[FreeNX-kNX] Re: Problem with Nx, Fluxbox and suspended sessions
chris at ccburton.com
Wed May 18 14:15:00 UTC 2011
Marco Passerini <marco.passerini at csc.fi> wrote on 18/05/2011 14:55:20:
> Ah in addition to this, I remembered the reason why I chose to use SU
> authentication (I have short memory and I was setting up the box a while
> ago ;D ):
>
> I wanted to restrict the users which are able to login with SSH, and I
> did it by adding the following line to /etc/ssh/sshd_config :
> AllowGroups sshadm
>
> And the following user group:
> sshadm:x:901:myusername,nx
Hmmm, see below . . .
>
> This setup breaks in case of SSH authentication within NX, it only works
> with SU.
>
> On 05/18/2011 03:58 PM, Marco Passerini wrote:
> > The idea of a second sshd on the internal network sounds good!
I didn't explain very well . . . . .
I have an sshd listening on external interface(s) on port (say) 100 with
authentication only
PubkeyAuthentication yes
and two users,
AllowUsers me-myself-I nx
and
another sshd listening on port 22 on 127.0.0.1 only with
PasswordAuthentication yes
and
AllowGroups nxuserbase
> >
> > I configured Fail2ban to block the brute forces on SSH but also those
> > users who know the shared key and try to brute force NX with that.
> >
> > /etc/fail2ban/jail.conf contains the following entry:
> >
> > [freenx-tcpwrapper]
> > enabled = true
> > filter = freenx
> > action = hostsdeny
> >          sendmail-whois[name=FreeNX, sender=hostemail at email.com, dest=myemail at email.com]
> > logpath = /var/log/messages
> >
> >
> > Then I created a file /etc/fail2ban/filter.d/freenx.conf
> > [INCLUDES]
> > before = common.conf
> > [Definition]
> > _daemon = nxserver
> > failregex = ^.*\(nx\) Failed login for user=(.*) from IP=<HOST>\s*
> > ignoreregex =
I see how you can block an IP address if there are a number of
password attempts . . .
I also see how this can lock out the NAT Router external IP
from your remote site(s).
I'm not sure how fail2ban stops a user, but surely they are locked
out by password policy anyway ??
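
Added example, not part of the original thread and not fail2ban's own code: the quoted failregex run over constructed log lines, showing that bans are keyed on source IP only, so three different users behind one NAT address are banned exactly like a single brute-forcing host. The `<HOST>` expansion is a simplified IPv4-only stand-in, and the `MAXRETRY` value and all log lines are assumptions made for the illustration.

```python
import re
from collections import Counter

# Simplified stand-in for fail2ban's <HOST> tag (assumption: IPv4 only).
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"

# failregex from the quoted freenx.conf, with <HOST> expanded.
FAILREGEX = re.compile(
    r"^.*\(nx\) Failed login for user=(.*) from IP=<HOST>\s*".replace("<HOST>", HOST)
)

MAXRETRY = 3  # assumed jail threshold; the thread does not state one

# Constructed sample lines (documentation address ranges, invented users).
SAMPLE_LOG = """\
May 18 14:01:02 gw nxserver[2101]: (nx) Failed login for user=root from IP=198.51.100.23
May 18 14:01:05 gw nxserver[2102]: (nx) Failed login for user=admin from IP=198.51.100.23
May 18 14:01:09 gw nxserver[2103]: (nx) Failed login for user=test from IP=198.51.100.23
May 18 14:02:11 gw nxserver[2110]: (nx) Failed login for user=alice from IP=203.0.113.7
May 18 14:02:40 gw nxserver[2114]: (nx) Failed login for user=bob from IP=203.0.113.7
May 18 14:03:02 gw sshd[2120]: Accepted publickey for nx from 203.0.113.7 port 51000 ssh2
May 18 14:03:30 gw nxserver[2125]: (nx) Failed login for user=carol from IP=203.0.113.7
May 18 14:04:00 gw nxserver[2130]: (nx) Failed login for user=dave from IP=192.0.2.50
"""


def failures(log_text):
    """Return (ip, user) for every line the failregex matches."""
    hits = []
    for line in log_text.splitlines():
        m = FAILREGEX.match(line)
        if m:
            hits.append((m.group("host"), m.group(1)))
    return hits


def banned_hosts(log_text, maxretry=MAXRETRY):
    """Map each IP that reached maxretry failures to the users seen from it.

    The user name is captured but plays no part in the decision: only the
    per-IP count matters, which is why a shared NAT address gets banned.
    """
    hits = failures(log_text)
    counts = Counter(ip for ip, _ in hits)
    return {
        ip: sorted({user for host, user in hits if host == ip})
        for ip, n in counts.items()
        if n >= maxretry
    }


if __name__ == "__main__":
    for ip, users in banned_hosts(SAMPLE_LOG).items():
        print(f"would ban {ip}: failures for users {users}")
```

For a site that sits behind one NAT address, listing that address in the jail's `ignoreip` setting keeps it out of `/etc/hosts.deny`, at the cost of not rate-limiting it.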