Fail2Ban nxd jail – no valid date/time

Viewing 3 posts - 1 through 3 (of 3 total)
  • #45631
    sdungan
    Participant

    Hello,

    We are running Fail2Ban 1.0.2 and NoMachine version 8.4.2. We set up our jails for nxd and nxauth following NoMachine KB AR05P00983. Fail2ban finds IPs in the logs but then errors when trying to parse the time format:

    2023-10-01 22:34:42,436 fail2ban.filter         [1545]: INFO    [nxd] Found xx.x.xxx.xxx - 2023-10-01 22:34:42
    2023-10-01 22:34:42,436 fail2ban.filter         [1545]: ERROR   findFailure failed to parse timeText: Sun Oct  1 22:34:42 2023
    2023-10-01 22:34:44,275 fail2ban.filter         [1545]: ERROR   findFailure failed to parse timeText: Sun Oct  1 22:34:44 2023

    It seems clear from the error message that Fail2Ban does not like the time format that NoMachine uses in its logs. Fail2Ban allows you to set a custom date pattern in the jail, but that pattern requires knowledge of regex and Python. I was hoping that someone else figured this out and can give some pointers?

    Thanks,

    S

     

    #45701
    Britgirl
    Keymaster

    Hi,

    What version of Fail2Ban are you using? We have an article that outlines how to configure Fail2Ban with NoMachine which you can consult here: https://kb.nomachine.com/AR05P00983. These changes apply to the latest version of NoMachine, currently 8.9.

    We just updated it to include the changes required for Fail2Ban 1.0.2 or later, which are reported below.

    For Fail2Ban v1.0.2 and later, the following changes need to be made:

    ----------
    sudo cat /usr/NX/share/fail2ban/nxauth.conf
    ----------
    #
    # Fail2Ban filter for NoMachine.
    #

    [Definition]

    #
    # The default regex matches all the supported authentication methods
    # for connections by NX protocol, which are:
    # password   : Password authentication.
    # private-key: Key-based authentication.
    # kerberos   : Kerberos ticket-based authentication.
    #
    # For example, set the regex to match password based authentication
    # method:
    #
    # method=password
    #
    # Most common error messages:
    #
    # Method: password
    # ErrorMsg: Wrong password or login
    #
    # Method: private-key
    # ErrorMsg: Public key not recognized
    # ErrorMsg: Wrong signature
    #
    # Method: kerberos
    # ErrorMsg: Kerberos GSS token is not verified
    # ErrorMsg: Kerberos GSS user is not valid
    # ErrorMsg: Kerberos GSS MIC is not verified
    #

    method=[^']*
    errorMsg=[^']*

    failregex = ^.*ERROR! Authentication with '.*%(method)s.*' from host '<HOST>' failed\. Error is '%(errorMsg)s'\.$

    ignoreregex =

    datepattern = %%Y-%%m-%%d %%H:%%M:%%S

    ----------
    sudo cat /usr/NX/share/fail2ban/nxd.conf
    ----------
    #
    # Fail2Ban filter for NoMachine.
    #

    [Definition]

    #
    # Regex matches all accepted NX protocol connections.
    #

    failregex = ^Info: Connection from <HOST> port \d+ accepted on.*$

    ignoreregex =

    datepattern = %%a %%b %%d %%H:%%M:%%S %%Y
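
Added example, not part of the original posts or NoMachine's files: a Python check of how the two filters above resolve and match. It loads the posted settings with configparser, which applies the same `%%` and `%(name)s` interpolation syntax, and assumes straight ASCII quotes in the regexes, a simplified IPv4-only stand-in for `<HOST>`, and constructed log lines.

```python
import configparser
import re
from datetime import datetime

# Filter settings as posted above, one section per file (section names are this example's).
FILTERS = r"""
[nxauth]
method=[^']*
errorMsg=[^']*
failregex = ^.*ERROR! Authentication with '.*%(method)s.*' from host '<HOST>' failed\. Error is '%(errorMsg)s'\.$
datepattern = %%Y-%%m-%%d %%H:%%M:%%S
[nxd]
failregex = ^Info: Connection from <HOST> port \d+ accepted on.*$
datepattern = %%a %%b %%d %%H:%%M:%%S %%Y
"""
cfg = configparser.ConfigParser()   # default interpolation: %% -> %, %(name)s -> option value
cfg.read_string(FILTERS)

# Simplified stand-ins (assumptions): IPv4-only <HOST>, and only the directives used here.
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"
DIRECTIVES = {"a": r"[A-Za-z]{3}", "b": r"[A-Za-z]{3}", "d": r"[ 0-3]?\d", "m": r"[01]\d",
              "Y": r"\d{4}", "H": r"[0-2]\d", "M": r"[0-5]\d", "S": r"[0-6]\d"}

def date_regex(pattern):
    """Turn a strptime-style pattern into a regex that locates the timestamp in a line."""
    return re.sub(r"%(\w)", lambda m: DIRECTIVES[m.group(1)], pattern)

def check(name, line):
    """Return (host, timestamp) when filter `name` matches `line`, else None."""
    datepattern = cfg[name]["datepattern"]
    found = re.search(date_regex(datepattern), line)
    if not found:
        return None                          # no timestamp the pattern can parse
    when = datetime.strptime(found.group(0), datepattern)
    rest = line[:found.start()] + line[found.end():]   # match failregex on the line minus the date
    hit = re.search(cfg[name]["failregex"].replace("<HOST>", HOST), rest)
    return (hit.group("host"), when) if hit else None

# Constructed sample lines (not real log output), shaped to fit the failregex above.
NXD_LINE = "Info: Connection from 203.0.113.7 port 51234 accepted on Sun Oct  1 22:34:42 2023."
NXAUTH_LINE = ("2023-10-01 22:34:40 ERROR! Authentication with 'password' from host "
               "'203.0.113.7' failed. Error is 'Wrong password or login'.")

if __name__ == "__main__":
    for name, line in (("nxd", NXD_LINE), ("nxauth", NXAUTH_LINE)):
        print(name, check(name, line))
```

On a host with Fail2Ban installed, the `fail2ban-regex` tool performs the real version of this check against the actual log file and filter.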

    #45709
    sdungan
    Participant

    Hi.

    We are running fail2ban version 1.02 and making the changes you posted seems to fix the problem.

    Thanks!

    -S

This topic was marked as solved, you can't post.