How to find disconnected xrdp sessions?
Solution 1:
Here is a way to obtain a list of disconnected xrdp sessions. It relies on the fact that the xrdp server is, in normal X session manager usage, the only client that establishes a TCP connection to the Xvnc X Window System display server. When an xrdp session is active, the associated Xvnc display server has two TCP connections, one in the ESTABLISHED state, and the other in the LISTEN state. That looks something like this using the lsof(1) program.
$ sudo lsof -b -w -n -c /^Xvnc$/b -a -iTCP:5900-5999
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
Xvnc 1625 guest 1u IPv4 252910 0t0 TCP 127.0.0.1:5910 (LISTEN)
Xvnc 1625 guest 9u IPv4 261226 0t0 TCP 127.0.0.1:5910->127.0.0.1:35242 (ESTABLISHED)
If the user of the remote session abandons it by closing the RDP connection (or, in the case of an Apache Guacamole RDP session, by closing the browser window) it looks something like this:
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
Xvnc 1625 guest 1u IPv4 252910 0t0 TCP 127.0.0.1:5910 (LISTEN)
Notice there's no ESTABLISHED connection on this disconnected Xvnc display server process. So, any Xvnc process that's only listening is a disconnected session.
Here's a shell script (named lsdisconnected) that displays the PID and USER for each disconnected remote session. It uses lsof(1) and gawk(1) to implement the connection logic.
#!/bin/bash
sudo lsof -FRgpLT -b -w -n -c /^Xvnc$/b -a -iTCP:5900-5999 |
gawk '
match($0,/^p([0-9]+)/, p) {pid = p[1]; pids[pid]=0; } ;
match($0,/^L([A-Za-z0-9]+)/, p) {user[pid] = p[1]; } ;
/TST=LISTEN/ {pids[pid] = pids[pid] - 1 ;};
/TST=ESTABLISHED/{pids[pid] = pids[pid] + 1};
END {
for (pid in pids){
if (pids[pid] < 0) {
print pid, user[pid];
}
}};
'
This is a handy way to find disconnected remote desktop sessions; it works immediately upon disconnection, without needing to use an idle time.
For those who may not be familiar with lsof(1) here's an explanation of the command line parameters in this example.
-b -wavoids lsof kernel waits. They're not needed here.-navoids DNS lookups for hostnames.-c /^Xvnc$/blooks for processes with the exact command name Xvnc, using a regex.-atells lsof to use AND, not OR, when filtering.-iTCP:5900-5999filters by TCP ports numbered 5900 - 5999, the ones used for X display connections.)
Solution 2:
I finally found a solution to this.
First of all, I had to install a small program called xprintidle:
sudo apt-get install xprintidle
After that I wrote a small bash script that first fetches all displayes used by Xvnc and xrdp and then checks those display sessions if they've been idle for more than a number of minutes:
#!/bin/bash
displays=`ps aux | grep Xvnc | grep -v 'grep\|sed' | sed -r 's|.*(Xvnc :[0-9]*).*|\1|' | cut -d' ' -f 2`
limit=180
date
echo "Checking for inactive sessions!"
while read -r d; do
export DISPLAY=$d
idle=`xprintidle`
idleMins=$(($idle/1000/60))
if [[ $idleMins -gt $limit ]]; then
echo "WARN Display $d is logged in for longer than ${limit}min (${idleMins}m)"
else
echo "INFO Display $d is still ok (${idleMins}m)"
fi
done <<< "$displays"