How to secure VNC and port 5900

jaynick (lit up; Premium; joined 2001-02-06; Sterling Heights, MI; kudos 2; Comcast):
I installed a VNC server on my LAN machines so I can control them from one computer, as 3 are dedicated crunchers without any peripherals. Works well on the LAN, but to use it away from home I need to forward port 5900 to a machine in the router. That is a security hole. How can that be made secure, or can it be? Hope this makes sense.
Brano (I hate Vogons; Premium, MVM; joined 2002-06-25; Burlington, ON; kudos 6):
Ultra VNC supports encryption (and authentication).
jaynick:
said by Brano: "Ultra VNC supports encryption (and authentication)."
Real VNC is supposed to also, but got this in the router's log:
[LAN access from remote] from 211.43.213.64:37106 to 192.168.1.x:5900, Monday, Dec 03,2012 08:39:39
Snowy (mIRC unix.ro UnderNet; Premium; joined 2003-04-05; Kailua, HI; kudos 6), reply to jaynick:
A strong password generated from something such as www.grc.com/passwords.htm would go a long way.
SoonerAl (Premium, MVM; joined 2002-07-23; Norman, OK; kudos 5), reply to jaynick:
I would recommend running VNC through a Secure Shell [SSH] tunnel. Set up an SSH server on one of your servers and use SSH port forwarding to control all three of the machines. In the past I used the free CopSSH server package and Tunnelier as the client. Both are free for personal use.
www.itefix.no/i2/copssh
www.bitvise.com/tunnelier
Others may recommend PuTTY as the client...
www.chiark.greenend.org.uk/~sgtatham/putty/
The advantage of SSH is you open one hole in your firewall and can access all three machines. With the use of a public/private key pair protected by a strong password you're very safe.
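The tunnel SoonerAl describes, written out as an added example (it is not SoonerAl's own setup and not code from CopSSH, Tunnelier or PuTTY) for an OpenSSH client and server. The host name home.example.net, the login name vnc and the LAN addresses 192.168.1.10 through 192.168.1.12 are constructed placeholders. Only port 22 is forwarded at the router; each cruncher's port 5900 is reached through a local port on the remote laptop, and the server-side Match block limits the tunnel account to exactly those three destinations and to key-based login.

```shell
#!/bin/sh
# Added example: VNC over an SSH tunnel. Assumed (not from the thread): an
# OpenSSH server reachable as home.example.net on port 22, a login named
# "vnc", and three LAN hosts 192.168.1.10-12 each running VNC on port 5900.
# All of these values are constructed placeholders.

SSH_HOST="home.example.net"
SSH_USER="vnc"
VNC_TARGETS="192.168.1.10 192.168.1.11 192.168.1.12"

# Build the ssh command that forwards local ports 5901, 5902, 5903 to port
# 5900 on each LAN host. -N: no remote shell, tunnel only.
# -o ExitOnForwardFailure=yes: abort if any forward cannot be set up rather
# than leaving a half-working tunnel. Forwards bind to 127.0.0.1 so other
# machines on the remote network cannot ride the tunnel.
tunnel_cmd() {
  port=5901
  cmd="ssh -N -o ExitOnForwardFailure=yes"
  for host in $VNC_TARGETS; do
    cmd="$cmd -L 127.0.0.1:$port:$host:5900"
    port=$((port + 1))
  done
  printf '%s\n' "$cmd $SSH_USER@$SSH_HOST"
}

# Server-side counterpart for sshd_config: the tunnel account may only
# forward to the three VNC ports (PermitOpen), cannot log in with a
# password, and gets no usable shell (ForceCommand), so a leaked key
# still yields nothing but the three VNC endpoints.
sshd_match_block() {
  permit=""
  for host in $VNC_TARGETS; do
    permit="$permit $host:5900"
  done
  printf 'Match User %s\n' "$SSH_USER"
  printf '    PasswordAuthentication no\n'
  printf '    AllowTcpForwarding yes\n'
  printf 'PermitOpen%s\n' "$permit" | sed 's/^/    /'
  printf '    ForceCommand /bin/false\n'
}

# Usage: "sh tunnel.sh tunnel" prints the ssh command to run from the
# laptop; "sh tunnel.sh sshd" prints the block to append to sshd_config.
# With the tunnel up, point the VNC viewer at 127.0.0.1:5901, :5902, :5903.
case "${1:-}" in
  tunnel) tunnel_cmd ;;
  sshd)   sshd_match_block ;;
esac
```

The router only needs a forward for TCP 22, and every cruncher's VNC listener can stay bound to the LAN. If a fourth machine is added later, it goes into VNC_TARGETS and gets another local port and another PermitOpen entry; nothing else changes.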
jaynick:
Thanks folks, I will check out the tips. I am using PuTTY for access to the Linux machine. I'll look into the SSH server. I was using a random 12-character password that I made up, but it didn't help.
StuartMW (Who Is John Galt?; Premium; joined 2000-08-06; Galt's Gulch; kudos 2; CenturyLink):
said by jaynick: "I was using a random 12-character password that I made up, but it didn't help."
Didn't help what???
-- Don't feed trolls--it only makes them grow!
jaynick:
said by StuartMW (quoting jaynick, "I was using a random 12-character password that I made up, but it didn't help."): "Didn't help what???"
Didn't stop the above-mentioned log entry.
dave (Premium, MVM; joined 2000-05-04; not in ohio; kudos 8), reply to jaynick:
What's your security concern, specifically?
No doubt about it: making it possible to log in to a machine from the internet, where it was previously possible to do so, is a lessening of security. Unavoidably so.
So, the concern must be to reduce the risk. Strong passwords will help prevent anyone else from logging in. Encryption will help prevent anyone else from sniffing traffic.
I'm not sure what you meant by posting the log extract. The log tells you that some remote station tried to access your PC. That shouldn't surprise you: it's what you wanted to allow. Is 211.43.213.64 you, or is it someone else probing your router?
StuartMW, reply to jaynick:
said by jaynick: "Didn't stop the above-mentioned log entry."
That log entry is just telling you that a remote host (on the internet) is accessing a machine on your LAN using port 5900. That is exactly what you're trying to do. What is the problem?
-- Don't feed trolls--it only makes them grow!
jaynick, reply to dave:
The concern was that IP is not me, it's from Asia. I was hoping it was just a probe, but the log said LAN access.
StuartMW:
Yes, a machine on the internet is trying to access a machine on your LAN. That's what the router log means.
By port forwarding port 5900 to a machine on your LAN you're opening it up to everyone. You implied you understood that with your initial post.
What others have been trying to point out is that your solution is to use secure VNC connections to that LAN machine.
Your choice is to do that (and have people try and hack it) or disallow all access from the internet. Your choice.
-- Don't feed trolls--it only makes them grow!
jaynick:
That's what I am trying to find out (a better alternative). I took the log entry to mean a successful access attempt.
Kearnstd (Elf Wizard; Premium; joined 2002-01-22; Mullica Hill, NJ), reply to jaynick:
The router log, however, does not indicate if they gained successful access to the machines, only that the connection was attempted.
That said, you could cycle the port forwarding. Unless you always need them any time you are out, no matter what, I would shut the forwarding off unless you are sure you will need to remote into home.
-- [65 Arcanist]Filan(High Elf) Zone: Broadband Reports
StuartMW, reply to jaynick:
said by jaynick: "I took the log entry to mean a successful access attempt."
No. Your router is just telling you that the IP (on the internet) is trying to access this IP on your LAN. That doesn't mean success or failure. VNC should be able to log access attempts.
-- Don't feed trolls--it only makes them grow!
jaynick, reply to Kearnstd:
Yes, I turned off forwarding as soon as I saw the log.
jaynick, reply to StuartMW:
I just thought I'd see the word "attempt" or "blocked" or something like that instead of just "LAN access". Wasn't sure what to make of it. Anyway, I'll use one of the other suggested approaches.
StuartMW:
The only thing I can think of, offhand, is to
• Enable port forwarding for 5900.
• Create a firewall rule to block (or only allow) port 5900 accesses from the internet for a single or small range of IPs.
Of course you'd have to know what internet IP(s) you may have (i.e. what are you). The firewall will prevent any port scanners from even reaching your LAN while you'll get through.
-- Don't feed trolls--it only makes them grow!
David (Now accepting new patients; Premium, VIP; joined 2002-05-30; Granite City, IL; kudos 78), reply to jaynick:
Why not install LogMeIn Hamachi on the machine... It's free and secured.
jaynick, reply to StuartMW:
said by StuartMW: "Of course you'd have to know what internet IP(s) you may have (i.e. what are you). The firewall will prevent any port scanners from even reaching your LAN while you'll get through."
Yes, that's the problem with that.