
angussf
Premium
join:2002-01-11
Tucson, AZ
kudos:4

2 recommendations

reply to Snowy

Re: How to secure VNC and port 5900

said by Snowy:

A strong password generated from something such as
»www.grc.com/passwords.htm
would go a long way.

Unfortunately VNC only supports 8-character passwords.


angussf
Premium
join:2002-01-11
Tucson, AZ
kudos:4
reply to SoonerAl

said by SoonerAl:

I would recommend running VNC through a Secure Shell [SSH] tunnel. ....

Absolutely!

Setup instructions here, including for Windows:
VNC tunneled thru SSH
»www.science.smith.edu/~ejensen/vncssh.html
--
Angus S-F
GeoApps, Tucson, Arizona, USA
»geoapps.com/
»www.linkedin.com/in/angussf
»geoapps.blogspot.com/


jaynick
lit up
Premium
join:2001-02-06
Sterling Heights, MI
kudos:2
Reviews:
·Comcast
reply to angussf

said by angussf:

said by Snowy:

A strong password generated from something such as
»www.grc.com/passwords.htm
would go a long way.

Unfortunately VNC only supports 8-character passwords.

Not true, I am using a 63-character random password generated at grc.com. Works without fail.


StuartMW
Who Is John Galt?
Premium
join:2000-08-06
Galt's Gulch
kudos:2
reply to jaynick

said by jaynick:

Yes, that's the problem with that.

Yup. Well, port forwarding is just a limited workaround to NAT. The intended purpose is to allow servers to appear as though they're directly on the internet (i.e. open to all comers).

Again if you secure VNC (or whatever) then any bad guys won't be able to get into your LAN box although any and all requests will get to that box (and rejected if you have good authentication).

The choice is up to you.
--
Don't feed trolls--it only makes them grow!


Snowy
Premium
join:2003-04-05
Kailua, HI
kudos:6
Reviews:
·Clearwire Wireless
·Time Warner Cable

1 recommendation

reply to jaynick

said by jaynick:

said by angussf:

said by Snowy:

A strong password generated from something such as
»www.grc.com/passwords.htm
would go a long way.

Unfortunately VNC only supports 8-character passwords.

Not true, I am using a 63-character random password generated at grc.com. Works without fail.

Yikes, an 8-character limit; angussf may be correct about that.
What you might be seeing is VNC recognizing the first 8 characters and abandoning the balance of the string.


jaynick
lit up
Premium
join:2001-02-06
Sterling Heights, MI
kudos:2
reply to StuartMW

Bottom line is that all those entries were probes and attempts but not actual access. Correct? And a 63-char random password like I use for my wireless key would be as secure as it could get, other than using other ways like those mentioned above?



jaynick
lit up
Premium
join:2001-02-06
Sterling Heights, MI
kudos:2
Reviews:
·Comcast
reply to Snowy

OMG! Is that what it's doing? So much for that idea. Let me look into an SSH tunnel... Thanks much, folks, for all the kind help.



StuartMW
Who Is John Galt?
Premium
join:2000-08-06
Galt's Gulch
kudos:2
reply to jaynick

said by jaynick:

Bottom line is that all those entries were probes and attempts but not actual access. Correct?

Correct.

As for passwords, it really depends if all 63 chars are being used, as angussf pointed out.
--
Don't feed trolls--it only makes them grow!


RickNY
Premium
join:2000-11-02
Farmingville, NY
Reviews:
·Optimum Online
reply to jaynick

Best practice for securing VNC is to tunnel it through SSH, as others have already mentioned here. If your VNC server supports it, allow it to only listen on the localhost interface (127.0.0.1) to further protect it from internal LAN attacks. When set up that way, it will only accept connections over an SSH tunnel. In case it was not obvious, the only port that should be forwarded would be the port you are using for SSHD.



StuartMW
Who Is John Galt?
Premium
join:2000-08-06
Galt's Gulch
kudos:2

1 recommendation

Howto use SSH local and remote port forwarding
--
Don't feed trolls--it only makes them grow!
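The setup RickNY describes and the local-forwarding howto StuartMW links to, worked through as an added example (this code is not from the thread or from any VNC project): build the `ssh -L` command that carries the VNC session, and check a Linux `ss -ltn` listing to confirm that the VNC server is bound to loopback only, so the only port the router needs to forward is SSH. The host name, user name and the two `ss` listings are constructed for the example.

```python
"""Added example: SSH local forwarding for VNC plus a loopback-binding check.
Host, user and the ``ss -ltn`` samples are constructed, not real systems."""
import shlex

VNC_PORT = 5900      # the port the thread is about
LOCAL_PORT = 5901    # arbitrary port on the viewer machine the VNC client connects to
LOOPBACK = {"127.0.0.1", "::1", "[::1]"}


def tunnel_command(ssh_host, ssh_user, ssh_port=22,
                   local_port=LOCAL_PORT, vnc_port=VNC_PORT):
    """Return the ssh(1) command that forwards 127.0.0.1:local_port on the
    viewer machine to 127.0.0.1:vnc_port as seen from the SSH server.
    The VNC viewer then connects to localhost:local_port; port 5900 itself is
    never forwarded at the router."""
    args = [
        "ssh", "-N", "-p", str(ssh_port),
        "-L", f"127.0.0.1:{local_port}:127.0.0.1:{vnc_port}",
        f"{ssh_user}@{ssh_host}",
    ]
    return shlex.join(args)


def parse_ss_listeners(ss_output):
    """Parse ``ss -ltn`` output (header line first) into (address, port) pairs,
    using only the 'Local Address:Port' column."""
    listeners = []
    for line in ss_output.splitlines()[1:]:   # skip the column header
        fields = line.split()
        if len(fields) < 4:
            continue
        addr, _, port = fields[3].rpartition(":")
        listeners.append((addr, int(port)))
    return listeners


def exposed_vnc_binds(ss_output, vnc_port=VNC_PORT):
    """Addresses on which vnc_port is listening that are NOT loopback.
    A wildcard bind (0.0.0.0, [::] or *) means the LAN reaches VNC directly."""
    return [addr for addr, port in parse_ss_listeners(ss_output)
            if port == vnc_port and addr not in LOOPBACK]


def vnc_listens_loopback_only(ss_output, vnc_port=VNC_PORT):
    """True iff VNC is listening and every such socket is bound to loopback."""
    binds = [addr for addr, port in parse_ss_listeners(ss_output) if port == vnc_port]
    return bool(binds) and not exposed_vnc_binds(ss_output, vnc_port)


# Constructed sample: VNC bound to loopback only (the setup RickNY recommends).
SS_LOOPBACK_ONLY = """\
State   Recv-Q  Send-Q  Local Address:Port  Peer Address:Port
LISTEN  0       128     0.0.0.0:22          0.0.0.0:*
LISTEN  0       5       127.0.0.1:5900      0.0.0.0:*
LISTEN  0       5       [::1]:5900          [::]:*
"""

# Constructed sample: VNC bound to all interfaces, reachable from the LAN.
SS_WILDCARD = """\
State   Recv-Q  Send-Q  Local Address:Port  Peer Address:Port
LISTEN  0       128     0.0.0.0:22          0.0.0.0:*
LISTEN  0       5       0.0.0.0:5900        0.0.0.0:*
"""

if __name__ == "__main__":
    print(tunnel_command("home.example", "alice"))
    for name, sample in (("loopback-only", SS_LOOPBACK_ONLY), ("wildcard", SS_WILDCARD)):
        print(name, "ok" if vnc_listens_loopback_only(sample) else
              f"EXPOSED on {exposed_vnc_binds(sample)}")
```

On the server side, TigerVNC's `vncserver` and `x11vnc` both take a `-localhost` option to get the loopback-only binding the check looks for; run `ss -ltn` on the server after starting VNC and feed the output to `vnc_listens_loopback_only` before forwarding anything at the router.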


dave
Premium,MVM
join:2000-05-04
not in ohio
kudos:8
Reviews:
·Verizon FiOS

1 recommendation

reply to jaynick

said by jaynick:

I just thought I'd see the word attempt or blocked or something like that instead of just LAN access. Wasn't sure what to make of it. Anyway, I'll use one of the other suggested approaches.

You are confusing layers. A TCP connection was successfully established. We presume they were not able to log in, but that's not your router's concern.


jaynick
lit up
Premium
join:2001-02-06
Sterling Heights, MI
kudos:2
Reviews:
·Comcast
reply to RickNY

said by RickNY:

Best practice for securing VNC is to tunnel it through SSH, as others have already mentioned here. If your VNC server supports it, allow it to only listen on the localhost interface (127.0.0.1) to further protect it from internal LAN attacks. When set up that way, it will only accept connections over an SSH tunnel. In case it was not obvious, the only port that should be forwarded would be the port you are using for SSHD.

Yes, thanks, that's where I am headed.


jaynick
lit up
Premium
join:2001-02-06
Sterling Heights, MI
kudos:2
Reviews:
·Comcast
reply to dave

said by dave:

said by jaynick:

I just thought I'd see the word attempt or blocked or something like that instead of just LAN access. Wasn't sure what to make of it. Anyway, I'll use one of the other suggested approaches.

You are confusing layers. A TCP connection was successfully established. We presume they were not able to log in, but that's not your router's concern.

Thanks, dave, yes I got it now and am headed to a different solution for remote access (SSH).


jaynick
lit up
Premium
join:2001-02-06
Sterling Heights, MI
kudos:2

1 edit
reply to angussf

You are correct, it was dropping the remaining characters....it fooled me.



StuartMW
Who Is John Galt?
Premium
join:2000-08-06
Galt's Gulch
kudos:2

I believe Microsoft does the same thing with Hotmail passwords.

»Hotmail No Longer Accepts Long Passwords, Shortens Them...
--
Don't feed trolls--it only makes them grow!



alphapointe
Don't Touch Me
Premium,MVM
join:2002-02-10
Columbia, MO
kudos:2
Reviews:
·Socket Internet ..

1 recommendation

reply to jaynick

I use Logmein to the windows boxes, and SSH-tunnelled-VNC to the linux boxes when I'm outside the LAN. I get the occasional idiot that wants to try to brute-force my SSHd server, but I just block his IP (or entire netblock...) in the router.

I also drop traffic from quite a few countries that have no business connecting to me, and it's kept my portscan, bogus SIP attempts, and spam (I run my own SMTP server) levels very low...
--
"When the hammer drops, the bullshit stops"



jaynick
lit up
Premium
join:2001-02-06
Sterling Heights, MI
kudos:2
reply to StuartMW

I saw that, that's a shame.



jaynick
lit up
Premium
join:2001-02-06
Sterling Heights, MI
kudos:2
Reviews:
·Comcast

1 recommendation

reply to alphapointe

F1B3 is set up for that (SSH tunnel). No worries on that machine. Thanks to parkut.


HELLFIRE
Premium
join:2009-11-25
kudos:18

1 recommendation

reply to jaynick

As others have said, the router log entry was a successful connection on port 5900, but it does NOT mean someone was able to log in via VNC. I don't know if it supports it, but if VNC or the machine itself permits a log of successful logins, set it up so you can keep track of VNC attempts.

I also like StuartMW's suggestion of limiting the source IP addresses able to access VNC to a specific subset.

You've done all you can at the network layer to secure stuff; you also have to keep application-layer security in mind as well.

Regards
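The layering point dave made (the router only knows a TCP connection was established) and HELLFIRE's suggestion to log VNC logins separately, as an added example that is not part of the thread: it joins a router's connection log with a VNC server's authentication log so that each remote address gets a verdict of "connected only", "auth failed" or "logged in". Both log formats and all addresses are constructed for the example; a real router and a real VNC server word their entries differently, so the two regular expressions are the part to adapt.

```python
"""Added example: triage port-5900 hits by joining two layers of logging.
The router log and VNC server log below are constructed samples."""
import re
from collections import Counter

# Constructed router log. The router sees only that it forwarded a TCP session.
ROUTER_LOG = """\
2012-03-01 02:14:07 LAN access from remote 203.0.113.45:51122 to 192.168.1.20:5900
2012-03-01 02:14:09 LAN access from remote 203.0.113.45:51123 to 192.168.1.20:5900
2012-03-01 09:30:11 LAN access from remote 198.51.100.7:40021 to 192.168.1.20:5900
2012-03-01 09:31:00 LAN access from remote 198.51.100.7:40022 to 192.168.1.20:22
"""

# Constructed VNC server log. Only this layer knows whether a login happened.
VNC_LOG = """\
2012-03-01 02:14:07 connection from 203.0.113.45 accepted
2012-03-01 02:14:08 authentication failed for 203.0.113.45
2012-03-01 02:14:09 connection from 203.0.113.45 accepted
2012-03-01 02:14:10 authentication failed for 203.0.113.45
2012-03-01 09:30:11 connection from 198.51.100.7 accepted
2012-03-01 09:30:12 authentication succeeded for 198.51.100.7
"""

# Patterns for the constructed formats above; adapt these to your own logs.
ROUTER_RE = re.compile(
    r"LAN access from remote (?P<src>[\d.]+):\d+ to (?P<dst>[\d.]+):(?P<port>\d+)")
VNC_RE = re.compile(r"authentication (?P<result>failed|succeeded) for (?P<src>[\d.]+)")


def router_connections(log, port=5900):
    """Per source IP, count TCP connections the router forwarded to `port`.
    This is the transport layer: a hit here is a probe, not a login."""
    counts = Counter()
    for m in ROUTER_RE.finditer(log):
        if int(m["port"]) == port:
            counts[m["src"]] += 1
    return counts


def vnc_auth_results(log):
    """Per source IP, count failed and succeeded VNC authentications."""
    results = {}
    for m in VNC_RE.finditer(log):
        results.setdefault(m["src"], Counter())[m["result"]] += 1
    return results


def triage(router_log, vnc_log, port=5900):
    """Join the two layers. Returns {src_ip: (tcp_connections, verdict)}."""
    auth = vnc_auth_results(vnc_log)
    report = {}
    for src, n in router_connections(router_log, port).items():
        r = auth.get(src, Counter())
        if r["succeeded"]:
            verdict = "LOGGED IN"            # the only case that is an actual access
        elif r["failed"]:
            verdict = "auth failed"          # reached VNC, rejected by the password check
        else:
            verdict = "connected only (no auth event logged)"
        report[src] = (n, verdict)
    return report


if __name__ == "__main__":
    for src, (n, verdict) in sorted(triage(ROUTER_LOG, VNC_LOG).items()):
        print(f"{src:16} {n} connection(s) to 5900: {verdict}")
```

The router count answers jaynick's original question (how many times something reached the box); only the VNC server's own log can answer whether any of those reached the desktop, which is why HELLFIRE's advice to turn that logging on matters.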



TheTechGuru

join:2004-03-25
TEXAS
kudos:2
reply to jaynick

I would set up a PPTP VPN (get a router that has it built in) and just connect to the VPN server (in the router), which will then put you on the LAN remotely; then connect to VNC.
--
CompTIA Network+ Certified



mmainprize

join:2001-12-06
Houghton Lake, MI
Reviews:
·Charter
reply to jaynick

One other thing that could be done:
You have to set an account to be used for the remote control access, and that user must be who logs in.

So edit your policy using the Windows policy editor to make it hard on a hacker. After he fails to enter the correct password three times, the account logon is locked for one hour. Even an eight-char password will work for that, and since you know the password this should not be a problem for you, but a big problem for the hacker.



Wildcatboy
Invisible
Premium,Mod
join:2000-10-30
Toronto, ON
kudos:3

1 edit

1 recommendation

reply to jaynick


You can make it as complicated as you want using SSH tunneling or a VPN, etc... or you can just use the built in features in UltraVNC. That is of course if your computers run on Windows.

UltraVNC already has a feature that allows you to use their DSM plugin (Data Stream Modification) for 128-bit encryption using an RC4 random key. No additional software needed. It will even let you generate a random RC4 key right within the admin properties.

You generate the key and keep one copy on the server and one on the client. If the key is not present on both computers, the connection fails, period.

If the key is present on both, they connect but you still need to login with a password. To bypass the 8 character password limit simply require MS Logon, in which case you can choose one of the users on the server and give it access. The access could even be limited to view only or interact or full access. It could even be a guest account. Your choice. And of course that account could have a very very long password too as opposed to just 8 characters. Not that it's really necessary when you're using the RC4 key.
--
You can catch the Devil, but you can't hold him long.



angussf
Premium
join:2002-01-11
Tucson, AZ
kudos:4

@Wildcatboy -- you are right about Ultr@VNC being able to use encryption plugins. Unfortunately Ultr@VNC is Windows-only, so if you want to use VNC to control a Mac or a Linux or a *BSD box, you must use some other flavour of VNC tunnelled over SSH or through a VPN for security.



jaynick
lit up
Premium
join:2001-02-06
Sterling Heights, MI
kudos:2
reply to jaynick

Thanks much, everyone, for all the great help here. I am giving LogMeIn a try for now on the Windows machines; no need to open any ports, and it seems secure and simple.



David
I start new work on
Premium,VIP
join:2002-05-30
Granite City, IL
kudos:101
reply to jaynick

did you go with hamachi?



stormbow
Freedom isn't FREE
Premium
join:2002-07-31
Simi Valley, CA
reply to jaynick

I am another that tunnels VNC over SSH. My SSH is configured to use a certificate, so no way to hack the password and I have fail2ban running to block IPs trying to get into my SSH. Three fails and you're blocked for an hour.



Da Geek Kid

join:2003-10-11
::1
kudos:1

1 edit

May I ask why an hour, when you are not expecting password attempts with anything other than a cert? Why not 600 hours?

Also, has anyone looked at FreeNX/NoMachine? Works great.



stormbow
Freedom isn't FREE
Premium
join:2002-07-31
Simi Valley, CA

said by Da Geek Kid:

May I ask why an hour, when you are not expecting password attempts with anything other than a cert? Why not 600 hours?

Once or twice I have had keyboard issues and have locked myself out (there is a "password" on the cert). I consider one hour enough punishment for myself. If they continue to try to get in, they get blocked all over again.


jaynick
lit up
Premium
join:2001-02-06
Sterling Heights, MI
kudos:2
reply to David

said by David:

did you go with hamachi?

The free version.


not

@comcast.net

Or you could just use LogMeIn Free and be done with it, including having to configure any port forwarding, etc. Easy, secure, and you can even use it on mobile devices if need be. Much better solution than VNC in my opinion.