Fail2Ban – not banning

Forum / NoMachine for Linux / Fail2Ban – not banning

Viewing 3 posts - 1 through 3 (of 3 total)
  • Author
    Posts
  • #46140
    sdungan
    Participant

    Hello,

    We are running Fail2Ban 1.0.2 and NoMachine version 8.9.1. We set up our jails for nxd and nxauth following NoMachine KB AR05P00983. We modified the max retry for nxauth for 4 and the find time to be 20 minutes. Fail2ban finds IPs for failed passwords in the logs (strangely for nxd and not nxauth?), but does not issue a ban after more than 4 failed attempts:

    2023-11-27 09:41:23,457 fail2ban.server         [2457454]: INFO    Starting Fail2ban v1.0.2
    2023-11-27 09:41:23,458 fail2ban.observer       [2457454]: INFO    Observer start…
    2023-11-27 09:41:23,464 fail2ban.database       [2457454]: INFO    Connected to fail2ban persistent database ‘/var/lib/fail2ban/fail2ban.sqlite3’
    2023-11-27 09:41:23,465 fail2ban.jail           [2457454]: INFO    Creating new jail ‘sshd’
    2023-11-27 09:41:23,475 fail2ban.jail           [2457454]: INFO    Jail ‘sshd’ uses systemd {}
    2023-11-27 09:41:23,475 fail2ban.jail           [2457454]: INFO    Initiated ‘systemd’ backend
    2023-11-27 09:41:23,476 fail2ban.filter         [2457454]: INFO      maxLines: 1
    2023-11-27 09:41:23,493 fail2ban.filtersystemd  [2457454]: INFO    [sshd] Added journal match for: ‘_SYSTEMD_UNIT=sshd.service + _COMM=sshd’
    2023-11-27 09:41:23,493 fail2ban.filter         [2457454]: INFO      maxRetry: 4
    2023-11-27 09:41:23,493 fail2ban.filter         [2457454]: INFO      findtime: 1200
    2023-11-27 09:41:23,493 fail2ban.actions        [2457454]: INFO      banTime: 3600
    2023-11-27 09:41:23,493 fail2ban.filter         [2457454]: INFO      encoding: UTF-8
    2023-11-27 09:41:23,494 fail2ban.jail           [2457454]: INFO    Creating new jail ‘nxauth’
    2023-11-27 09:41:23,502 fail2ban.jail           [2457454]: INFO    Jail ‘nxauth’ uses pyinotify {}
    2023-11-27 09:41:23,507 fail2ban.jail           [2457454]: INFO    Initiated ‘pyinotify’ backend
    2023-11-27 09:41:23,508 fail2ban.datedetector   [2457454]: INFO      date pattern '%Y-%m-%d %H:%M:%S': Year-Month-Day 24hour:Minute:Second
    2023-11-27 09:41:23,509 fail2ban.filter         [2457454]: INFO      maxRetry: 10
    2023-11-27 09:41:23,509 fail2ban.filter         [2457454]: INFO      findtime: 1200
    2023-11-27 09:41:23,509 fail2ban.actions        [2457454]: INFO      banTime: 3600
    2023-11-27 09:41:23,509 fail2ban.filter         [2457454]: INFO      encoding: UTF-8
    2023-11-27 09:41:23,509 fail2ban.filter         [2457454]: INFO    Added logfile: ‘/usr/NX/var/log/nxserver.log’ (pos = 427745, hash = 74bb20d4bbd8dfbfe13e284b63f655490ce383f0)
    2023-11-27 09:41:23,510 fail2ban.jail           [2457454]: INFO    Creating new jail ‘nxd’
    2023-11-27 09:41:23,510 fail2ban.jail           [2457454]: INFO    Jail ‘nxd’ uses pyinotify {}
    2023-11-27 09:41:23,515 fail2ban.jail           [2457454]: INFO    Initiated ‘pyinotify’ backend
    2023-11-27 09:41:23,516 fail2ban.datedetector   [2457454]: INFO      date pattern '%a %b %d %H:%M:%S %Y': DAY MON Day 24hour:Minute:Second Year
