Fail2ban jail

Forums / NoMachine for Linux / Fail2ban jail

Tagged: 

Viewing 5 posts - 1 through 5 (of 5 total)
  • Author
    Posts
  • #12549
    Avatarty
    Participant

    Hi,

    I’m trying out NoMachine on a Ubuntu 16.04.1 system that uses fail2ban and I’m wondering if anyone has successfully configured fail2ban for NoMachine.

    I’m learning about fail2ban at the moment however some assistance from someone who has this working would be greatly appreciated.

    The 2 scenario’s I’m keen to address are: attempts to connect with incorrect public key, attempts to login after using correct public key.

    Remote machine: Ubuntu 16.04.1 desktop (GNOME I think), NoMachine free, latest version

    Local machine: OSX El Capitan, NoMachine free, latest version

    #12603
    Avatarty
    Participant

    I’m still searching around for anything that might help with this problem.  I found this from FreeNX (which I believe is a precursor to NoMachine) at a KDE mailing list in 2011

    https://mail.kde.org/pipermail/freenx-knx/2011-May/009301.html

    Can anyone shed some light on what the NoMachine log file would have in it when failed authentication occurs? This seems to be the key bit of information to block IP addresses that are attempting to connect too often.

    #12616
    Avatarnars
    Contributor

    Hello ty,

    log entries for NoMachine 5.1.54 free related to failed authentications are listed below.

    Logs of failed authentication are stored in /usr/NX/var/log/nxserver.log without enabling any additional debug modes. Just keep log level at 6 what is default.

     

    a) Incorrect login log

    2016-10-06 11:54:58 111.214  5478 NXSERVER ERROR! Sending error message ‘NX> 404 ERROR: Wrong password or Login.’

     

    b) Incorrect password log

    2016-10-06 12:05:56 953.011  5495 NXSERVER ERROR! Sending error message ‘NX> 404 ERROR: Wrong password or Login.’

     

    c) Incorrect key log

    2016-10-06 12:23:04 676.653  5840 NXSERVER ERROR! Sending error message ‘NX> 500 ERROR: Cannot accept public key. ‘

     

    Regards.

    #12647
    Avatarty
    Participant

    Thanks for the reply nars.  I appreciate the help.

    Do you happen to know if the logs allow me to find out the IP address where the login attempt originated?  It looks like that information isn’t present in the nxserver.log example you have kindly provided.

    The idea is to identify the IP addresses of systems that are failing to login and ban them in the firewall for a period of time.  Hopefully this will help discourage scripts from trying to brute force the server i.e. fail a few times within an hour and the IP is banned until tomorrow.

    #12661
    Avatarnars
    Contributor

    In the case of incorrect login/password you can find in default mode logs a line like

    2016-10-06 11:54:58 110.837  5478 NXSERVER ERROR! wrong ‘nxexec authentication’ for user ‘nomachine1’ from ‘10.0.1.61’.

    which unambiguously indicates a problem with logging and contains client IP.

    In the case of wrong certificate it is more difficult. There are no log line contains both client IP and information about wrong authentitation. To get it you may activate a server debug log (set “SessionLogLevel 7” in /usr/NX/etc/server.cfg configuration file) and find line informing about client connecting using the same nxserver –login process PID for example by run as root:

     PID=grep -i "ERROR: Cannot accept public key" /usr/NX/var/log/nxserver.log | tail -1 | sed 's/NXSERVER ERROR.*//g' | awk '{ print $NF }'

    cat /usr/NX/var/log/nxserver.log | grep “Local IP determined from NX_CONNECTION” | grep $PID | tail -1 | sed ‘s/.*NX_CONNECTION: //g’ | cut -f 1 -d ” “

    which returns an client IP adress as result.

    Please note that keeping server in debug mode for a long time consumes a lot of disc space.

     

    Regards.

Viewing 5 posts - 1 through 5 (of 5 total)

This topic was marked as solved, you can't post.