In this blog post, you will learn how to control NoMachine ports on a firewall. If you have been using NoMachine, you might have noticed that its default NX server port, 4000/tcp, listens on all system interfaces and is reachable by anyone, even when a firewall is running on the system. This is a risk, since anyone can connect to the service remotely, so there is a need to allow only specific trusted IPs to reach the port.
Let us learn how you can control this situation so that the port is accessible only from specific system IPs.
Controlling NoMachine Ports using System Firewall
As stated above, the NoMachine server port 4000/tcp is accessible even if a firewall is running.
In my test system, UFW is running and no port is opened on the firewall;
ufw status
Status: active
To confirm that UFW is running and blocking, we can test the connection to the SSH port from a different server;
Confirm that the SSH service is running on the remote desktop system running the NoMachine server;
netstat -altnp | grep 22
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 571/sshd: /usr/sbin
tcp6 0 0 :::22 :::* LISTEN 571/sshd: /usr/sbin
Now, from one of the external systems, let us try to connect to the SSH port to verify that UFW is running and blocking connections;
nc -vn 192.168.57.26 22
Sample output showing that the port connection is blocked by the firewall;
(UNKNOWN) [192.168.57.26] 22 (ssh) : Connection timed out
Now, test the connection to the NoMachine server port;
nc -vnz 192.168.57.26 4000
(UNKNOWN) [192.168.57.26] 4000 (?) open
Try telnet;
telnet 192.168.57.26 4000
Trying 192.168.57.26...
Connected to 192.168.57.26.
Escape character is '^]'.
Using System Firewall to Control NoMachine Ports
According to the NoMachine configuration file, usually BaseDirectory/etc/server.cfg, the NoMachine server automatically configures the firewall for all of its configured services, which is why the port is reachable even though UFW is active.
The NoMachine configuration option that controls whether NoMachine manages the firewall rules for its services is EnableFirewallConfiguration.
This option can take two values;
1: NoMachine automatically controls the firewalling of its services. This is the default setting.
0: NoMachine does not control the firewalling of its services, and the firewall must be configured manually.
So now, open the NoMachine server configuration file and update the value of the EnableFirewallConfiguration option.
vim /usr/NX/etc/server.cfg
...
# EnableFirewallConfiguration 1
EnableFirewallConfiguration 0
Save and exit the configuration file.
Restart NoMachine Server
Restart the NoMachine server to apply the changes.
You can restart from the UI or from the command line by running the command below;
/usr/NX/bin/nxserver --restart
Verify Connection to NoMachine Port
Once you have updated the configuration, try to connect to the port again. This time, no connection should go through;
telnet 192.168.57.26 4000
Trying 192.168.57.26...
telnet: Unable to connect to remote host: Connection timed out
nc -vnz 192.168.57.26 4000
(UNKNOWN) [192.168.57.26] 4000 (?) : Connection timed out
You can now allow specific IPs to connect to the NoMachine server.
For example, on UFW, you would use the command below;
ufw allow from 192.168.57.33 to any port 4000 proto tcp
Check the status;
ufw status
Status: active

To Action From
-- ------ ----
4000/tcp ALLOW 192.168.57.33
Test the connection from the whitelisted IP;
telnet 192.168.57.26 4000
Trying 192.168.57.26...
Connected to 192.168.57.26.
Escape character is '^]'.
Test the port connection from another host that is not whitelisted;
telnet 192.168.57.26 4000
Trying 192.168.57.26...
telnet: Unable to connect to remote host: Connection timed out
And there you go.
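As an added example (not part of the original post), the steps above collected into a small POSIX shell script: it rewrites EnableFirewallConfiguration to 0 in server.cfg, restarts nxserver, emits the ufw rules for a list of trusted IPs, and offers a client-side reachability check. The paths /usr/NX/etc/server.cfg and /usr/NX/bin/nxserver and the port 4000 are taken from the post; the function names, the .bak backup file and the `apply` sub-command are my own assumptions.

```shell
#!/bin/sh
# Added example, not NoMachine's own tooling: lock the NX port down to trusted IPs with UFW.
# Assumed defaults (from the post): server.cfg path, nxserver path, port 4000/tcp.
NX_CFG="${NX_CFG:-/usr/NX/etc/server.cfg}"
NX_BIN="${NX_BIN:-/usr/NX/bin/nxserver}"
NX_PORT="${NX_PORT:-4000}"

# Step 1: read server.cfg text on stdin and write it back with
# EnableFirewallConfiguration set to 0. Handles both the commented default
# ("# EnableFirewallConfiguration 1") and an already active line.
disable_nx_firewall_cfg() {
    sed -E 's/^[[:space:]]*#?[[:space:]]*EnableFirewallConfiguration[[:space:]]+[01][[:space:]]*$/EnableFirewallConfiguration 0/'
}

# Step 3: print one ufw rule per trusted IP (arguments), matching the post's rule form.
ufw_allow_cmds() {
    for ip in "$@"; do
        printf 'ufw allow from %s to any port %s proto tcp\n' "$ip" "$NX_PORT"
    done
}

# Verification from a client: exit 0 if the port answers, 1 if filtered/closed.
nx_port_reachable() {
    nc -vnz -w 3 "$1" "$NX_PORT" >/dev/null 2>&1
}

# Apply everything on the NoMachine host (needs root): back up the config,
# rewrite it, restart the server (step 2), then install the allow rules.
apply() {
    cp "$NX_CFG" "$NX_CFG.bak"
    disable_nx_firewall_cfg < "$NX_CFG.bak" > "$NX_CFG"
    "$NX_BIN" --restart
    ufw_allow_cmds "$@" | sh
    ufw status
}

# Usage: sh nx-lockdown.sh apply 192.168.57.33 [more-ips...]
if [ "${1:-}" = "apply" ]; then
    shift
    apply "$@"
fi
```

The config rewrite is kept as a pure filter so it can be reviewed with a dry run (`disable_nx_firewall_cfg < /usr/NX/etc/server.cfg | diff - /usr/NX/etc/server.cfg`) before anything is changed, and the ufw rules are printed rather than hard-coded so the same script serves any set of trusted IPs.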