    2023-11-27 09:41:23,516 fail2ban.filter         [2457454]: INFO      maxRetry: 20
    2023-11-27 09:41:23,516 fail2ban.filter         [2457454]: INFO      findtime: 5
    2023-11-27 09:41:23,517 fail2ban.actions        [2457454]: INFO      banTime: 86400
    2023-11-27 09:41:23,517 fail2ban.filter         [2457454]: INFO      encoding: UTF-8
    2023-11-27 09:41:23,517 fail2ban.filter         [2457454]: INFO    Added logfile: ‘/usr/NX/var/log/nxd.log’ (pos = 180042, hash = fbdad8065b5931fdc99d9719af00604c8b648b82)
    2023-11-27 09:41:23,518 fail2ban.jail           [2457454]: INFO    Jail ‘sshd’ started
    2023-11-27 09:41:23,520 fail2ban.filtersystemd  [2457454]: INFO    [sshd] Jail is in operation now (process new journal entries)
    2023-11-27 09:41:23,520 fail2ban.jail           [2457454]: INFO    Jail ‘nxauth’ started
    2023-11-27 09:41:23,521 fail2ban.jail           [2457454]: INFO    Jail ‘nxd’ started
    2023-11-27 09:43:44,942 fail2ban.filter         [2457454]: INFO    [sshd] Found xxx.xxx.xxx.xxx – 2023-11-27 09:43:44
    2023-11-27 09:43:47,978 fail2ban.filter         [2457454]: INFO    [sshd] Found xxx.xxx.xxx.xxx – 2023-11-27 09:43:47
    2023-11-27 09:43:50,478 fail2ban.filter         [2457454]: INFO    [sshd] Found xxx.xxx.xxx.xxx – 2023-11-27 09:43:50
    2023-11-27 09:43:54,432 fail2ban.filter         [2457454]: INFO    [sshd] Found xxx.xxx.xxx.xxx – 2023-11-27 09:43:54
    2023-11-27 09:43:54,884 fail2ban.actions        [2457454]: NOTICE  [sshd] Ban xxx.xxx.xxx.xxx
    2023-11-27 09:45:32,284 fail2ban.filter         [2457454]: INFO    [nxd] Found xxx.xxx.xxx.xxx – 2023-11-27 09:45:32
    2023-11-27 09:46:46,932 fail2ban.filter         [2457454]: INFO    [nxd] Found xxx.xxx.xxx.xxx – 2023-11-27 09:46:46
    2023-11-27 09:46:50,199 fail2ban.filter         [2457454]: INFO    [nxd] Found xxx.xxx.xxx.xxx – 2023-11-27 09:46:50
    2023-11-27 09:46:54,205 fail2ban.filter         [2457454]: INFO    [nxd] Found xxx.xxx.xxx.xxx – 2023-11-27 09:46:54
    2023-11-27 09:46:57,488 fail2ban.filter         [2457454]: INFO    [nxd] Found xxx.xxx.xxx.xxx – 2023-11-27 09:46:57
    2023-11-27 09:47:01,465 fail2ban.filter         [2457454]: INFO    [nxd] Found xxx.xxx.xxx.xxx – 2023-11-27 09:47:01
    2023-11-27 09:47:05,159 fail2ban.filter         [2457454]: INFO    [nxd] Found xxx.xxx.xxx.xxx – 2023-11-27 09:47:05
    2023-11-27 09:47:08,947 fail2ban.filter         [2457454]: INFO    [nxd] Found xxx.xxx.xxx.xxx – 2023-11-27 09:47:08
    2023-11-27 09:47:12,859 fail2ban.filter         [2457454]: INFO    [nxd] Found xxx.xxx.xxx.xxx – 2023-11-27 09:47:12
    2023-11-27 09:47:16,827 fail2ban.filter         [2457454]: INFO    [nxd] Found xxx.xxx.xxx.xxx – 2023-11-27 09:47:16
    2023-11-27 09:47:20,519 fail2ban.filter         [2457454]: INFO    [nxd] Found xxx.xxx.xxx.xxx – 2023-11-27 09:47:20
    2023-11-27 09:47:25,778 fail2ban.filter         [2457454]: INFO    [nxd] Found xxx.xxx.xxx.xxx – 2023-11-27 09:47:25
    2023-11-27 09:47:30,042 fail2ban.filter         [2457454]: INFO    [nxd] Found xxx.xxx.xxx.xxx – 2023-11-27 09:47:30

