{"id":8268,"date":"2021-03-17T23:40:39","date_gmt":"2021-03-17T20:40:39","guid":{"rendered":"https:\/\/kifarunix.com\/?p=8268"},"modified":"2024-03-19T18:50:44","modified_gmt":"2024-03-19T15:50:44","slug":"control-nomachine-ports-on-firewall","status":"publish","type":"post","link":"https:\/\/kifarunix.com\/control-nomachine-ports-on-firewall\/","title":{"rendered":"Control NoMachine Ports on Firewall"},"content":{"rendered":"\n<p>In this blog post, you will learn how to control <a aria-label=\"NoMachine (opens in a new tab)\" href=\"https:\/\/www.nomachine.com\/\" target=\"_blank\" rel=\"noreferrer noopener\" class=\"rank-math-link\">NoMachine<\/a> ports on the firewall. If you have been using NoMachine, you might have realized that its default NX server port, 4000\/tcp, listens on all system interfaces and is reachable by anyone even when a firewall is running on the system. This is a risk, since anyone can connect to the service remotely, and hence calls for allowing only specific trusted IPs to access the port.<\/p>\n\n\n\n<p>Let us learn how you can control this so that the port is accessible only from specific IPs.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Controlling NoMachine Ports using System Firewall<\/h2>\n\n\n\n<p>As stated above, the NoMachine server port 4000\/tcp is accessible even if a firewall is running.<\/p>\n\n\n\n<p>On my test system, UFW is running and no port has been opened on the firewall;<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>ufw status<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>Status: active<\/code><\/pre>\n\n\n\n<p>To confirm that UFW is running and blocking, we can test the connection to the SSH port from a different server;<\/p>\n\n\n\n<p>First, confirm that the SSH service is listening on the remote desktop system that runs the NoMachine server;<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>netstat -altnp | grep 22<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-code\"><code>tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      571\/sshd: \/usr\/sbin \ntcp6       0      0 :::22                   :::*                    LISTEN      571\/sshd: \/usr\/sbin<\/code><\/pre>\n\n\n\n<p>Now, from one of the external systems, let us try to connect to the SSH port to verify that UFW is running and blocking connections;<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>nc -vn 192.168.57.26 22<\/code><\/pre>\n\n\n\n<p>Sample output showing that the connection to the port is blocked by the firewall;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>(UNKNOWN) [192.168.57.26] 22 (ssh) : Connection timed out<\/code><\/pre>\n\n\n\n<p>Now, test the connection to the NoMachine server port;<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>nc -vnz 192.168.57.26 4000<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-code\"><code>(UNKNOWN) [192.168.57.26] 4000 (?) open<\/code><\/pre>\n\n\n\n<p>Try telnet as well;<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>telnet 192.168.57.26 4000<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-code\"><code>Trying 192.168.57.26...\nConnected to 192.168.57.26.\nEscape character is '^]'.\n<\/code><\/pre>\n\n\n\n<h3 class=\"wp-block-heading\">Using System Firewall to Control NoMachine Ports<\/h3>\n\n\n\n<p>According to the NoMachine configuration file, usually <code><strong>BaseDirectory\/etc\/server.cfg<\/strong><\/code>, the NoMachine server automatically configures the firewall for all of its configured services. This explains why port 4000\/tcp is reachable while UFW is active with no rule allowing it.<\/p>\n\n\n\n<p>The NoMachine configuration option that controls the firewalling of its configured services is <code><strong>EnableFirewallConfiguration<\/strong><\/code>.<\/p>\n\n\n\n<p>This option can take two values;<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong><code>1<\/code><\/strong>: NoMachine automatically controls the firewalling of its services.
