
jaynick
lit up
Premium
join:2001-02-06
Sterling Heights, MI
kudos:2
Reviews:
·Comcast

How to secure VNC and port 5900

I installed a VNC server on my LAN machines so I can control them from one computer as 3 are dedicated crunchers without any peripherals. Works well on the LAN but to use it away from home I need to forward port 5900 to a machine in the router. That is a security hole. How can that be made secure or can it be? Hope this makes sense.



Brano
I hate Vogons
Premium,MVM
join:2002-06-25
Burlington, ON
kudos:8

Ultra VNC supports encryption (and authentication).



jaynick
lit up
Premium
join:2001-02-06
Sterling Heights, MI
kudos:2
Reviews:
·Comcast

said by Brano:

Ultra VNC supports encryption (and authentication).

RealVNC is supposed to as well, but I got this in the router's log:
[LAN access from remote] from 211.43.213.64:37106 to 192.168.1.x:5900, Monday, Dec 03,2012 08:39:39


Snowy
Premium
join:2003-04-05
Kailua, HI
kudos:6
reply to jaynick

A strong password generated from something such as
»www.grc.com/passwords.htm
would go a long way.



SoonerAl
Premium,MVM
join:2002-07-23
Norman, OK
kudos:5

1 recommendation

reply to jaynick

I would recommend running VNC through a Secure Shell [SSH] tunnel. Set up an SSH server on one of your servers and use SSH port forwarding to control all three of the machines. In the past I used the free CopSSH server package and Tunnelier as the client. Both are free for personal use.

»www.itefix.no/i2/copssh
»www.bitvise.com/tunnelier

Others may recommend PuTTY as the client...

»www.chiark.greenend.org.uk/~sgtatham/putty/

The advantage of SSH is that you open one hole in your firewall and can access all three machines. With the use of a public/private key pair protected by a strong password, you're very safe.



jaynick
lit up
Premium
join:2001-02-06
Sterling Heights, MI
kudos:2
Reviews:
·Comcast
reply to jaynick

Thanks folks, I will check out the tips. I am using PuTTY for access to the Linux machine. I'll look into the SSH server. I was using a random 12 character password that I made up, but it didn't help.



StuartMW
Who Is John Galt?
Premium
join:2000-08-06
Galt's Gulch
kudos:2

said by jaynick:

I was using a random 12 character password that I made up but it didn't help.

Didn't help what???
--
Don't feed trolls--it only makes them grow!


jaynick
lit up
Premium
join:2001-02-06
Sterling Heights, MI
kudos:2
Reviews:
·Comcast

said by StuartMW:

said by jaynick:

I was using a random 12 character password that I made up but it didn't help.

Didn't help what???

Didn't stop the above mentioned log entry.

dave
Premium,MVM
join:2000-05-04
not in ohio
kudos:8
Reviews:
·Verizon FiOS
reply to jaynick

What's your security concern, specifically?

No doubt about it: making it possible to log in to a machine from the internet, where it was previously possible to do so, is a lessening of security. Unavoidably so.

So, the concern must be to reduce the risk. Strong passwords will help prevent anyone else from logging in. Encryption will help prevent anyone else from sniffing traffic.

I'm not sure what you meant by posting the log extract. The log tells you that some remote station tried to access your PC. That shouldn't surprise you: it's what you wanted to allow. Is 211.43.213.64 you or is it someone else probing your router?



StuartMW
Who Is John Galt?
Premium
join:2000-08-06
Galt's Gulch
kudos:2
reply to jaynick

said by jaynick:

Didn't stop the above mentioned log entry.

That log entry is just telling you that a remote host (on the internet) is accessing a machine on your LAN using port 5900. That is exactly what you're trying to do. What is the problem?
--
Don't feed trolls--it only makes them grow!


jaynick
lit up
Premium
join:2001-02-06
Sterling Heights, MI
kudos:2
reply to dave

The concern was that IP is not me; it's from Asia. I was hoping it was just a probe, but the log said LAN access.



StuartMW
Who Is John Galt?
Premium
join:2000-08-06
Galt's Gulch
kudos:2

Yes, a machine on the internet is trying to access a machine on your LAN. That's what the router log means.

By port forwarding port 5900 to a machine on your LAN you're opening it up to everyone. You implied you understood that with your initial post.

What others have been trying to point out is that your solution is to use secure VNC connections to that LAN machine.

Your choice is to do that (and have people try and hack it) or disallow all access from the internet. Your choice.
--
Don't feed trolls--it only makes them grow!



jaynick
lit up
Premium
join:2001-02-06
Sterling Heights, MI
kudos:2

That's what I am trying to find out (a better alternative). I took the log entry to mean a successful access attempt.


Kearnstd
Elf Wizard
Premium
join:2002-01-22
Mullica Hill, NJ
kudos:1
reply to jaynick

The router log, however, does not indicate whether they gained access to the machines, only that the connection was attempted.

That said, you could cycle the port forwarding. Unless you always need them any time you are out, no matter what, I would shut the forwarding off unless you are sure you will need to remote into home.
--
[65 Arcanist]Filan(High Elf) Zone: Broadband Reports



StuartMW
Who Is John Galt?
Premium
join:2000-08-06
Galt's Gulch
kudos:2
reply to jaynick

said by jaynick:

I took the log entry to mean a successful access attempt.

No. Your router is just telling you that the IP (on the internet) is trying to access this IP on your LAN. That doesn't mean success or failure. VNC should be able to log access attempts.
--
Don't feed trolls--it only makes them grow!


jaynick
lit up
Premium
join:2001-02-06
Sterling Heights, MI
kudos:2
reply to Kearnstd

Yes, I turned off forwarding as soon as I saw the log.



jaynick
lit up
Premium
join:2001-02-06
Sterling Heights, MI
kudos:2
reply to StuartMW

I just thought I'd see the word attempt or blocked or something like that instead of just LAN access. Wasn't sure what to make of it. Anyway, I'll use one of the other suggested approaches.



StuartMW
Who Is John Galt?
Premium
join:2000-08-06
Galt's Gulch
kudos:2

The only thing I can think of, offhand, is to

• Enable port forwarding for 5900.

• Create a firewall rule to block (or only allow) port 5900 accesses from the internet for a single or small range of IPs.

Of course you'd have to know what internet IP(s) you may have (i.e. what you are). The firewall will prevent any port scanners from even reaching your LAN while you'll get through.
--
Don't feed trolls--it only makes them grow!
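Two points in the thread are worth seeing in code: a "[LAN access from remote]" entry in the router log records only that a connection reached the forwarded port, not whether the VNC password was ever accepted, and a source-IP allowlist on that port, as suggested just above, would have kept a stray Asian address from reaching the LAN at all. The following is an added example, not code from anyone in the thread. It parses log lines in the format quoted earlier (the LAN host's last octet is filled in as .20 for the sample and the second log line is constructed), and the allowlist range is an assumption standing in for whatever address the owner actually connects from:

```python
"""Added example: classify router "[LAN access from remote]" entries against a
source-IP allowlist for the forwarded VNC port.

The log line format is the one quoted in the thread. The second sample line and
the allowlist range are constructed for this example.
"""
import ipaddress
import re

# Pattern for the "[LAN access from remote]" line quoted in the thread.
LOG_RE = re.compile(
    r"\[LAN access from remote\] from (?P<src>[\d.]+):(?P<sport>\d+) "
    r"to (?P<dst>[\d.]+):(?P<dport>\d+), (?P<when>.+)$"
)

# Constructed sample log: the thread's line (LAN host written as .20 here)
# plus one hit from an imaginary office address.
SAMPLE_LOG = """\
[LAN access from remote] from 211.43.213.64:37106 to 192.168.1.20:5900, Monday, Dec 03,2012 08:39:39
[LAN access from remote] from 198.51.100.17:50110 to 192.168.1.20:5900, Monday, Dec 03,2012 12:15:02
"""

# Assumption: the only network the owner connects from (RFC 5737 documentation range).
ALLOWED_SOURCES = [ipaddress.ip_network("198.51.100.0/24")]


def parse_router_log(text):
    """Return one dict per matching line; lines in any other format are ignored."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        events.append({
            "src": ipaddress.ip_address(m["src"]),
            "sport": int(m["sport"]),
            "dst": ipaddress.ip_address(m["dst"]),
            "dport": int(m["dport"]),
            "when": m["when"],
        })
    return events


def allowlist_verdict(src, allowed=ALLOWED_SOURCES):
    """'allowed' if src lies inside any allowed network, else 'blocked'.

    This models the router's allow-only rule; it does not configure anything."""
    return "allowed" if any(src in net for net in allowed) else "blocked"


def review(text, forwarded_port=5900):
    """Classify every logged remote hit on the forwarded port.

    A router entry proves only that a connection arrived. Whether the VNC
    password was accepted is something only the VNC server's own log can say."""
    results = []
    for ev in parse_router_log(text):
        if ev["dport"] != forwarded_port:
            continue
        results.append((str(ev["src"]), ev["when"], allowlist_verdict(ev["src"])))
    return results


def unexpected_sources(text, forwarded_port=5900):
    """Distinct remote addresses that reached the port but are not on the allowlist."""
    return sorted({src for src, _, verdict in review(text, forwarded_port)
                   if verdict == "blocked"})


if __name__ == "__main__":
    for src, when, verdict in review(SAMPLE_LOG):
        print(f"{when}: {src} -> port 5900: {verdict}")
    print("not on allowlist:", unexpected_sources(SAMPLE_LOG))
```

Run it against a real log export and the "blocked" list is the set of scanners that would never have reached port 5900 under an allow-only rule; the catch, as the thread notes, is that the rule only works when the address you travel from is predictable.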



David
hours are m-th 1130-10p central
Premium,VIP
join:2002-05-30
Granite City, IL
kudos:96

1 recommendation

reply to jaynick

Why not install LogMeIn Hamachi on the machine? It's free and secure.



jaynick
lit up
Premium
join:2001-02-06
Sterling Heights, MI
kudos:2
Reviews:
·Comcast
reply to StuartMW

said by StuartMW:

Of course you'd have to know what internet IP(s) you may have (i.e. what are you). The firewall will prevent any port scanners from even reaching your LAN while you'll get through.

Yes, that's the problem with that.


angussf
Premium
join:2002-01-11
Tucson, AZ
kudos:4

2 recommendations

reply to Snowy

said by Snowy:

A strong password generated from something such as
»www.grc.com/passwords.htm
would go a long way.

Unfortunately VNC only supports 8-character passwords.


angussf
Premium
join:2002-01-11
Tucson, AZ
kudos:4
reply to SoonerAl

said by SoonerAl:

I would recommend running VNC through a Secure Shell [SSH] tunnel. ....

Absolutely!

Setup instructions here, including for Windows:
VNC tunneled thru SSH
»www.science.smith.edu/~ejensen/vncssh.html
--
Angus S-F
GeoApps, Tucson, Arizona, USA
»geoapps.com/
»www.linkedin.com/in/angussf
»geoapps.blogspot.com/


jaynick
lit up
Premium
join:2001-02-06
Sterling Heights, MI
kudos:2
Reviews:
·Comcast
reply to angussf

said by angussf:

said by Snowy:

A strong password generated from something such as
»www.grc.com/passwords.htm
would go a long way.

Unfortunately VNC only supports 8-character passwords.

Not true; I am using a 63-character random password generated at grc.com. It works without fail.


StuartMW
Who Is John Galt?
Premium
join:2000-08-06
Galt's Gulch
kudos:2
reply to jaynick

said by jaynick:

Yes, that's the problem with that.

Yup. Well, port forwarding is just a limited workaround to NAT. The intended purpose is to allow servers to appear as though they're directly on the internet (i.e. open to all comers).

Again, if you secure VNC (or whatever) then any bad guys won't be able to get into your LAN box, although any and all requests will get to that box (and be rejected if you have good authentication).

The choice is up to you.
--
Don't feed trolls--it only makes them grow!


Snowy
Premium
join:2003-04-05
Kailua, HI
kudos:6
Reviews:
·Clearwire Wireless
·Time Warner Cable

1 recommendation

reply to jaynick

said by jaynick:

said by angussf:

said by Snowy:

A strong password generated from something such as
»www.grc.com/passwords.htm
would go a long way.

Unfortunately VNC only supports 8-character passwords.

Not true; I am using a 63-character random password generated at grc.com. It works without fail.

Yikes, an 8-character limit. angussf may be correct about that.
What you might be seeing is VNC recognizing the first 8 characters and abandoning the balance of the string.
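The truncation comes from the protocol, not from any one product: in classic RFB "VNC Authentication" the server sends a 16-byte random challenge and the client encrypts it with DES, and the RFB specification says the DES key is the password cut to eight bytes (or NUL-padded up to eight). The following is an added example, not code from the thread or from any VNC project; it derives the key the way interoperable implementations do (including the bit-reversed key bytes inherited from the original VNC code) so you can see that a 63-character password and its first eight characters yield the same key. The sample passwords are constructed, and ASCII passwords are assumed. The DES step itself is left out because the truncation is visible without it:

```python
"""Added example: why only the first eight characters of a VNC password matter.

Models the key derivation of RFB "VNC Authentication" (challenge/response with
DES). Sample passwords are constructed; ASCII passwords are assumed.
"""
import math


def vnc_des_key(password: str) -> bytes:
    """Derive the 8-byte DES key used for the RFB challenge/response.

    The RFB spec truncates the password to eight bytes or pads it on the right
    with NUL bytes. The original VNC code also handed DES each key byte with
    its bits reversed, and implementations copy that quirk for interoperability,
    so it is reproduced here.
    """
    raw = password.encode("latin-1", errors="replace")[:8].ljust(8, b"\x00")
    return bytes(int(f"{b:08b}"[::-1], 2) for b in raw)


def same_effective_password(a: str, b: str) -> bool:
    """True when two passwords would produce identical challenge responses."""
    return vnc_des_key(a) == vnc_des_key(b)


def effective_key_bits(alphabet_size: int) -> float:
    """Upper bound on the key space a random password over an alphabet of the
    given size can reach: eight characters at most, and DES ignores one bit of
    every key byte in any case, so never more than 56 bits."""
    return min(56.0, 8 * math.log2(alphabet_size))


# Constructed example passwords.
LONG_PASSWORD = "Tr0ub4dor&3xtraCharactersThatVncNeverLooksAt!"
SHORT_PASSWORD = LONG_PASSWORD[:8]   # "Tr0ub4do"
DIFFERENT = "Tr0ub4dX"               # differs inside the first eight characters

if __name__ == "__main__":
    print("key from long password :", vnc_des_key(LONG_PASSWORD).hex())
    print("key from first 8 chars :", vnc_des_key(SHORT_PASSWORD).hex())
    print("same key:", same_effective_password(LONG_PASSWORD, SHORT_PASSWORD))
    print("different key:", not same_effective_password(LONG_PASSWORD, DIFFERENT))
    print("bits from 94 printable ASCII chars:", round(effective_key_bits(94), 1))
```

The practical consequence is the one the thread arrives at: a long random VNC password adds nothing beyond its first eight characters, and even those give at most 56 bits of DES key on a port exposed to every scanner on the internet, which is why the SSH-tunnel answer is the better one.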


jaynick
lit up
Premium
join:2001-02-06
Sterling Heights, MI
kudos:2
reply to StuartMW

Bottom line is that all those entries were probes and attempts but not actual access. Correct? And a 63-char random password like I use for my wireless key would be as secure as it could get, other than using other ways like those mentioned above?



jaynick
lit up
Premium
join:2001-02-06
Sterling Heights, MI
kudos:2
Reviews:
·Comcast
reply to Snowy

OMG! is that what it's doing? so much for that idea. Let me look into ssh tunnel...Thanks much folks for all the kind help.



StuartMW
Who Is John Galt?
Premium
join:2000-08-06
Galt's Gulch
kudos:2
reply to jaynick

said by jaynick:

Bottom line is that all those entries were probes and attempts but not actual access. Correct?

Correct.

As for passwords, it really depends on whether all 63 chars are being used, as angussf pointed out.
--
Don't feed trolls--it only makes them grow!


RickNY
Premium
join:2000-11-02
Farmingville, NY
Reviews:
·Optimum Online
reply to jaynick

Best practice for securing VNC is to tunnel it through SSH, as others have already mentioned here. If your VNC server supports it, allow it to only listen on the localhost interface (127.0.0.1) to further protect it from internal LAN attacks. When set up that way, it will only accept connections over an SSH tunnel. In case it was not obvious, the only port that should be forwarded would be the port you are using for SSHD.
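Putting SoonerAl's and RickNY's advice together: one SSH port forwarded on the router, key-pair authentication, the VNC server on the SSH box bound to 127.0.0.1, and one local forward per cruncher so all three are reachable through the single session. The launcher below is an added example, not code from the thread or from any SSH or VNC project. The router's DNS name, the SSH port, the user name, the key path and the two LAN addresses are assumptions; the ssh options used (-N, -L with the `[bind_address:]port:host:hostport` form, ExitOnForwardFailure, ServerAliveInterval, IdentitiesOnly) are standard OpenSSH client options:

```python
"""Added example: VNC over one SSH session, one local port per LAN machine.

Hostnames, addresses, user name and key path are assumptions for the example.

Server side (sshd_config on the LAN box running the SSH server), matching the
key-pair advice in the thread:
    PasswordAuthentication no
    PubkeyAuthentication yes
    AllowTcpForwarding yes
"""
import os
import shlex
import subprocess

SSH_HOST = "home.example.net"   # assumption: dynamic-DNS name of the home router
SSH_PORT = 2222                 # assumption: the only port forwarded on the router
SSH_USER = "jay"                # assumption
IDENTITY = "~/.ssh/id_ed25519"  # assumption: key pair, passphrase-protected

# Where each VNC server is reached from the SSH server's point of view.
# cruncher1 runs sshd and has VNC bound to 127.0.0.1 only; the other two are
# LAN-only hosts (constructed addresses).
VNC_PORT = 5900
CRUNCHERS = {
    "cruncher1": "127.0.0.1",
    "cruncher2": "192.168.1.12",
    "cruncher3": "192.168.1.13",
}


def forward_specs(targets=CRUNCHERS, vnc_port=VNC_PORT, first_local=5901):
    """One -L spec per machine: local 5901 -> cruncher1:5900, 5902 -> cruncher2:5900, ...

    Returns name -> (local_port, spec). The local end is bound to 127.0.0.1 so
    nothing else on the client's network can ride the tunnel."""
    specs = {}
    for i, (name, addr) in enumerate(targets.items()):
        local = first_local + i
        specs[name] = (local, f"127.0.0.1:{local}:{addr}:{vnc_port}")
    return specs


def ssh_tunnel_argv(host=SSH_HOST, port=SSH_PORT, user=SSH_USER,
                    identity=IDENTITY, targets=CRUNCHERS):
    """Build the ssh command line.

    -N: no remote shell, forwarding only. ExitOnForwardFailure makes a local
    port clash fail loudly instead of silently leaving a cruncher unreachable;
    IdentitiesOnly stops ssh from offering every key in the agent."""
    argv = [
        "ssh", "-N",
        "-i", os.path.expanduser(identity),
        "-p", str(port),
        "-o", "ExitOnForwardFailure=yes",
        "-o", "ServerAliveInterval=30",
        "-o", "IdentitiesOnly=yes",
    ]
    for _name, (_local, spec) in forward_specs(targets).items():
        argv += ["-L", spec]
    argv.append(f"{user}@{host}")
    return argv


def viewer_targets(targets=CRUNCHERS):
    """What to point the VNC viewer at once the tunnel is up."""
    return {name: f"127.0.0.1:{local}"
            for name, (local, _spec) in forward_specs(targets).items()}


if __name__ == "__main__":
    argv = ssh_tunnel_argv()
    print("running:", shlex.join(argv))
    for name, target in viewer_targets().items():
        print(f"  {name}: vncviewer {target}")
    # Blocks until the session ends; Ctrl-C tears the tunnel down.
    subprocess.run(argv, check=False)
```

With the tunnel up, the viewer connects to 127.0.0.1:5901, 5902 or 5903 and the VNC traffic crosses the internet only inside the SSH session; the router never forwards 5900, so the scanner in the log above would see only a closed port.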



StuartMW
Who Is John Galt?
Premium
join:2000-08-06
Galt's Gulch
kudos:2

1 recommendation

Howto use SSH local and remote port forwarding
--
Don't feed trolls--it only makes them grow!