Control NoMachine Ports on Firewall

In this blog post, you will learn how to control NoMachine ports on the firewall. If you have been using NoMachine, you might have noticed that its default NX server port, 4000/tcp, listens on all system interfaces and is reachable by anyone, even when a firewall is running on the system. This poses a risk, since anyone able to reach the host can connect to the service remotely, and hence there is a need to allow only specific trusted IPs to access the port.

Let us learn how you can bring this under control so that the port is only accessible from specific system IPs.

Controlling NoMachine Ports using System Firewall

As stated above, the NoMachine server port 4000/tcp is accessible even if a firewall is running.

On my test system, UFW is running and no port has been opened on the firewall;

ufw status
Status: active

To confirm that UFW is running and actually blocking traffic, we can test a connection to the SSH port from a different server.

First, confirm that the SSH service is listening on the desktop system running the NoMachine server;

netstat -altnp | grep 22
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      571/sshd: /usr/sbin 
tcp6       0      0 :::22                   :::*                    LISTEN      571/sshd: /usr/sbin

Now, from one of the external systems, try to connect to the SSH port to verify that UFW is running and blocking connections;

nc -vn 192.168.57.26 22

Sample output showing that the connection to the port is blocked by the firewall;

(UNKNOWN) [192.168.57.26] 22 (ssh) : Connection timed out

Now, test the connection to the NoMachine server port;

nc -vnz 192.168.57.26 4000
(UNKNOWN) [192.168.57.26] 4000 (?) open

Try telnet;

telnet 192.168.57.26 4000
Trying 192.168.57.26...
Connected to 192.168.57.26.
Escape character is '^]'.

Using System Firewall to Control NoMachine Ports

According to the NoMachine configuration file, usually BaseDirectory/etc/server.cfg, the NoMachine server automatically configures the firewall for all of its configured services. This is why port 4000/tcp was reachable in the test above even though UFW had no rule allowing it: NoMachine opens the port itself, independently of the rules you manage.

The NoMachine configuration option that controls the firewalling of its configured services is EnableFirewallConfiguration.

This option can take two values;

  • 1: NoMachine is enabled to automatically control the firewalling of its services. This is the default setting.
  • 0: NoMachine is disabled from automatically controlling the firewalling of its services, and the firewall must be configured manually.

So now, open the NoMachine server configuration file and update the value of the EnableFirewallConfiguration option.

vim /usr/NX/etc/server.cfg
...
# EnableFirewallConfiguration 1
EnableFirewallConfiguration 0

Save and exit the configuration file.

Restart NoMachine Server

Restart the NoMachine server for the changes to take effect.

You can restart from the UI or restart from the command line by running the command below;

/usr/NX/bin/nxserver --restart

Verify Connection to NoMachine Port

Once you have updated the configuration, try to connect to the port again. This time round, no connection should go through;

telnet 192.168.57.26 4000
Trying 192.168.57.26...
telnet: Unable to connect to remote host: Connection timed out
nc -vnz 192.168.57.26 4000
(UNKNOWN) [192.168.57.26] 4000 (?) : Connection timed out

You can now allow specific IPs to connect to the NoMachine server.

For example, on UFW, you would simply use the command below;

ufw allow from 192.168.57.33 to any port 4000 proto tcp

Check the firewall status;

ufw status
Status: active

To                         Action      From
--                         ------      ----
4000/tcp                   ALLOW       192.168.57.33
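The two halves of the procedure above, turning off EnableFirewallConfiguration in server.cfg and then checking that only the intended source is allowed to reach 4000/tcp, are easy to get slightly wrong by hand (leaving a second active setting line behind, or leaving a rule for Anywhere in place). The following shell script is an added example, not part of the original post or of NoMachine itself: it reads the effective setting from a server.cfg, rewrites it idempotently, and parses a "ufw status" listing for the sources allowed on 4000/tcp. The path /usr/NX/etc/server.cfg, the option name and the address 192.168.57.33 come from the post; the sample configuration fragment and the sample ufw output embedded below are constructed for the demonstration.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): manage EnableFirewallConfiguration
# in a NoMachine server.cfg and verify the UFW rule for 4000/tcp.
set -u

# Print the effective EnableFirewallConfiguration value from the given server.cfg.
# The last uncommented "EnableFirewallConfiguration N" line wins; when none is
# present, NoMachine's documented default (1, automatic firewall control) applies.
nx_firewall_setting() {
    cfg="$1"
    val=$(grep -E '^[[:space:]]*EnableFirewallConfiguration[[:space:]]+[01]' "$cfg" \
          | tail -n 1 | awk '{print $2}')
    if [ -z "$val" ]; then
        echo 1
    else
        echo "$val"
    fi
}

# Set EnableFirewallConfiguration to 0 or 1. Every active setting line is
# commented out (keeping the old value visible, as in the post's
# "# EnableFirewallConfiguration 1") and the new value is appended, so the
# file ends up with exactly one active line. A temp file is used instead of
# "sed -i" for portability.
set_nx_firewall_setting() {
    cfg="$1"; want="$2"
    case "$want" in
        0|1) ;;
        *) echo "value must be 0 or 1" >&2; return 2 ;;
    esac
    sed -E 's/^([[:space:]]*)(EnableFirewallConfiguration[[:space:]]+[01])/\1# \2/' "$cfg" > "$cfg.tmp" \
        && mv "$cfg.tmp" "$cfg"
    printf 'EnableFirewallConfiguration %s\n' "$want" >> "$cfg"
    # Confirm the rewrite took effect.
    [ "$(nx_firewall_setting "$cfg")" = "$want" ]
}

# Read a "ufw status" listing on stdin and print the From column of every
# ALLOW rule for 4000/tcp. A result of "Anywhere" means the port is still
# open to every host, which is what this whole exercise is meant to avoid.
ufw_nx_sources() {
    awk '$1 == "4000/tcp" && $2 == "ALLOW" {print $3}'
}

# Stand-alone demonstration against a constructed server.cfg fragment and a
# constructed ufw status listing (real paths would be /usr/NX/etc/server.cfg
# and the output of "ufw status").
demo() {
    tmp=$(mktemp)
    cat > "$tmp" <<'EOF'
# Enable or disable firewall configuration (constructed sample fragment).
#
# EnableFirewallConfiguration 1
EnableFirewallConfiguration 1
EOF
    echo "setting before: $(nx_firewall_setting "$tmp")"
    set_nx_firewall_setting "$tmp" 0
    echo "setting after:  $(nx_firewall_setting "$tmp")"
    rm -f "$tmp"

    # Constructed sample of the table printed by "ufw status".
    sample_status='To                         Action      From
--                         ------      ----
4000/tcp                   ALLOW       192.168.57.33'
    echo "hosts allowed on 4000/tcp: $(printf '%s\n' "$sample_status" | ufw_nx_sources)"
}

demo
```

In practice you would point nx_firewall_setting and set_nx_firewall_setting at /usr/NX/etc/server.cfg (as root), restart nxserver as shown above, and pipe the live "ufw status" into ufw_nx_sources; anything other than the trusted addresses in that output means a rule still needs removing.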

Test connection from the whitelisted IP;

telnet 192.168.57.26 4000
Trying 192.168.57.26...
Connected to 192.168.57.26.
Escape character is '^]'.

Test the port connection from another host that is not whitelisted;

telnet 192.168.57.26 4000
Trying 192.168.57.26...
telnet: Unable to connect to remote host: Connection timed out

And there you go.


koromicha
I am the Co-founder of Kifarunix.com, Linux and the whole FOSS enthusiast, Linux System Admin and a Blue Teamer who loves to share technological tips and hacks with others as a way of sharing knowledge as: "In vain have you acquired knowledge if you have not imparted it to others".