mobileFX Spartan RDP Guard
    WebSocket JSON API

    The Spartan RDP Guard service implements a secure WebSocket server that exposes a JSON API. With this API you can control the service and receive real-time notifications of attacks.

    Events

    RT_ATTACK

    This event is emitted in real time, as soon as Spartan detects an attack on your server. It is emitted only for security records that occur after the Spartan service has started, so past records in the Event Log are filtered out.

    RT_ATTACK Event
    {
        "id": 0,
        "type": "event",
        "method": "RT_ATTACK",
        "status": true,
        "response":
        {
            "IP": "<remote ip>",
            "CN": "<iso2 country code>"
        }
    }

    Methods

    Calling a method requires establishing a secure WebSocket connection to the Spartan server.

    Every request you send must carry a unique identifier ("id"), which you increment by one (1) for each new call to the server.

    The Spartan server answers requests one by one and echoes the identifier in each response, so you can match responses to requests.

    A status of boolean true indicates the request was served successfully; the returned data are placed inside the "response" object.

    All responses are of type "response".

    LOGIN

    Method LOGIN must be called in order to obtain an OAuth Token from the Spartan server. You must keep this token and re-transmit it to the server with every subsequent method call.

    When calling LOGIN you must provide the MD5 hash of the password rather than the password itself.

    LOGIN Request
    {
        "id": <unique_sequence_integer>,
        "method": "LOGIN",
        "password": "<password_md5>"
    }
    LOGIN Response
    {
        "id": <unique_sequence_integer>,
        "method": "LOGIN",
        "response":
        {
            "token": "<OAuth_Token>"
        },
        "status": true,
        "type": "response"
    }
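A minimal client for the request/response rules and the LOGIN step described above, as an added example (not mobileFX's code): it keeps the incrementing id, sends the MD5 digest of the password, carries the token on later calls and separates RT_ATTACK events from responses. The `send` callable and the `SpartanClient` name are assumptions; a real deployment would pass the write method of a wss:// WebSocket connection.

```python
import hashlib
import json
from typing import Callable, Dict, List, Optional

# Added example, not Spartan's own client. The transport is a callable so the
# message logic runs offline; in practice it writes to a wss:// WebSocket.

# Dataset flags from SPARTAN_REQUEST_DATA_ENUM; powers of two, so they OR together.
REQUEST_DATA_CONFIG, REQUEST_DATA_ALLOWED, REQUEST_DATA_DYNDNS = 1, 2, 4
REQUEST_DATA_BLOCKED, REQUEST_DATA_ATTACKS, REQUEST_DATA_MAP = 8, 16, 32

class SpartanClient:
    def __init__(self, send: Callable[[str], None]) -> None:
        self._send = send
        self._next_id = 1                    # unique id, incremented by one per call
        self._token: Optional[str] = None    # OAuth token obtained by LOGIN
        self.pending: Dict[int, str] = {}    # id -> method still awaiting its response
        self.attacks: List[dict] = []        # RT_ATTACK payloads received so far

    def _request(self, method: str, **fields) -> int:
        req = {"id": self._next_id, "method": method}
        if self._token is not None:          # every call after LOGIN carries the token
            req["token"] = self._token
        req.update(fields)
        self.pending[req["id"]] = method
        self._next_id += 1
        self._send(json.dumps(req))
        return req["id"]

    def login(self, password: str) -> int:
        # LOGIN takes the MD5 hex digest of the password, not the password itself.
        digest = hashlib.md5(password.encode("utf-8")).hexdigest()
        return self._request("LOGIN", password=digest)

    def get_dataset(self, flags: int) -> int:
        return self._request("GET_DATASET", dataset=flags)

    def handle_message(self, raw: str) -> str:
        """Classify one incoming frame as 'event', 'response' or 'unexpected'."""
        msg = json.loads(raw)
        if msg.get("type") == "event" and msg.get("method") == "RT_ATTACK":
            self.attacks.append(msg["response"])     # {"IP": ..., "CN": ...}
            return "event"
        method = self.pending.pop(msg.get("id"), None)
        if method is None or msg.get("type") != "response":
            return "unexpected"                      # id never sent, or a second reply
        if method == "LOGIN" and msg.get("status") is True:
            self._token = msg["response"]["token"]
        return "response"
```

Because the server accepts the MD5 digest in place of the password, the digest is itself a credential: store it as carefully as the password and send it only over the TLS WebSocket the service requires.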

    GET_DATASET

    Method GET_DATASET returns one or more datasets from the Spartan database. You select the dataset(s) you need by setting the "dataset" property to a valid SPARTAN_REQUEST_DATA_ENUM value. The enumeration values are bit flags, so several datasets can be requested in one call by OR-ing them together (for example REQUEST_DATA_BLOCKED | REQUEST_DATA_ATTACKS).

    Spartan Datasets Enumeration
    enum SPARTAN_REQUEST_DATA_ENUM
    {
        REQUEST_DATA_CONFIG  = 1,
        REQUEST_DATA_ALLOWED = 2,
        REQUEST_DATA_DYNDNS  = 4,
        REQUEST_DATA_BLOCKED = 8,
        REQUEST_DATA_ATTACKS = 16,
        REQUEST_DATA_MAP     = 32
    };
    GET_DATASET Request
    {
        "id": <unique_sequence_integer>,
        "method": "GET_DATASET",
        "dataset": <SPARTAN_REQUEST_DATA_ENUM>,
        "token": "<OAuth_Token>"
    }

    The Spartan server will respond with a JSON object containing one or more of the following sections:

    Section   Description and sub-sections
    ALLOWED   An array of allowed IPv4 addresses.
    ATTACKS   An array of ATTACK objects. Each attack object is an array with the following entries, in this order:
                ID         The unique identifier of the attack in the Spartan database.
                EventID    The unique identifier of the attack in the Windows Event Log.
                Date       The Zulu (UTC) date of the attack; convert it to the local time zone as needed.
                Remote IP  The remote IPv4 address of the attack.
                Country    The ISO2 country code of the IPv4 address.
    BLOCKED   An array of BLOCK objects. Each block object is an array with the following entries, in this order:
                Remote IP  The remote IPv4 address being blocked.
                Date       The Zulu (UTC) date the block was made; convert it to the local time zone as needed.
                Country    The ISO2 country code of the IPv4 address.
    DYNDNS    An array of domain names.
    MAP       An unordered map keyed by country; for each country, A is the number of attacks and B is the number of blocked IPv4 addresses.
    CONFIG    A dictionary of Spartan service settings.

    GET_DATASET Response
    {
      "dataset": <SPARTAN_REQUEST_DATA_ENUM>,
      "id": <unique_sequence_integer>,
      "method": "GET_DATASET",
      "response": {
        "ALLOWED": [
          "127.0.0.1"
        ],
        "ATTACKS": [
          [
            "14449",
            "7589866",
            "2021-04-05T11:17:17.212553200Z",
            "125.227.51.202",
            "TW"
          ]
        ],
        "BLOCKED": [
          [
            "45.134.26.16",
            "2021-04-05T08:25:06.732644800Z",
            "RU"
          ]
        ],
        "DYNDNS": [
          "company.dyndns-office.com"
        ],
        "MAP": {
          "CN": {
            "A": "44",
            "B": "89"
          }
        },
        "CONFIG": {
          "Interval_DynDNS_Resolve_Minutes": 5,
          "Interval_EventLog_Audit_Seconds": 5,
          "Max_Records_Attacks": 5000,
          "SSL_CA_File_PEM": "ssl/CA.pem",
          "SSL_Cert_File_PEM": "ssl/www_company_com.pem",
          "SSL_Disable_SSLv2": true,
          "SSL_Disable_SSLv3": true,
          "SSL_Disable_TLSv1": true,
          "SSL_Disable_TLSv1_1": true,
          "SSL_Disable_TLSv1_2": false,
          "SSL_Force_Secure": true,
          "SSL_Key_File_PEM": "ssl/www_company_com.key",
          "Server_AllowPublicAccess": true,
          "Server_Bind_IP": "0.0.0.0",
          "Server_Bind_Port": 9543,
          "Server_BlockAttacksToSpartanService": false
        }   
      },
      "status": true,
      "type": "response"
    }
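Consuming the response above, as an added example (not part of the Spartan documentation or product): the ATTACKS and BLOCKED arrays are positional, so the code names their entries in the order the table gives, parses the Zulu timestamps (nine fractional digits, more than Python's microsecond resolution) into aware UTC datetimes for local conversion, and reduces MAP to a ranked list. The field names and the RU entry in the sample are constructed.

```python
import re
from datetime import datetime, timedelta, timezone
from typing import Dict, List

# Added example, not Spartan's own code: turns the positional arrays of a
# GET_DATASET response into named records and converts Zulu timestamps.

ATTACK_FIELDS = ("id", "event_id", "date", "remote_ip", "country")  # assumed names
BLOCK_FIELDS = ("remote_ip", "date", "country")
_ZULU = re.compile(r"^(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})(?:\.(\d+))?Z$")

def parse_zulu(stamp: str) -> datetime:
    """Parse Spartan's Zulu timestamp (up to 9 fractional digits) as aware UTC."""
    m = _ZULU.match(stamp)
    if not m:
        raise ValueError(f"not a Zulu timestamp: {stamp!r}")
    base, frac = m.groups()
    micros = int((frac or "0")[:6].ljust(6, "0"))   # truncate ns to us precision
    return datetime.strptime(base, "%Y-%m-%dT%H:%M:%S").replace(
        microsecond=micros, tzinfo=timezone.utc)

def to_local(stamp: str, tz: timezone) -> str:
    """Zulu stamp -> ISO string in the given zone, as the docs suggest doing."""
    return parse_zulu(stamp).astimezone(tz).isoformat(timespec="seconds")

def parse_rows(rows: List[list], fields) -> List[Dict[str, str]]:
    out = []
    for row in rows:
        if len(row) != len(fields):           # layout is positional; refuse odd rows
            raise ValueError(f"expected {len(fields)} entries, got {row!r}")
        out.append(dict(zip(fields, row)))
    return out

def summarize_map(map_section: Dict[str, Dict[str, str]]) -> List[tuple]:
    """(country, attacks, blocked) sorted by attacks descending; A/B arrive as strings."""
    return sorted(((cc, int(v["A"]), int(v["B"])) for cc, v in map_section.items()),
                  key=lambda t: t[1], reverse=True)

# Constructed sample shaped like the GET_DATASET response on this page.
SAMPLE = {
    "ATTACKS": [["14449", "7589866", "2021-04-05T11:17:17.212553200Z", "125.227.51.202", "TW"]],
    "BLOCKED": [["45.134.26.16", "2021-04-05T08:25:06.732644800Z", "RU"]],
    "MAP": {"CN": {"A": "44", "B": "89"}, "RU": {"A": "120", "B": "7"}},
}
```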

    SET_CONFIG

    Method SET_CONFIG updates the Spartan configuration and settings. To retrieve the current settings, first call GET_DATASET with REQUEST_DATA_CONFIG; the settings dictionary is then sent back, modified as needed, in the "data" property.

    Note that passwords cannot be set through the Spartan API.

    SET_CONFIG Request
    {
        "id": <unique_sequence_integer>,
        "method": "SET_CONFIG",
        "token": "<OAuth_Token>",
        "data":
        {
            "Interval_DynDNS_Resolve_Minutes": 5,
            "Interval_EventLog_Audit_Seconds": 5,
            "Max_Records_Attacks": 5000,
            "SSL_CA_File_PEM": "ssl/CA.pem",
            "SSL_Cert_File_PEM": "ssl/www_company_com.pem",
            "SSL_Disable_SSLv2": true,
            "SSL_Disable_SSLv3": true,
            "SSL_Disable_TLSv1": true,
            "SSL_Disable_TLSv1_1": true,
            "SSL_Disable_TLSv1_2": false,
            "SSL_Force_Secure": true,
            "SSL_Key_File_PEM": "ssl/www_company_com.key",
            "Server_AllowPublicAccess": true,
            "Server_Bind_IP": "0.0.0.0",
            "Server_Bind_Port": 9543,
            "Server_BlockAttacksToSpartanService": false
        }
    }
    SET_CONFIG Response
    {
        "id": 3,
        "method": "SET_CONFIG",
        "response": {},
        "status": true,
        "type": "response"
    }
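A pre-flight check to run on the settings dictionary before sending SET_CONFIG, as an added example that is not part of the Spartan product: it flags legacy protocol versions left enabled, a configuration that disables every TLS version, an API served without TLS, and a listener bound to all interfaces with public access allowed. The meaning of each key is assumed from its name as shown in the samples on this page; `check_config` and `build_set_config` are hypothetical helpers.

```python
from typing import Dict, List

# Added example, not Spartan's own code. Key semantics are assumed from the key
# names in the GET_DATASET / SET_CONFIG samples, not from product documentation.

LEGACY_PROTOCOL_KEYS = ("SSL_Disable_SSLv2", "SSL_Disable_SSLv3",
                        "SSL_Disable_TLSv1", "SSL_Disable_TLSv1_1")

def check_config(cfg: Dict[str, object]) -> List[str]:
    """Return findings for a settings dictionary; an empty list means it passes."""
    findings = []
    for key in LEGACY_PROTOCOL_KEYS:
        if cfg.get(key) is not True:
            findings.append(f"{key} should be true (legacy protocol left enabled)")
    if cfg.get("SSL_Disable_TLSv1_2") is True and all(
            cfg.get(k) is True for k in LEGACY_PROTOCOL_KEYS):
        findings.append("every protocol version is disabled; no TLS version left to negotiate")
    if cfg.get("SSL_Force_Secure") is not True:
        findings.append("SSL_Force_Secure should be true so the API is only served over TLS")
    if cfg.get("Server_Bind_IP") == "0.0.0.0" and cfg.get("Server_AllowPublicAccess") is True:
        findings.append("Server_Bind_IP is 0.0.0.0 with Server_AllowPublicAccess true: "
                        "bind to a management address or disable public access")
    for key in ("SSL_Cert_File_PEM", "SSL_Key_File_PEM", "SSL_CA_File_PEM"):
        if not cfg.get(key):
            findings.append(f"{key} is empty")
    return findings

def build_set_config(request_id: int, token: str, cfg: Dict[str, object]) -> dict:
    """Build the SET_CONFIG request only when check_config reports nothing."""
    problems = check_config(cfg)
    if problems:
        raise ValueError("refusing to send SET_CONFIG: " + "; ".join(problems))
    return {"id": request_id, "method": "SET_CONFIG", "token": token, "data": dict(cfg)}

# Constructed sample: the values from this page's SET_CONFIG request.
PAGE_CONFIG = {
    "Interval_DynDNS_Resolve_Minutes": 5, "Interval_EventLog_Audit_Seconds": 5,
    "Max_Records_Attacks": 5000, "SSL_CA_File_PEM": "ssl/CA.pem",
    "SSL_Cert_File_PEM": "ssl/www_company_com.pem", "SSL_Disable_SSLv2": True,
    "SSL_Disable_SSLv3": True, "SSL_Disable_TLSv1": True, "SSL_Disable_TLSv1_1": True,
    "SSL_Disable_TLSv1_2": False, "SSL_Force_Secure": True,
    "SSL_Key_File_PEM": "ssl/www_company_com.key", "Server_AllowPublicAccess": True,
    "Server_Bind_IP": "0.0.0.0", "Server_Bind_Port": 9543,
    "Server_BlockAttacksToSpartanService": False,
}
```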

    ADD_BLOCKED

    Method ADD_BLOCKED adds arbitrary IPv4 addresses to the Block list. The addresses are immediately added to Windows Firewall. The response has the shape of a GET_DATASET response for REQUEST_DATA_BLOCKED and returns the updated Block list.

    ADD_BLOCKED Request
    {
        "id": <unique_sequence_integer>,
        "token": "<OAuth_Token>",
        "data":
        [
            "1.2.3.4",
            "5.6.7.8"
        ],
        "method": "ADD_BLOCKED"
    }
    ADD_BLOCKED Response
    {
     "dataset": REQUEST_DATA_BLOCKED,
     "id": <unique_sequence_integer>,
     "method": "GET_DATASET",
     "response":
     {
      "BLOCKED":
      [  
       [
        "45.134.26.16",
        "2021-04-05T08:25:06.732644800Z",
        "RU"
       ],
       ...     
      ]
     },
     "status": true,
     "type": "response"
    }

    DEL_BLOCKED

    Method DEL_BLOCKED removes IPv4 addresses from the Block list. The addresses are immediately removed from Windows Firewall.

    DEL_BLOCKED Request
    {
        "id": <unique_sequence_integer>,
        "token": "<OAuth_Token>",
        "data":
        [
            "1.2.3.4",
            "5.6.7.8"
        ],
        "method": "DEL_BLOCKED"
    }
    DEL_BLOCKED Response
    {
     "dataset": REQUEST_DATA_BLOCKED,
     "id": <unique_sequence_integer>,
     "method": "GET_DATASET",
     "response":
     {
      "BLOCKED":
      [  
       [
        "45.134.26.16",
        "2021-04-05T08:25:06.732644800Z",
        "RU"
       ],
       ...     
      ]
     },
     "status": true,
     "type": "response"
    }

    ADD_ALLOW

    Method ADD_ALLOW adds IPv4 addresses to the Allow list and removes them from the Block list. The addresses are immediately synchronized with Windows Firewall.

    ADD_ALLOW Request
    {
        "id": <unique_sequence_integer>,
        "token": "<OAuth_Token>",
        "data":
        [
            "1.2.3.4",
            "5.6.7.8"
        ],
        "method": "ADD_ALLOW"
    }
    ADD_ALLOW Response
    {
        "dataset": REQUEST_DATA_ALLOWED,
        "id": <unique_sequence_integer>,
        "method": "GET_DATASET",
        "response":
        {
            "ALLOWED":
            [
                "127.0.0.1"            
            ]
        },
        "status": true,
        "type": "response"
    }

    DEL_ALLOW

    Method DEL_ALLOW removes IPv4 addresses from the Allow list.

    DEL_ALLOW Request
    {
        "id": <unique_sequence_integer>,
        "token": "<OAuth_Token>",
        "data":
        [
            "1.2.3.4",
            "5.6.7.8"
        ],
        "method": "DEL_ALLOW"
    }
    DEL_ALLOW Response
    {
        "dataset": REQUEST_DATA_ALLOWED,
        "id": <unique_sequence_integer>,
        "method": "GET_DATASET",
        "response":
        {
            "ALLOWED":
            [
                "127.0.0.1"            
            ]
        },
        "status": true,
        "type": "response"
    }

    ADD_DYNDNS

    Method ADD_DYNDNS adds domains to the DynDNS list and immediately resolves them, adding the resulting addresses to the Allow list and removing them from the Block list. The addresses are immediately synchronized with Windows Firewall.

    ADD_DYNDNS Request
    {
        "id": <unique_sequence_integer>,
        "token": "<OAuth_Token>",
        "data":
        [
            "office.dyndns.com"
        ],
        "method": "ADD_DYNDNS"
    }
    ADD_DYNDNS Response
    {
        "dataset": REQUEST_DATA_DYNDNS,
        "id": <unique_sequence_integer>,
        "method": "GET_DATASET",
        "response":
        {
            "DYNDNS":
            [
                "company.dyndns.com"
            ]
        },
        "status": true,
        "type": "response"
    }

    DEL_DYNDNS

    Method DEL_DYNDNS removes domains from the DynDNS list.

    DEL_DYNDNS Request
    {
        "id": <unique_sequence_integer>,
        "token": "<OAuth_Token>",
        "data":
        [
            "office.dyndns.com"
        ],
        "method": "DEL_DYNDNS"
    }
    DEL_DYNDNS Response
    {
        "dataset": REQUEST_DATA_DYNDNS,
        "id": <unique_sequence_integer>,
        "method": "GET_DATASET",
        "response":
        {
            "DYNDNS":
            [
                "company.dyndns.com"
            ]
        },
        "status": true,
        "type": "response"
    }

    RESOLVE_DYNDNS

    Method RESOLVE_DYNDNS resolves the domains in the DynDNS list to IPv4 addresses; the response returns the resulting Allow list.

    RESOLVE_DYNDNS Request
    {
        "id": <unique_sequence_integer>,
        "method": "RESOLVE_DYNDNS",
        "token": "<OAuth_Token>"
    }
    RESOLVE_DYNDNS Response
    {
        "dataset": REQUEST_DATA_ALLOWED,
        "id": <unique_sequence_integer>,
        "method": "GET_DATASET",
        "response":
        {
            "ALLOWED":
            [
                "127.0.0.1"            
            ]
        },
        "status": true,
        "type": "response"
    }

    IMPORT_EVTX

    Method IMPORT_EVTX imports an Event Log EVTX file into the Spartan database, importing the attacks it contains and blocking the corresponding IPv4 addresses. The import takes place on the Spartan server, so the file must be available on the server ("file" is a server-side path).

    IMPORT_EVTX Request
    {
        "id": <unique_sequence_integer>,
        "method": "IMPORT_EVTX",
        "file": "E:/audit.evtx",
        "token": "<OAuth_Token>"
    }
    IMPORT_EVTX Response
    {
     "dataset": REQUEST_DATA_BLOCKED | REQUEST_DATA_ATTACKS,
     "id": <unique_sequence_integer>,
     "method": "GET_DATASET",
     "response":
     {
      "ATTACKS":
      [ 
       [
        "14449",
        "7589866",
        "2021-04-05T11:17:17.212553200Z",
        "125.227.51.202",
        "TW"
       ],
       ...
      ], 
      "BLOCKED":
      [   
       [
        "45.134.26.16",
        "2021-04-05T08:25:06.732644800Z",
        "RU"
       ],
       ...      
      ]
     },
     "status": true,
     "type": "response"
    }
