. This can be useful if your server is exposed to the Internet. IP Lockout will prevent people from gaining access to the administrator username and password using brute-force methods, or from tying up your services through relentless requests.
Specify the number of login attempts before a lockout occurs.
After the amount of time specified in this box elapses, the invalid attempt count of the offending IP address will be reset to zero.
If there were a number of bad login attempts from the same IP address, as specified in the second field, within the time period specified in the reset count field, all attempted connections from the offending IP address will be rejected for the amount of time given here.
With ExpertAssist’s IP address filtering feature you can specify exactly which computers are allowed to access ExpertAssist on your system.
The simple interface on the Security > IP Filtering page lets you maintain IP address restrictions.
If the Profiles list is empty, then filtering is disabled.
How IP Filtering works
When an IP address is checked against a list, ExpertAssist goes from the first element of the list to the last, comparing the IP address against the item. If the item is a single IP address, it only matches the remote IP if they are equal. If the item is an IP address with a subnet mask, a logical AND operation is performed on the subnet mask and the remote IP address, and the result is checked against the item’s network address to see if the remote IP address is in fact on the network. If the item is a wildcard, the remote IP address is converted to its dotted textual representation and the two strings are compared.
When a match is found, ExpertAssist checks if it should allow or deny the connection, based on the allow/deny flag belonging to it. This result is then used to decide whether to let the connection proceed.
If no match is found, then the connection is allowed. If you would like all connections to be denied by default, except for those in the list, enter a DENY:* line as the last item on the list.
It is not possible for you to lock yourself out by accident when setting up IP address restrictions from afar, i.e. you can't enter a DENY:* clause into an empty list.
To add an IP Filtering:
The Address and Subnet fields let you specify a new filtering item. You can enter the following:
The Allow and Deny options in the Type drop-down list let you specify whether you want to allow or deny access to the IP address or addresses entered.
Whenever a new connection is established to ExpertAssist, the remote IP address is checked against the filter or filters in the list, and access is granted or denied accordingly. The IP filters that you set up here apply to every connection received by ExpertAssist, except for those aimed at the Virtual FTP Server. To specify IP address restrictions specific to this module you will need to use its specific IP filtering options.
Allow connections from IP address 126.96.36.199 and the network 192.168.0.0/16, and deny all other connections:
ALLOW:192.168.0.0 (255.255.0.0) –OR- ALLOW:192.168.*
Allow connections from IP address 188.8.131.52 and the network 192.168.0.0/16, but not from the address 192.168.0.12, and deny everything else:
ALLOW:192.168.0.0 (255.255.0.0) –OR- ALLOW:192.168.*
Please note that denying the connection from 192.168.0.12 comes before allowing connections to the 192.168.0.0/16 network. This is because if ExpertAssist was to find the ALLOW item first, it would let IP address 192.168.0.12 through, since it matches the condition. To prevent this, we make sure that the address 192.168.0.12 is checked before the network to which it belongs.
Allow all connections, except those coming from 192.168.0.12:
Deny all connections from the network 192.168.0.0/16 except for the subnet 192.168.12.0/24, and allow all other connections:
ALLOW:192.168.12.0 (255.255.255.0) –OR- ALLOW:192.168.12.*
DENY:192.168.0.0 (255.255.0.0) –OR- DENY:192.168.*
Yet again, ordering is crucial.
Here is where you view the ExpertAssist log files.
The active log file is at the top of the list and is named
DesktopAuthority.log. Older logs are stored with the naming convention DAYYYYMMDD.log. For example, the ExpertAssist log file for June 1st 2018 would be called DA20180601.log.
You can enable or disable logging to text files as you will, but ExpertAssist will always log the following events to the Windows Application Log:
The Application Log is used because of security considerations.
In addition, service start and stop events are always written to the
DesktopAuthority.log file, no matter whether logging is enabled or disabled. You can modify the settings for these logs under the Log Settings page of the Preferences section.
The last entry in the log file list is Download all logs in one compressed file. Click this to create and download a single zipped package with all the log files above.
Use the User Management Log section to view the logs of the activities performed during each remote management session on the EA host you are currently managing via EA. These activities are, for example, a registry key creation, stopping/running services, remote control session data, etc. (To view the overall EA activities logs, use the EA Logs page.)
The user management logs feature the following:
To view logs:
In the navigation pane of the EA Management Window, go Security -> User Management Log. The list of available SLOG log files will be shown on the page to the right in a table. Some of the columns are detailed below.
Table 7: User Management logs data.
The active log (DesktopAuthority.slog) is on top of the list. The active log logs activities performed during the period when the EA services were started and stopped.
The log for the oldest session is at the bottom of the list.
- The DesktopAuthority.slog file is the active log.
- Older logs are named according to the following convention DAYYYYMMDD_HHMMSS.slog.
For example, the user management log file for June 1st, 2018, will be entitled DA20180601_132125.slog.
Icon that indicates an SLOG file is invalid, i.e. modified (by other means than the EA application) or anyhow corrupted.
To filter logs:
You can filter logs by the following data:
To filter the list of logs: