Forum / NoMachine for Linux / Request for log explanations
April 3, 2023 at 13:04 #43688 Eeel (Participant)
Hello,
I’m running NX NoMachine on Slackware 15.
First question:
Every time I connect, there is a Warning in the nxserver.log. Can you please explain what it means? Login is successful:
25510 25510 2023-04-03 13:36:09 256.361 NXSERVER Connected from remote machine '64.208.XXX.XXX' using protocol 'NX'.
Info: Handler started with pid 25510 on Mon Apr 3 13:36:09 2023.
Info: Handling connection from 64.208.XXX.XXX port 45528 on Mon Apr 3 13:36:09 2023.
25510 25510 2023-04-03 13:36:24 398.414 NXSERVER WARNING! Process '/usr/NX/bin/nxexec --isadmin myuser' with pid '25543/25543' finished with exit code 1 after 0,006 seconds.
25510 25510 2023-04-03 13:36:24 400.835 NXSERVER User 'myuser' logged in from '64.208.XXX.XXX' using authentication method NX-password.
8590 8590 13:36:24 421.172 Redis: 1 changes in 900 seconds. Saving….
Info: Connection from 64.208.XXX.XXX port 45528 closed on Mon Apr 3 13:36:25 2023.
Info: Handler with pid 25510 terminated on Mon Apr 3 13:36:25 2023.
Second question:
I have connections in nxserver.log that I suppose are suspicious, around 2 times a day, sometimes more. Can you explain what this attempt is? The IP address changes frequently (every two attempts) but is always from the same country / IP range. Any explanation and advice are welcome.
26623 26623 2023-04-02 11:39:56 547.099 NXSERVER Connected from remote machine '185.122.204.XX' using protocol 'NX'.
Info: Handler started with pid 26623 on Sun Apr 2 11:39:56 2023.
Info: Handling connection from 185.122.204.XX port 62221 on Sun Apr 2 11:39:56 2023.
26623 26650 2023-04-02 11:39:56 599.414 DaemonGreeter/DaemonGreeter: ERROR! Invalid client identification ''.
Error: Invalid client identification ''.
Warning: Connection from 185.122.204.XX port 62221 failed on Sun Apr 2 11:39:56 2023.
Warning: Connection error is 22, 'Invalid argument'.
Info: Handler with pid 26623 terminated on Sun Apr 2 11:39:56 2023.
26623 26623 2023-04-02 11:39:56 599.681 NXSERVER ERROR! Server: Encryptor context not received.
26623 26623 2023-04-02 11:39:56 599.846 NXSERVER Remote machine '185.122.204.XX' disconnected.
Does anyone have a fail2ban regex for this? By the way, any regexes other than the two from the documentation are welcome.
April 7, 2023 at 14:46 #43761 Britgirl (Keymaster)
Hi,
25510 25510 2023-04-03 13:36:24 398.414 NXSERVER WARNING! Process '/usr/NX/bin/nxexec --isadmin myuser' with pid '25543/25543' finished with exit code 1 after 0,006 seconds.
'nxexec' is checking who the user is, in this case it's --isadmin myuser, and reports a value on the basis of who that user is: '0' for admin, '1' if it is not admin. By the way, this will be “silenced” in version 9 in the NoMachine standard logs.
Your second question… it seems to be a scanning attempt on a non-standard port 62221. NoMachine does not use this port by default. Could it be that this port was previously used by some other service, previously reported as a security issue, and your scanners are checking it?
April 19, 2023 at 10:27 #43930 Eeel (Participant)
Hi Britgirl,
Thank you for your feedback.
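An added example, not part of the thread and not NoMachine's own code: one way to pick the failed handshakes from the second question out of the handler log lines and count them per /24, since the addresses are reported to change within one range. The regexes are assumptions built only from the lines quoted above, the sample log is constructed with documentation-range addresses, and the state tracking assumes the lines of different handlers are not interleaved.

```python
import re
from collections import Counter
from datetime import datetime
from ipaddress import ip_network

# Assumed patterns, derived only from the nxserver.log lines quoted in the thread.
HANDLING = re.compile(r"^Info: Handling connection from (\S+) port (\d+) on ")
BAD_ID = re.compile(r"^Error: Invalid client identification ")
FAILED = re.compile(r"^Warning: Connection from (\S+) port (\d+) failed on (.+)\.$")

def failed_handshakes(lines):
    """Yield (ip, when) for connections that failed after an invalid client identification."""
    bad_id_seen = False  # simplification: assumes one handler's lines at a time
    for line in lines:
        line = line.strip()
        if HANDLING.match(line):
            bad_id_seen = False          # a new connection starts: reset state
        elif BAD_ID.match(line):
            bad_id_seen = True
        elif (m := FAILED.match(line)) and bad_id_seen:
            when = datetime.strptime(m.group(3), "%a %b %d %H:%M:%S %Y")
            yield m.group(1), when
            bad_id_seen = False

def noisy_networks(lines, prefix=24, threshold=2):
    """Return {IPv4 network: count} for networks with at least `threshold` failed handshakes."""
    counts = Counter(
        str(ip_network(f"{ip}/{prefix}", strict=False))
        for ip, _ in failed_handshakes(lines)
    )
    return {net: n for net, n in counts.items() if n >= threshold}

# Constructed sample log (RFC 5737 documentation addresses), not real data.
SAMPLE_LOG = """\
Info: Handling connection from 203.0.113.10 port 62221 on Sun Apr 2 11:39:56 2023.
Error: Invalid client identification ''.
Warning: Connection from 203.0.113.10 port 62221 failed on Sun Apr 2 11:39:56 2023.
Info: Handling connection from 198.51.100.5 port 45528 on Mon Apr 3 13:36:09 2023.
Info: Connection from 198.51.100.5 port 45528 closed on Mon Apr 3 13:36:25 2023.
Info: Handling connection from 203.0.113.77 port 50112 on Mon Apr 3 23:10:02 2023.
Error: Invalid client identification ''.
Warning: Connection from 203.0.113.77 port 50112 failed on Mon Apr 3 23:10:02 2023.
Info: Handling connection from 192.0.2.9 port 40000 on Tue Apr 4 01:00:00 2023.
Error: Invalid client identification ''.
Warning: Connection from 192.0.2.9 port 40000 failed on Tue Apr 4 01:00:00 2023.
""".splitlines()

if __name__ == "__main__":
    print(noisy_networks(SAMPLE_LOG))
```

The `FAILED` pattern matches the line that carries the client address, so it is the one to adapt into a fail2ban `failregex`, with `<HOST>` in place of the first group.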