NoMachine Support

ID: AR05P00983
Applies to: NoMachine Software
Added on: 2018-05-31
Last update: 2020-09-11
How to use NoMachine with Fail2ban for connections by NX protocol

Fail2ban is a utility, available for Linux and Mac, that scans log files to prevent brute-force attacks and limit login attempts:

https://www.fail2ban.org/wiki/index.php/Main_Page

Fail2ban can also monitor NoMachine logs, in particular the nxserver.log and nxd.log files, and perform the necessary actions. The nxd.log file is relevant only for connections by NX protocol. Authentication attempts by SSH are logged in the system log file.

Since v. 6.2, each NoMachine server package includes two filter files to be used with Fail2ban:

1)  <NoMachine installation directory>/share/fail2ban/nxauth.conf 

This filter identifies errors in the authentication procedure. By default the specified regex matches all errors, but it can be modified to match specific cases. More details and examples are available in the comment section of nxauth.conf.

2) <NoMachine installation directory>/share/fail2ban/nxd.conf

This filter identifies all connections accepted by nxd.

Some practical examples

Example 1: set up Fail2ban to prevent brute-force attacks on connections by NX protocol

Fail2ban can be used in many ways; please refer to its official documentation for more instructions.
The following example sets up Fail2ban to prevent brute-force attacks (banning a remote IP that fails to authenticate with any authentication method 10 times in the last 10 minutes) and a specific DoS on nxd (banning a remote IP that creates 20 connections in the last 5 seconds).

Pre-requisites: make sure that Fail2ban and Iptables are installed on your system. This example relies on the Iptables firewall to ban the remote IP.

Step 1 - Copy:

(i) <NoMachine installation directory>/share/fail2ban/nxd.conf and

(ii) <NoMachine installation directory>/share/fail2ban/nxauth.conf to: 

/etc/fail2ban/filter.d/
 

Step 2 - Open the /etc/fail2ban/jail.conf file and add two jails, one for nxauth.conf and one for nxd.conf:

[nxauth]

enabled  = true
port     = 4000
filter   = nxauth
logpath  = /usr/NX/var/log/nxserver.log
maxretry = 10
action   = iptables-allports
findtime = 600
bantime  = 600

[nxd]

enabled  = true
port     = 4000
filter   = nxd
logpath  = /usr/NX/var/log/nxd.log
maxretry = 20
action   = iptables-allports
findtime = 5
bantime  = 600
 

bantime  - Duration (in seconds) for which the IP is banned. A negative number means a "permanent" ban.
findtime - Number of seconds over which Fail2ban counts matches of the regex specified in the filter. The counter is reset to zero if no match is found within "findtime" seconds.
maxretry - Number of occurrences in the logs of the regex specified in the filter. It is the number of matches (i.e. the value of the counter) that triggers the ban action on the IP.

(Ref. https://www.fail2ban.org/wiki/index.php/MANUAL_0_8)


Step 3 - Make the Fail2ban server reload the configuration by running:

fail2ban-client reload

This will enable the new nxd and nxauth jails.


Example 2: set up Fail2ban to work with nxhtd with mod_evasive enabled

With the implementation of this Feature Request, https://www.nomachine.com/FR02R03938, the built-in Apache web server (nxhtd) includes the mod_evasive module. When enabled, it can be used in conjunction with Fail2ban as in the example below.

Step 1 - Enable mod_evasive in nxhtd

Instructions are available here: https://www.nomachine.com/AR02R01078

 

Step 2 - Create a filter for nxhtd

Create for example the /etc/fail2ban/filter.d/nxhtd-evasive.conf file with the following content:

#
# Fail2Ban filter for NoMachine.
#

[Definition]

#
# Regex matches every connection from a single IP that nxhtd denies when
# mod_evasive is enabled.
#

failregex = ^.*\[client <HOST>(:\d{1,5})?\] client denied by server configuration:.*$

ignoreregex =
 

Step 3 - Open the /etc/fail2ban/jail.conf file and add a jail for nxhtd-evasive:

[nxhtd-evasive]

enabled = true
port = 4080,4443
filter = nxhtd-evasive
logpath = /usr/NX/var/log/nxhtd-error.log
maxretry = 1
action = iptables-allports
findtime = 600
bantime = 600


Step 4 - Make the Fail2ban server reload the configuration by running:

fail2ban-client reload

This will enable the new nxhtd-evasive jail.
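
To check how the nxhtd-evasive filter and the maxretry/findtime thresholds interact before relying on the jail, the sketch below applies the failregex from Step 2 to sample log lines and counts matches per IP in a sliding window. It is an added example, not NoMachine or Fail2ban code: the log lines are constructed, the <HOST> tag is replaced by an assumed IPv4-only pattern, and the counting is a simplified model of a jail.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# failregex copied verbatim from the nxhtd-evasive filter above.
FAILREGEX = r"^.*\[client <HOST>(:\d{1,5})?\] client denied by server configuration:.*$"
# Assumption: IPv4-only stand-in for Fail2ban's <HOST> tag, which accepts more forms.
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"
PATTERN = re.compile(FAILREGEX.replace("<HOST>", HOST))
STAMP = re.compile(r"^\[(?P<ts>[^\]]+)\]")

# Constructed sample lines in Apache error-log style (documentation IP ranges).
SAMPLE_LOG = """\
[Fri Sep 11 10:00:01.000000 2020] [evasive20:error] [pid 4242] [client 203.0.113.7:51234] client denied by server configuration: /constructed/path
[Fri Sep 11 10:00:02.000000 2020] [core:info] [pid 4242] [client 198.51.100.9:40000] AH00128: File does not exist: /constructed/favicon.ico
[Fri Sep 11 10:00:05.000000 2020] [evasive20:error] [pid 4242] [client 203.0.113.7:51240] client denied by server configuration: /constructed/path
[Fri Sep 11 10:00:09.000000 2020] [evasive20:error] [pid 4243] [client 192.0.2.44] client denied by server configuration: /constructed/path
[Fri Sep 11 10:20:00.000000 2020] [evasive20:error] [pid 4242] [client 203.0.113.7:51300] client denied by server configuration: /constructed/path
""".splitlines()


def failures(lines):
    """Return (timestamp, host) for every line the failregex matches."""
    found = []
    for line in lines:
        hit, stamp = PATTERN.match(line), STAMP.match(line)
        if hit and stamp:
            when = datetime.strptime(stamp["ts"], "%a %b %d %H:%M:%S.%f %Y")
            found.append((when, hit["host"]))
    return found


def banned_hosts(events, maxretry, findtime):
    """Hosts that reach maxretry matches within findtime seconds, in ban order."""
    recent, banned = defaultdict(deque), []
    for when, host in sorted(events):
        window = recent[host]
        window.append(when)
        # Drop matches that are older than findtime relative to this one.
        while (when - window[0]).total_seconds() > findtime:
            window.popleft()
        if len(window) >= maxretry and host not in banned:
            banned.append(host)
    return banned


if __name__ == "__main__":
    events = failures(SAMPLE_LOG)
    print("jail values (maxretry=1, findtime=600):", banned_hosts(events, 1, 600))
    print("hypothetical maxretry=3:", banned_hosts(events, 3, 600))
```

With the jail's maxretry = 1, a single denied request is enough to ban an address. On a live system, `fail2ban-regex <logfile> <filter file>` runs the real filter against the real log.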