This is the default setting.<\/li>\n\n\n\n<li><strong><code>0<\/code><\/strong>: NoMachine does not configure the firewalling of its services, and the firewall must be configured manually.<\/li>\n<\/ul>\n\n\n\n<p>Now, open the NoMachine server configuration file and update the value of the <code><strong>EnableFirewallConfiguration<\/strong><\/code> configuration option.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>vim \/usr\/NX\/etc\/server.cfg<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>...\n# EnableFirewallConfiguration 1\n<strong>EnableFirewallConfiguration 0<\/strong><\/code><\/pre>\n\n\n\n<p>Save and exit the configuration file.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Restart NoMachine Server<\/h3>\n\n\n\n<p>Restart the NoMachine server for the changes to take effect.<\/p>\n\n\n\n<p>You can restart it from the UI or from the command line by running the command below;<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>\/usr\/NX\/bin\/nxserver --restart<\/code><\/pre>\n\n\n\n<h3 class=\"wp-block-heading\">Verify Connection to NoMachine Port<\/h3>\n\n\n\n<p>Once you have updated the configuration, try to connect to the port again. This time, no connection should go through;<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>telnet 192.168.57.26 4000<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-code\"><code>Trying 192.168.57.26...\ntelnet: Unable to connect to remote host: Connection timed out<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>nc -vnz 192.168.57.26 4000<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>(UNKNOWN) [192.168.57.26] 4000 (?) : Connection timed out<\/code><\/pre>\n\n\n\n<p>You can now allow specific IPs to connect to the NoMachine server.<\/p>\n\n\n\n<p>For example, on UFW, you would simply use the command below;<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>ufw allow from 192.168.57.33 to any port 4000 proto tcp<\/code><\/pre>\n\n\n\n<p>Check the firewall status;<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>ufw status<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-code\"><code>Status: active\n\nTo                         Action      From\n--                         ------      ----\n4000\/tcp                   ALLOW       192.168.57.33<\/code><\/pre>\n\n\n\n<p>Test the connection from the whitelisted IP;<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>telnet 192.168.57.26 4000<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-code\"><code>Trying 192.168.57.26...\nConnected to 192.168.57.26.\nEscape character is '^]'.<\/code><\/pre>\n\n\n\n<p>Test the connection from another host that is not whitelisted;<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>telnet 192.168.57.26 4000<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-code\"><code>Trying 192.168.57.26...\ntelnet: Unable to connect to remote host: Connection timed out<\/code><\/pre>\n\n\n\n<p>And there you go.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Related Tutorials<\/h3>\n\n\n\n<p><a aria-label=\" (opens in a new tab)\" href=\"https:\/\/kifarunix.com\/install-nomachine-on-ubuntu\/\" target=\"_blank\" rel=\"noreferrer noopener\" class=\"rank-math-link\">Install NoMachine on Ubuntu 20.04<\/a><\/p>\n\n\n\n<p><a aria-label=\" (opens in a new tab)\" href=\"https:\/\/kifarunix.com\/install-nomachine-remote-desktop-tool-on-kali-linux-2020\/\" target=\"_blank\" rel=\"noreferrer noopener\" class=\"rank-math-link\">Install NoMachine Remote Desktop Tool on Kali Linux 2020<\/a><\/p>\n\n\n\n<p><a aria-label=\" (opens in a new tab)\" href=\"https:\/\/kifarunix.com\/install-nomachine-remote-desktop-tool-on-fedora-32-31-30\/\" 
target=\"_blank\" rel=\"noreferrer noopener\" class=\"rank-math-link\">Install NoMachine Remote Desktop Tool on Fedora 32\/31\/30<\/a><\/p>\n\n\n\n<p><a href=\"https:\/\/kifarunix.com\/install-and-setup-nomachine-on-centos-8\/\" target=\"_blank\" aria-label=\" (opens in a new tab)\" rel=\"noreferrer noopener\" class=\"rank-math-link\">Install and Setup NoMachine on CentOS 8<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>In this blog post, you will learn how to control NoMachine ports on Firewall. If you have been using NoMachine, you might have realized that<\/p>\n","protected":false},"author":1,"featured_media":8288,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"rank_math_lock_modified_date":false,"footnotes":""},"categories":[214,993,121],"tags":[3280,3275,3279,3276,11,3274,3277,3278],"class_list":["post-8268","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-remote-desktop","category-desktop-environment","category-howtos","tag-access-nomachine-from-specific-ips","tag-allow-specific-ips-to-access-nomachine","tag-control-nomachine-ports-on-firewall","tag-enablefirewallconfiguration","tag-firewall","tag-nomachine-firewall","tag-nomachine-port-4000","tag-ufw","generate-columns","tablet-grid-50","mobile-grid-100","grid-parent","grid-50","resize-featured-image"],"_links":{"self":[{"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/posts\/8268"}],"collection":[{"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/comments?post=8268"}],"version-history":[{"count":4,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/posts\/8268\/revisions"}],"predecessor-version":[{"id":21899,"href":"https:\/\/kifarunix.com\/wp-json\/
wp\/v2\/posts\/8268\/revisions\/21899"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/media\/8288"}],"wp:attachment":[{"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/media?parent=8268"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/categories?post=8268"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/tags?post=8268"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}