Article ID: 117863, created on Oct 10, 2013, last review on Jun 17, 2016

  • Applies to:
  • Virtuozzo containers for Windows

Symptoms

  1. The vzctl enter <ctid> command fails with the following error:

    C:\>vzctl enter 1164
    ERROR: Response timeout for operation 'exec'
    Environment is not changed.
    Command 'enter' is successfully finished
    

    or:

    C:\>vzctl enter 1164
    ERROR: Container 1164 is not ready to complete the operation 'l_FindExecerByVpsId'
    Environment is not changed.
    Command 'enter' is successfully finished
    

    or:

    C:\>vzctl enter 1164
    VZExec: Returned with code -1073741502
    Command 'enter' is successfully finished
    
  2. A large number of events with ID 1012 appear in the Windows Security log of the container:

    Log Name:      System
    Source:        Microsoft-Windows-TerminalServices-RemoteConnectionManager
    Date:          9/30/2013 5:21:21 AM
    Event ID:      1012
    Task Category: None
    Level:         Information
    Keywords:      Classic
    User:          N/A
    Computer:      vps
    Description:
    Remote session from client name a exceeded the maximum allowed failed logon attempts. The session was forcibly terminated.
    
  3. A large number of events with ID 4005 appear in the Application log of the container:

    Log Name:      Application
    Source:        Microsoft-Windows-Winlogon
    Date:          29.07.2015 10:23:09
    Event ID:      4005
    Task Category: None
    Level:         Error
    Keywords:      Classic
    User:          N/A
    Computer:      VPS
    Description:
    The Windows logon process has unexpectedly terminated.
    
  4. Containers can hang in transition state.

  5. When a large number of containers experience the same problem, the node may hang completely with all CPUs at 100% load.

Cause

The containers are the target of Remote Desktop (RDP) brute-force attacks coming from many sources at once; the flood of logon attempts also acts as a Distributed Denial of Service (DDoS) against the containers and the node.

Resolution

The administrator of the node or container should tighten security. Possible measures include:

  1. Analyze the security log and block common attacker networks with a firewall.

  2. Change the RDP port for the container. This Microsoft article explains how: How to change the listening port for Remote Desktop.

    You can set a new port for a container from the node's command prompt by executing the following command:

    C:\>reg add "HKEY_LOCAL_MACHINE\vzCTID\MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-TCP" /v PortNumber /t REG_DWORD /d new_port /f
    

    (Replace CTID with the correct container's ID value, keeping vz in the registry key name, and replace new_port with the desired port number.)

    If you want to set a different RDP port for all running containers, execute the following command:

    C:\>for /f %i in ('vzlist -Ho veid') do reg add "HKEY_LOCAL_MACHINE\vz%i\MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-TCP" /v PortNumber /t REG_DWORD /d new_port /f
    

    (Replace new_port with the desired port number.)

  3. Enable "Network Level Authentication" for such containers.

    Network Level Authentication (NLA) for Remote Desktop Services Connections can reduce the risk of denial-of-service attacks.

    • To enable NLA on the affected container only, follow this Microsoft article: Configure Network Level Authentication.

    • To enable NLA on all containers of the node, run the following command:

      C:\>for /f %i in ('vzlist -Ho veid') do reg add "HKEY_LOCAL_MACHINE\vz%i\MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v UserAuthentication /t REG_DWORD /d 1 /f
      
    • To automatically enable NLA for newly created containers, please download the attached script vz-postcreate.cmd and put it into the C:\vz\Scripts\ folder.

    (Please note that the folder can be, for example, D:\vz\Scripts. During the Parallels Virtuozzo Containers installation, the Scripts subfolder is automatically created in the folder you specified for storing all Container configuration files. By default, the C:\vz folder is used. However, you may have defined another path for this folder.)
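As an added example that is not part of the original article, the PowerShell script below carries out step 1 of the Resolution inside an affected container: it counts failed logons (Security event 4625) per source /24 network and, when run with -Block, adds one Windows Firewall rule for the networks above the threshold. It assumes logon-failure auditing is enabled in the container; the look-back window, threshold and RDP port are constructed defaults to be adjusted to the environment.

```powershell
# Added example, not the article's own code: report and optionally block the source
# networks behind failed RDP logons, based on Security event 4625 in the container.
param(
    [int]$Hours     = 24,    # look-back window (constructed default)
    [int]$Threshold = 50,    # failed logons per /24 before it is reported/blocked (constructed default)
    [int]$RdpPort   = 3389,  # change if the port was moved as in Resolution step 2
    [switch]$Block           # without -Block the script only reports
)

$since  = (Get-Date).AddHours(-$Hours)
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = $since } `
          -ErrorAction SilentlyContinue   # no events in the window is not an error here

# Pull the source address out of each event's XML payload (EventData/Data[@Name='IpAddress'])
$networks = foreach ($e in $events) {
    $xml = [xml]$e.ToXml()
    $ip  = ($xml.Event.EventData.Data | Where-Object { $_.Name -eq 'IpAddress' }).'#text'
    if ($ip -match '^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.\d{1,3}$') {
        # Collapse to the /24 so a whole scanning range is treated as one attacker network
        '{0}.{1}.{2}.0/24' -f $Matches[1], $Matches[2], $Matches[3]
    }
}

$top = $networks | Group-Object | Where-Object { $_.Count -ge $Threshold } | Sort-Object Count -Descending
$top | Select-Object @{ n = 'Network'; e = { $_.Name } }, Count | Format-Table -AutoSize

if ($Block -and $top) {
    $remote = ($top | ForEach-Object { $_.Name }) -join ','
    $name   = "Block RDP brute-force sources $(Get-Date -Format yyyy-MM-dd)"
    # One inbound block rule on the RDP port covering every network above the threshold
    netsh advfirewall firewall add rule name="$name" dir=in action=block protocol=TCP "localport=$RdpPort" "remoteip=$remote"
}
```

Run it first without -Block and review the table, since a legitimate site behind NAT that has a mistyped password can also exceed the threshold.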

Additional information

To identify the containers that are experiencing the RDP brute-force attack, the following PowerShell script can be used on the node:

    # Lines of the vz log written when a new terminal (RDP) session is created
    $out = select-string KlpcOnNewTerminalSession C:\vzlog\2013.10.11-vzlog.log
    # All container IDs known to the node (running and stopped), without padding spaces
    $ctids = (vzlist -Hao veid) -replace " ",""
    # "\b" keeps ctid=101 from also matching ctid=1010, ctid=10123 and so on
    $sessioncount = foreach ($ctid in $ctids) { $count = $out -match "ctid=$ctid\b" | measure | select -exp count ; "$ctid : $count" }
    # Busiest containers first
    $sessioncount | sort-object { [double]$_.split(":")[-1] } -Descending

In the script, change the date in the log file name to the actual one; wildcards are accepted (for example, 2013.10.0*-vzlog.log). Container IDs can also be listed explicitly instead of being taken from vzlist:

$ctids = 101, 102, 103

An example of the output:

1014 : 3048
1028 : 1229
2541 : 1180
1126 : 1124
1002 : 1102
1212 : 1086
3211 : 1063
3231 : 1056

The first column is the container ID and the second column is the number of RDP sessions created during the logged period.
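After the affected containers are identified, the node-side check below (added here; not part of the original article) reports, for every running container, the RDP listening port and NLA setting that the Resolution section writes to, by reading the same HKLM\vz<CTID> registry hives. It assumes PowerShell 3.0 or later on the node, vzlist on the PATH, and that the hives of running containers are mounted under HKLM as the article's reg commands rely on.

```powershell
# Added example, not the article's own code: audit the RDP port and NLA value of each
# running container through its registry hive on the node.
$ctids = (vzlist -Ho veid) -replace ' ', ''

$report = foreach ($ctid in $ctids) {
    $key = "HKLM:\vz$ctid\MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp"
    if (-not (Test-Path $key)) {
        # Hive not mounted (container stopped or in transition): report it rather than skip silently
        [pscustomobject]@{ CTID = $ctid; Port = 'n/a'; NLA = 'n/a'; Note = 'hive not accessible' }
        continue
    }
    $props = Get-ItemProperty -Path $key
    # 3389 is the Windows default when PortNumber has never been set
    $port = if ($null -ne $props.PortNumber) { [int]$props.PortNumber } else { 3389 }
    # UserAuthentication = 1 means NLA is required (Resolution step 3); absent or 0 means off
    $nla  = if ($null -ne $props.UserAuthentication) { [bool]$props.UserAuthentication } else { $false }
    $note = if (-not $nla -or $port -eq 3389) { 'default port and/or NLA off' } else { '' }
    [pscustomobject]@{ CTID = $ctid; Port = $port; NLA = $nla; Note = $note }
}

# Containers without NLA and on the default port are listed first
$report | Sort-Object NLA, Port | Format-Table -AutoSize
```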

Search Words

Shutdown initiated while waiting for LogonUI in container

nla

brute-force

ddos

network layer authentication

request container not found

rdp

Remote session from client name a exceeded the maximum allowed failed logon attempts

vps provision timeout

The session was forcibly terminated

transitional status

can not enter VPS

Environment is not changed

vzctl enter

PCWIN-16724

RDP does not work on most containers (it gets stuck)

Response timeout for operation 'exec'

sql 100%

remote desktop
