Forum / NoMachine for Linux / Fail2Ban – not banning
- This topic has 2 replies, 2 voices, and was last updated 1 year ago by Britgirl.
November 29, 2023 at 11:02 #46140 sdungan (Participant)
Hello,
We are running Fail2Ban 1.0.2 and NoMachine version 8.9.1. We set up our jails for nxd and nxauth following NoMachine KB AR05P00983. We modified the max retry for nxauth to 4 and the find time to 20 minutes. Fail2ban finds IPs for failed passwords in the logs (strangely for nxd and not nxauth?), but does not issue a ban after more than 4 failed attempts:
2023-11-27 09:41:23,457 fail2ban.server [2457454]: INFO Starting Fail2ban v1.0.2
2023-11-27 09:41:23,458 fail2ban.observer [2457454]: INFO Observer start…
2023-11-27 09:41:23,464 fail2ban.database [2457454]: INFO Connected to fail2ban persistent database ‘/var/lib/fail2ban/fail2ban.sqlite3’
2023-11-27 09:41:23,465 fail2ban.jail [2457454]: INFO Creating new jail ‘sshd’
2023-11-27 09:41:23,475 fail2ban.jail [2457454]: INFO Jail ‘sshd’ uses systemd {}
2023-11-27 09:41:23,475 fail2ban.jail [2457454]: INFO Initiated ‘systemd’ backend
2023-11-27 09:41:23,476 fail2ban.filter [2457454]: INFO maxLines: 1
2023-11-27 09:41:23,493 fail2ban.filtersystemd [2457454]: INFO [sshd] Added journal match for: ‘_SYSTEMD_UNIT=sshd.service + _COMM=sshd’
2023-11-27 09:41:23,493 fail2ban.filter [2457454]: INFO maxRetry: 4
2023-11-27 09:41:23,493 fail2ban.filter [2457454]: INFO findtime: 1200
2023-11-27 09:41:23,493 fail2ban.actions [2457454]: INFO banTime: 3600
2023-11-27 09:41:23,493 fail2ban.filter [2457454]: INFO encoding: UTF-8
2023-11-27 09:41:23,494 fail2ban.jail [2457454]: INFO Creating new jail ‘nxauth’
2023-11-27 09:41:23,502 fail2ban.jail [2457454]: INFO Jail ‘nxauth’ uses pyinotify {}
2023-11-27 09:41:23,507 fail2ban.jail [2457454]: INFO Initiated ‘pyinotify’ backend
2023-11-27 09:41:23,508 fail2ban.datedetector [2457454]: INFO date pattern '%Y-%m-%d %H:%M:%S': Year-Month-Day 24hour:Minute:Second
2023-11-27 09:41:23,509 fail2ban.filter [2457454]: INFO maxRetry: 10
2023-11-27 09:41:23,509 fail2ban.filter [2457454]: INFO findtime: 1200
2023-11-27 09:41:23,509 fail2ban.actions [2457454]: INFO banTime: 3600
2023-11-27 09:41:23,509 fail2ban.filter [2457454]: INFO encoding: UTF-8
2023-11-27 09:41:23,509 fail2ban.filter [2457454]: INFO Added logfile: ‘/usr/NX/var/log/nxserver.log’ (pos = 427745, hash = 74bb20d4bbd8dfbfe13e284b63f655490ce383f0)
2023-11-27 09:41:23,510 fail2ban.jail [2457454]: INFO Creating new jail ‘nxd’
2023-11-27 09:41:23,510 fail2ban.jail [2457454]: INFO Jail ‘nxd’ uses pyinotify {}
2023-11-27 09:41:23,515 fail2ban.jail [2457454]: INFO Initiated ‘pyinotify’ backend
2023-11-27 09:41:23,516 fail2ban.datedetector [2457454]: INFO date pattern '%a %b %d %H:%M:%S %Y': DAY MON Day 24hour:Minute:Second Year
2023-11-27 09:41:23,516 fail2ban.filter [2457454]: INFO maxRetry: 20
2023-11-27 09:41:23,516 fail2ban.filter [2457454]: INFO findtime: 5
2023-11-27 09:41:23,517 fail2ban.actions [2457454]: INFO banTime: 86400
2023-11-27 09:41:23,517 fail2ban.filter [2457454]: INFO encoding: UTF-8
2023-11-27 09:41:23,517 fail2ban.filter [2457454]: INFO Added logfile: ‘/usr/NX/var/log/nxd.log’ (pos = 180042, hash = fbdad8065b5931fdc99d9719af00604c8b648b82)
2023-11-27 09:41:23,518 fail2ban.jail [2457454]: INFO Jail ‘sshd’ started
2023-11-27 09:41:23,520 fail2ban.filtersystemd [2457454]: INFO [sshd] Jail is in operation now (process new journal entries)
2023-11-27 09:41:23,520 fail2ban.jail [2457454]: INFO Jail ‘nxauth’ started
2023-11-27 09:41:23,521 fail2ban.jail [2457454]: INFO Jail ‘nxd’ started
2023-11-27 09:43:44,942 fail2ban.filter [2457454]: INFO [sshd] Found xxx.xxx.xxx.xxx – 2023-11-27 09:43:44
2023-11-27 09:43:47,978 fail2ban.filter [2457454]: INFO [sshd] Found xxx.xxx.xxx.xxx – 2023-11-27 09:43:47
2023-11-27 09:43:50,478 fail2ban.filter [2457454]: INFO [sshd] Found xxx.xxx.xxx.xxx – 2023-11-27 09:43:50
2023-11-27 09:43:54,432 fail2ban.filter [2457454]: INFO [sshd] Found xxx.xxx.xxx.xxx – 2023-11-27 09:43:54
2023-11-27 09:43:54,884 fail2ban.actions [2457454]: NOTICE [sshd] Ban xxx.xxx.xxx.xxx
2023-11-27 09:45:32,284 fail2ban.filter [2457454]: INFO [nxd] Found xxx.xxx.xxx.xxx – 2023-11-27 09:45:32
2023-11-27 09:46:46,932 fail2ban.filter [2457454]: INFO [nxd] Found xxx.xxx.xxx.xxx – 2023-11-27 09:46:46
2023-11-27 09:46:50,199 fail2ban.filter [2457454]: INFO [nxd] Found xxx.xxx.xxx.xxx – 2023-11-27 09:46:50
2023-11-27 09:46:54,205 fail2ban.filter [2457454]: INFO [nxd] Found xxx.xxx.xxx.xxx – 2023-11-27 09:46:54
2023-11-27 09:46:57,488 fail2ban.filter [2457454]: INFO [nxd] Found xxx.xxx.xxx.xxx – 2023-11-27 09:46:57
2023-11-27 09:47:01,465 fail2ban.filter [2457454]: INFO [nxd] Found xxx.xxx.xxx.xxx – 2023-11-27 09:47:01
2023-11-27 09:47:05,159 fail2ban.filter [2457454]: INFO [nxd] Found xxx.xxx.xxx.xxx – 2023-11-27 09:47:05
2023-11-27 09:47:08,947 fail2ban.filter [2457454]: INFO [nxd] Found xxx.xxx.xxx.xxx – 2023-11-27 09:47:08
2023-11-27 09:47:12,859 fail2ban.filter [2457454]: INFO [nxd] Found xxx.xxx.xxx.xxx – 2023-11-27 09:47:12
2023-11-27 09:47:16,827 fail2ban.filter [2457454]: INFO [nxd] Found xxx.xxx.xxx.xxx – 2023-11-27 09:47:16
2023-11-27 09:47:20,519 fail2ban.filter [2457454]: INFO [nxd] Found xxx.xxx.xxx.xxx – 2023-11-27 09:47:20
2023-11-27 09:47:25,778 fail2ban.filter [2457454]: INFO [nxd] Found xxx.xxx.xxx.xxx – 2023-11-27 09:47:25
2023-11-27 09:47:30,042 fail2ban.filter [2457454]: INFO [nxd] Found xxx.xxx.xxx.xxx – 2023-11-27 09:47:30

From the above, you can see that it does issue bans for the SSHD jail, so that is working as expected. Here are the conf files for this host:
[root@localhost ~]# cat /etc/fail2ban/jail.local
#
# Configure fail2ban to block hosts with 4 failed
# passwords in 20 minutes. Ban for 1 hour.
#
[sshd]
enabled = true
bantime = 3600
findtime = 1200
maxretry = 4
action = nftables-allports
chain = INPUT
ignoreip = 127.0.0.1/8

#
# Configure fail2ban to block hosts with 4 failed
# passwords in 20 minutes. Ban for 1 hour.
#
[nxauth]
enabled = true
port = 4000
filter = nxauth
logpath = /usr/NX/var/log/nxserver.log
maxretry = 4
findtime = 1200
bantime = 3600
action = nftables-allports
chain = INPUT
ignoreip = 127.0.0.1/8

#
# Configure fail2ban to block DDoS attacks on NoMachine
# (20 connections in 5 seconds or less). Ban for 1 day.
#
[nxd]
enabled = true
port = 4000
filter = nxd
logpath = /usr/NX/var/log/nxd.log
maxretry = 20
findtime = 5
bantime = 86400
action = nftables-allports
chain = INPUT
ignoreip = 127.0.0.1/8

[root@localhost ~]# cat /etc/fail2ban/filter.d/nxd.conf
#
# Fail2Ban filter for NoMachine.
#

[Definition]
#
# Regex matches all accepted NX protocol connections.
#

failregex = ^Info: Connection from <HOST> port \d+ accepted on.*$
ignoreregex =
datepattern = %%a %%b %%d %%H:%%M:%%S %%Y
[root@localhost ~]# cat /etc/fail2ban/filter.d/nxauth.conf
#
# Fail2Ban filter for NoMachine.
#

[Definition]
#
# The default regex matches all the supported authentication methods
# for connections by NX protocol, which are:
# password : Password authentication.
# private-key: Key-based authentication.
# kerberos : Kerberos ticket-based authentication.
#
# For example, set the regex to match password based authentication
# method:
#
# method=password
#
# Most common error messages:
#
# Method: password
# ErrorMsg: Wrong password or login
#
# Method: private-key
# ErrorMsg: Public key not recognized
# ErrorMsg: Wrong signature
#
# Method: kerberos
# ErrorMsg: Kerberos GSS token is not verified
# ErrorMsg: Kerberos GSS user is not valid
# ErrorMsg: Kerberos GSS MIC is not verified
#

method=[^’]*
errorMsg=[^’]*

failregex = ^.*ERROR! Authentication with ‘.*%(method)s.*’ from host ‘<HOST>’ failed\. Error is ‘%(errorMsg)s’\.$
ignoreregex =
datepattern = %%Y-%%m-%%d %%H:%%M:%%S
We wonder if fail2ban is looking at the nxd conf but not the nxauth conf for failed passwords and therefore the max attempts for nxd in the jail.local (set to 20 to block DoS attacks) is taking effect? Any help would be appreciated.
November 29, 2023 at 16:12 #46159 sdungan (Participant)
Right after posting, I discovered the problem, which was some sort of character translation error caused by copy/paste that changed the single quotes in the nxauth.conf file into a single quote with a curl, also known as “curly quotes.” Anyway, after correcting this, everything works as expected.
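The following is an added example, not part of the thread and not NoMachine's or fail2ban's own code. It interpolates the nxauth `[Definition]` the way fail2ban resolves `%(method)s`, `%(errorMsg)s` and `<HOST>`, then runs both the straight-quote and the curly-quote version of the failregex over constructed nxserver.log lines, showing why the mangled filter never produces a "Found" for nxauth while the nxd filter, which matches every accepted connection, counts each attempt. The log lines are invented to follow the shape of the posted failregex and the error messages listed in the filter's comments, and the `<HOST>` expansion is simplified to IPv4 only (fail2ban's real expansion also handles IPv6 and hostnames); both are assumptions. The last helper scans a filter file for typographic quotes, which is the check a practitioner would run before restarting fail2ban after pasting a KB article.

```python
import re

# fail2ban expands <HOST> into a named group; simplified here to IPv4 only
# (assumption: the real expansion also covers IPv6 addresses and hostnames).
HOST_RE = r"(?P<host>(?:\d{1,3}\.){3}\d{1,3})"

# The [Definition] of filter.d/nxauth.conf as it should read, with straight
# ASCII quotes, kept as a dict so %(name)s interpolation can be applied the
# way fail2ban applies it.
STRAIGHT_QUOTES = {
    "method": r"[^']*",
    "errorMsg": r"[^']*",
    "failregex": (
        r"^.*ERROR! Authentication with '.*%(method)s.*' from host '<HOST>' "
        r"failed\. Error is '%(errorMsg)s'\.$"
    ),
}

# The same definition after a copy/paste replaced ' with the typographic
# pair U+2018 / U+2019, the defect reported in the thread.
CURLY_QUOTES = {
    "method": "[^\u2019]*",
    "errorMsg": "[^\u2019]*",
    "failregex": (
        "^.*ERROR! Authentication with \u2018.*%(method)s.*\u2019 from host "
        "\u2018<HOST>\u2019 failed\\. Error is \u2018%(errorMsg)s\u2019\\.$"
    ),
}

# Constructed nxserver.log lines (not real NoMachine output): they follow the
# shape implied by the posted failregex and the filter's comment block.
SAMPLE_LOG = [
    "2023-11-27 09:45:32 NXSERVER ERROR! Authentication with 'password' "
    "from host '203.0.113.7' failed. Error is 'Wrong password or login'.",
    "2023-11-27 09:45:40 NXSERVER ERROR! Authentication with 'private-key' "
    "from host '203.0.113.7' failed. Error is 'Public key not recognized'.",
    "2023-11-27 09:45:51 NXSERVER Info: Authentication with 'password' "
    "from host '198.51.100.4' succeeded.",
]

TYPOGRAPHIC_QUOTES = "\u2018\u2019\u201c\u201d"


def compile_failregex(definition):
    """Resolve %(name)s references and the <HOST> tag, then compile the regex."""
    pattern = definition["failregex"] % definition
    return re.compile(pattern.replace("<HOST>", HOST_RE))


def matched_hosts(definition, lines):
    """Hosts fail2ban would count as failures under this filter definition."""
    failregex = compile_failregex(definition)
    return [m.group("host") for m in map(failregex.match, lines) if m]


def find_typographic_quotes(text):
    """(line number, line) pairs containing curly quotes; a non-empty result
    means the filter text was mangled on its way into filter.d."""
    return [
        (number, line)
        for number, line in enumerate(text.splitlines(), 1)
        if any(ch in TYPOGRAPHIC_QUOTES for ch in line)
    ]


if __name__ == "__main__":
    for label, definition in (("straight quotes", STRAIGHT_QUOTES),
                              ("curly quotes", CURLY_QUOTES)):
        print(f"{label}: {matched_hosts(definition, SAMPLE_LOG)}")
    # straight quotes: ['203.0.113.7', '203.0.113.7']
    # curly quotes: []
    print("mangled lines:", find_typographic_quotes(CURLY_QUOTES["failregex"]))
```

With the straight-quote definition the two failed attempts from 203.0.113.7 are counted and the successful login is ignored; with the curly-quote definition nothing matches, which is exactly the symptom in the first post (no "[nxauth] Found" lines while the nxd jail keeps counting). Running `find_typographic_quotes` over the contents of `/etc/fail2ban/filter.d/nxauth.conf` gives the same answer without restarting the service.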
December 1, 2023 at 12:46 #46188 Britgirl (Keymaster)
Ok thanks for letting us know.
This topic was marked as solved.