XRDP – Configuring TLS connection for Remote Desktop Protocol

Hello World, 

In our previous post (xRDP – Easy install xRDP on Ubuntu 20.04, 22.04, 23.XX, 24.04 (Script Version 1.5.1)), we have been working a little bit on our famous xrdp-installer script.  Given the numerous changes in Ubuntu 24.04 and the latest xRDP releases, we had to update our script to remediate some of the issues detected.  While working on the script, some users/readers asked about improving security through the use of SSL/TLS technology. 

So, we decided to have a quick look at how to enable a TLS-secured connection when using the xRDP software.  Let’s see how we can achieve this….

Overview

RDP is widely used within organizations and it provides a really convenient way to perform remote administration when a desktop interface is needed.  However, because of its popularity, RDP is also a target of attacks.  One way to improve the security of the RDP protocol is to enable the SSL/TLS encryption feature in order to encrypt and secure the xRDP connections.   After some reading and research,  I’m happy to let you know that the xRDP software does offer the possibility to use TLS technology.  In the next sections, we provide the instructions needed to enable the TLS protocol when using the xRDP software solution. 

Assumptions

We have performed this exercise on a machine running Ubuntu 24.04 and we have been using the latest release of the xrdp software package (i.e. 0.10.x).  In our demo, we have used a self-signed certificate.  Obviously, as long as you trust the certificate you want to use, you can also use third-party certificates.  

Out-of-the-Box Configuration

Out of the box, xRDP allows you to perform remote connections to your Linux machine. If you have performed a default installation, the connection security layer is using the setting negotiate. The security of the RDP connection could be improved if the security layer used the TLS option.  So, in order to control the security layer options, you can edit and configure accordingly the file

/etc/xrdp/xrdp.ini

We have copied the content of the xrdp.ini file below; the settings we are interested in are security_layer, certificate, key_file, ssl_protocols and tls_ciphers.

griffon@hp01:~$ cat /etc/xrdp/xrdp.ini
[Globals]
; xrdp.ini file version number
ini_version=1

; fork a new process for each incoming connection
fork=true

; ports to listen on, number alone means listen on all interfaces
; 0.0.0.0 or :: if ipv6 is configured
; space between multiple occurrences
; ALL specified interfaces must be UP when xrdp starts, otherwise xrdp will fail to start
;
; Examples:
; port=3389
; port=unix://./tmp/xrdp.socket
; port=tcp://.:3389 127.0.0.1:3389
; port=tcp://:3389 *:3389
; port=tcp://<any ipv4 format addr>:3389 192.168.1.1:3389
; port=tcp6://.:3389 ::1:3389
; port=tcp6://:3389 *:3389
; port=tcp6://{<any ipv6 format addr>}:3389 {FC00:0:0:0:0:0:0:1}:3389
; port=vsock://<cid>:<port>
port=3389

; 'port' above should be connected to with vsock instead of tcp
; use this only with number alone in port above
; prefer use vsock://<cid>:<port> above
use_vsock=false

; regulate if the listening socket use socket option tcp_nodelay
; no buffering will be performed in the TCP stack
tcp_nodelay=true

; regulate if the listening socket use socket option keepalive
; if the network connection disappear without close messages the connection will be closed
tcp_keepalive=true

; set tcp send/recv buffer (for experts)
#tcp_send_buffer_bytes=32768
#tcp_recv_buffer_bytes=32768

; security layer can be 'tls', 'rdp' or 'negotiate'
; for client compatible layer
security_layer=negotiate

; minimum security level allowed for client for classic RDP encryption
; use tls_ciphers to configure TLS encryption
; can be 'none', 'low', 'medium', 'high', 'fips'
crypt_level=high

; X.509 certificate and private key
; openssl req -x509 -newkey rsa:2048 -nodes -keyout key.pem -out cert.pem -days 365
certificate=
key_file=

; set SSL protocols
; can be comma separated list of 'SSLv3', 'TLSv1', 'TLSv1.1', 'TLSv1.2', 'TLSv1.3'
ssl_protocols=TLSv1.2, TLSv1.3
; set TLS cipher suites
#tls_ciphers=HIGH

(...)

As you can see, with this configuration (the out-of-the-box configuration),  no certificates are used to secure the connection and the security layer is set to negotiate.

Enabling TLS option in xRDP Software solution 

To enable the TLS option, we will need to use or obtain some SSL/TLS certificates.  By default, xRDP will use self-signed certificates and these certificates can be found under 

/etc/xrdp/

In this folder, you will see 2 files  

  • cert.pem
  • key.pem

In our setup, we will use the self-signed certificates provided by the xRDP software.  In order to enable the TLS protocol, we will simply need to update the /etc/xrdp/xrdp.ini file. Again, we have provided an extract of this file; the elements that need to be updated in order to enable the TLS protocol are security_layer, certificate, key_file and tls_ciphers.  

griffon@beta2404:~$ cat /etc/xrdp/xrdp.ini
[Globals]
; xrdp.ini file version number
ini_version=1

; fork a new process for each incoming connection
fork=true

; ports to listen on, number alone means listen on all interfaces
; 0.0.0.0 or :: if ipv6 is configured
; space between multiple occurrences
; ALL specified interfaces must be UP when xrdp starts, otherwise xrdp will fail to start
;
; Examples:
; port=3389
; port=unix://./tmp/xrdp.socket
; port=tcp://.:3389 127.0.0.1:3389
; port=tcp://:3389 *:3389
; port=tcp://<any ipv4 format addr>:3389 192.168.1.1:3389
; port=tcp6://.:3389 ::1:3389
; port=tcp6://:3389 *:3389
; port=tcp6://{<any ipv6 format addr>}:3389 {FC00:0:0:0:0:0:0:1}:3389
; port=vsock://<cid>:<port>
port=3389

; 'port' above should be connected to with vsock instead of tcp
; use this only with number alone in port above
; prefer use vsock://<cid>:<port> above
use_vsock=false

; regulate if the listening socket use socket option tcp_nodelay
; no buffering will be performed in the TCP stack
tcp_nodelay=true

; regulate if the listening socket use socket option keepalive
; if the network connection disappear without close messages the connection will be closed
tcp_keepalive=true

; set tcp send/recv buffer
; These parameters are largely historic. On systems with dynamic TCP
; buffer sizes, setting them manually will either impact performance or
; waste memory
#tcp_send_buffer_bytes=32768
#tcp_recv_buffer_bytes=32768

; security layer can be 'tls', 'rdp' or 'negotiate'
; for client compatible layer
security_layer=tls

; minimum security level allowed for client for classic RDP encryption
; use tls_ciphers to configure TLS encryption
; can be 'none', 'low', 'medium', 'high', 'fips'
crypt_level=high

; X.509 certificate and private key
; openssl req -x509 -newkey rsa:2048 -nodes -keyout key.pem -out cert.pem -days 365
certificate=/etc/xrdp/cert.pem
key_file=/etc/xrdp/key.pem

; set SSL protocols
; can be comma separated list of 'SSLv3', 'TLSv1', 'TLSv1.1', 'TLSv1.2', 'TLSv1.3'
ssl_protocols=TLSv1.2, TLSv1.3
; set TLS cipher suites
tls_ciphers=HIGH

(...)

As you can see, we simply need to update some of the values in this file to ensure that a secure TLS connection can be initiated when using the xRDP software solution. 
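Before restarting the service, it helps to verify that the file really says what we intend. The script below is an added example written for this post (not part of xRDP or the original article): it parses the [Globals] section with Python's configparser and reports anything that would keep TLS from being enforced, using the same keys as the extract above; the embedded xrdp.ini text is a constructed extract in the out-of-the-box state.

```python
import configparser
import os
from typing import Dict, List

# Constructed extract of an out-of-the-box xrdp.ini (the 'negotiate' state shown above), not a real file.
DEFAULT_INI = """
[Globals]
ini_version=1
port=3389
security_layer=negotiate
crypt_level=high
certificate=
key_file=
ssl_protocols=TLSv1.2, TLSv1.3
#tls_ciphers=HIGH
"""

LEGACY_PROTOCOLS = {"SSLv3", "TLSv1", "TLSv1.1"}

def load_globals(ini_text: str) -> Dict[str, str]:
    """Parse xrdp.ini text; ';'/'#' comment lines and repeated keys (as in [Xorg]) are tolerated."""
    parser = configparser.ConfigParser(strict=False, interpolation=None, allow_no_value=True)
    parser.read_string(ini_text)
    return dict(parser["Globals"]) if parser.has_section("Globals") else {}

def audit_xrdp_tls(ini_text: str, check_files: bool = True) -> List[str]:
    """Return findings that keep TLS from being enforced; an empty list matches the post's target state."""
    g = {k: (v or "").strip() for k, v in load_globals(ini_text).items()}
    findings = []
    if g.get("security_layer", "negotiate").lower() != "tls":
        findings.append("security_layer is not 'tls': a client may still negotiate classic RDP security")
    for key in ("certificate", "key_file"):
        if not g.get(key):
            findings.append(f"{key} is empty: no certificate material configured for TLS")
        elif check_files and not os.path.isfile(g[key]):
            findings.append(f"{key} points to a missing file: {g[key]}")
    legacy = sorted({p.strip() for p in g.get("ssl_protocols", "").split(",")} & LEGACY_PROTOCOLS)
    if legacy:
        findings.append("ssl_protocols still allows deprecated versions: " + ", ".join(legacy))
    if not g.get("tls_ciphers"):
        findings.append("tls_ciphers is commented out or empty: the OpenSSL default cipher list applies")
    return findings

if __name__ == "__main__":
    import sys
    path = sys.argv[1] if len(sys.argv) > 1 else "/etc/xrdp/xrdp.ini"
    with open(path) as fh:
        problems = audit_xrdp_tls(fh.read())
    print("\n".join(problems) if problems else f"{path}: TLS configuration looks good")
```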

Apply the changes 

In order to have these settings applied on your xRDP machine, you will need to restart the xrdp service.  You can also decide to reboot the machine completely.  

sudo systemctl restart xrdp
sudo systemctl status xrdp

After this, you can perform your remote connection as usual.  The only difference is that now your connection is encrypted through the usage of TLS technology.  

Final Notes

This is it for this post! 

Enabling TLS connection support in xRDP is really not that difficult.  You basically need to change some configuration settings and restart the service in order to improve your security while using the RDP protocol.   The change is not immediately visible.  One way to ensure that TLS is effectively in use is to run Wireshark and capture the network traffic while performing your remote connection.  You should see in the capture that the TLS protocol is indeed in use.  
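Wireshark shows the handshake after the fact; the script below, an added example written for this post (not part of xRDP or the original article), checks the same thing actively. RDP only starts TLS after the X.224 Connection Request/Confirm exchange, so a plain TLS client cannot be pointed at port 3389 directly; the script first offers only standard RDP security (per MS-RDPBCGR a server that requires TLS answers with RDP_NEG_FAILURE, code SSL_REQUIRED_BY_SERVER, while negotiate accepts the downgrade), then negotiates TLS and reports the version and cipher. The host and port are assumptions, and the handshake deliberately does not verify the self-signed certificate.

```python
import socket
import ssl
import struct

# Values from MS-RDPBCGR 2.2.1.1.1 (RDP_NEG_REQ), 2.2.1.2.1 (RDP_NEG_RSP) and 2.2.1.2.2 (RDP_NEG_FAILURE).
PROTOCOL_RDP, PROTOCOL_SSL = 0x0, 0x1
TYPE_NEG_RSP, TYPE_NEG_FAILURE = 0x02, 0x03
SSL_REQUIRED_BY_SERVER = 0x1

def build_connection_request(requested_protocols: int) -> bytes:
    """TPKT + X.224 Connection Request carrying an RDP_NEG_REQ (19 bytes in total)."""
    neg_req = struct.pack("<BBHI", 0x01, 0x00, 8, requested_protocols)  # type, flags, length, protocols
    x224 = bytes([0x0E, 0xE0, 0, 0, 0, 0, 0]) + neg_req  # LI=14, CR/CDT, DST-REF, SRC-REF, class 0
    return struct.pack(">BBH", 3, 0, 4 + len(x224)) + x224  # TPKT: version 3, reserved, total length

def parse_connection_confirm(data: bytes) -> tuple:
    """Return (type, value): value is selectedProtocol for a NEG_RSP, failureCode for a NEG_FAILURE."""
    if len(data) < 11 or data[0] != 3 or data[5] != 0xD0:
        raise ValueError("not a TPKT/X.224 Connection Confirm")
    if len(data) < 19:  # no RDP_NEG_RSP at all: an old server that only knows standard RDP security
        return TYPE_NEG_RSP, PROTOCOL_RDP
    rsp_type, _flags, _length, value = struct.unpack_from("<BBHI", data, 11)
    return rsp_type, value

def classify_downgrade_answer(rsp_type: int, value: int) -> str:
    """Interpret the answer to a request that offered ONLY standard RDP security (no TLS)."""
    if rsp_type == TYPE_NEG_FAILURE and value == SSL_REQUIRED_BY_SERVER:
        return "TLS enforced: server refused standard RDP security"
    if rsp_type == TYPE_NEG_RSP and value == PROTOCOL_RDP:
        return "downgrade possible: server accepted standard RDP security"
    return f"unexpected answer: type={rsp_type:#x} value={value:#x}"

def check_server(host: str, port: int = 3389) -> dict:
    """Two connections: one offering only standard RDP security, one negotiating TLS and reporting it."""
    with socket.create_connection((host, port), timeout=5) as sock:
        sock.sendall(build_connection_request(PROTOCOL_RDP))
        try:
            result = {"downgrade": classify_downgrade_answer(*parse_connection_confirm(sock.recv(1024)))}
        except ValueError as exc:  # e.g. the server simply dropped the connection
            result = {"downgrade": f"no valid Connection Confirm ({exc})"}
    with socket.create_connection((host, port), timeout=5) as sock:
        sock.sendall(build_connection_request(PROTOCOL_SSL))
        if parse_connection_confirm(sock.recv(1024)) != (TYPE_NEG_RSP, PROTOCOL_SSL):
            return {**result, "tls": False}
        ctx = ssl.create_default_context()
        ctx.check_hostname, ctx.verify_mode = False, ssl.CERT_NONE  # self-signed cert: observe, do not trust
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return {**result, "tls": True, "version": tls.version(), "cipher": tls.cipher()[0]}
```

Run `check_server("<xrdp-host>")` against the machine you just reconfigured; with security_layer=tls the "downgrade" entry should read "TLS enforced" and "version" should be TLSv1.2 or TLSv1.3.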

It’s up to you whether you want to use this feature and improve general security when using the xRDP software.  We think that we will enable this feature by default on our systems in order to improve our security posture a little bit…. 

Till next time 

See ya  