    From the above, you can see that it does issue bans for the SSHD jail, so that is working as expected. Here are the conf files for this host:

    [root@localhost ~]# cat /etc/fail2ban/jail.local
    #
    # Configure fail2ban to block hosts with 4 failed
    # passwords in 20 minutes. Ban for 1 hour.
    #
    [sshd]
    enabled = true
    bantime = 3600
    findtime = 1200
    maxretry = 4
    action = nftables-allports
    chain = INPUT
    ignoreip = 127.0.0.1/8

    #
    # Configure fail2ban to block hosts with 4 failed
    # passwords in 20 minutes. Ban for 1 hour.
    #
    [nxauth]
    enabled  = true
    port     = 4000
    filter   = nxauth
    logpath  = /usr/NX/var/log/nxserver.log
    maxretry = 4
    findtime = 1200
    bantime = 3600
    action = nftables-allports
    chain = INPUT
    ignoreip = 127.0.0.1/8

    #
    # Configure fail2ban to block DDoS attacks on NoMachine
    # (20 connections in 5 seconds or less). Ban for 1 day.
    #
    [nxd]
    enabled  = true
    port     = 4000
    filter   = nxd
    logpath  = /usr/NX/var/log/nxd.log
    maxretry = 20
    findtime = 5
    bantime = 86400
    action = nftables-allports
    chain = INPUT
    ignoreip = 127.0.0.1/8

    [root@localhost ~]# cat /etc/fail2ban/filter.d/nxd.conf
    #
    # Fail2Ban filter for NoMachine.
    #

    [Definition]

    #
    # Regex matches all accepted NX protocol connections.
    #

    failregex = ^Info: Connection from <HOST> port \d+ accepted on.*$

    ignoreregex =

    datepattern = %%a %%b %%d %%H:%%M:%%S %%Y

    [root@localhost ~]# cat /etc/fail2ban/filter.d/nxauth.conf
    #
    # Fail2Ban filter for NoMachine.
    #

    [Definition]

    #
    # The default regex matches all the supported authentication methods
    # for connections by NX protocol, which are:
    # password   : Password authentication.
    # private-key: Key-based authentication.
    # kerberos   : Kerberos ticket-based authentication.
    #
    # For example, set the regex to match password based authentication
    # method:
    #
    # method=password
    #
    # Most common error messages:
    #
    # Method: password
    # ErrorMsg: Wrong password or login
    #
    # Method: private-key
    # ErrorMsg: Public key not recognized
    # ErrorMsg: Wrong signature
    #
    # Method: kerberos
    # ErrorMsg: Kerberos GSS token is not verified
    # ErrorMsg: Kerberos GSS user is not valid
    # ErrorMsg: Kerberos GSS MIC is not verified
    #

    method=[^’]*
    errorMsg=[^’]*

    failregex = ^.*ERROR! Authentication with ‘.*%(method)s.*’ from host ‘<HOST>’ failed\. Error is ‘%(errorMsg)s’\.$

    ignoreregex =

    datepattern = %%Y-%%m-%%d %%H:%%M:%%S

    We wonder if fail2ban is looking at the nxd conf but not the nxauth conf for failed passwords and therefore the max attempts for nxd in the jail.local (set to 20 to block DoS attacks) is taking effect? Any help would be appreciated.

     

    #46159
    sdungan
    Participant

    Right after posting, I discovered the problem which was some sort of character transaltion error caused by copy/paste that changed the single quotes in the nxauth.conf file into a single quote with a curl, also known as “curly quotes.” Anyway, after correcting this, everything works as expected.

    #46188
    Britgirl
    Participant

    Ok thanks for letting us know.

Viewing 3 posts - 1 through 3 (of 3 total)

This topic was marked as solved, you can't post.