 angussfPremium join:2002-01-11 Tucson, AZ kudos:4 | reply to Snowy
Re: How to secure VNC and port 5900 Unfortunately VNC only supports 8-character passwords. |
 angussfPremium join:2002-01-11 Tucson, AZ kudos:4 | reply to SoonerAl said by SoonerAl: "I would recommend running VNC through a Secure Shell [SSH] tunnel. ...." Absolutely!
Setup instructions here, including for Windows:
VNC tunneled thru SSH »www.science.smith.edu/~ejensen/vncssh.html
-- Angus S-F GeoApps, Tucson, Arizona, USA »geoapps.com/ »www.linkedin.com/in/angussf »geoapps.blogspot.com/ |
 jaynicklit upPremium join:2001-02-06 Sterling Heights, MI kudos:2 | reply to angussf said by angussf: "Unfortunately VNC only supports 8-character passwords." Not true, I am using a 63-character random password generated at grc.com. Works without fail. |
 StuartMWWho Is John Galt?Premium join:2000-08-06 Galt's Gulch kudos:2 | reply to jaynick said by jaynick: "Yes, that's the problem with that." Yup. Well, port forwarding is just a limited workaround to NAT. The intended purpose is to allow servers to appear as though they're directly on the internet (i.e. open to all comers).
Again, if you secure VNC (or whatever), then any bad guys won't be able to get into your LAN box, although any and all requests will get to that box (and be rejected if you have good authentication).
The choice is up to you. -- Don't feed trolls--it only makes them grow! |
 SnowymIRC unix.ro UnderNetPremium join:2003-04-05 Kailua, HI kudos:6 | reply to jaynick said by jaynick: "said by angussf: 'Unfortunately VNC only supports 8-character passwords.' Not true, I am using a 63 character random password generated at grc.com. Works without fail" Yikes, an 8-character limit; angussf may be correct about that. What you might be seeing is VNC recognizing the first 8 characters & abandoning the balance of the string. |
 jaynicklit upPremium join:2001-02-06 Sterling Heights, MI kudos:2 | reply to StuartMW Bottom line is that all those entries were probes and attempts but not actual access. Correct? And a 63-char random password like I use for my wireless key would be as secure as it could get, other than using other ways like those mentioned above? |
 jaynicklit upPremium join:2001-02-06 Sterling Heights, MI kudos:2 | reply to Snowy OMG! Is that what it's doing? So much for that idea. Let me look into an SSH tunnel... Thanks much, folks, for all the kind help. |
 StuartMWWho Is John Galt?Premium join:2000-08-06 Galt's Gulch kudos:2 | reply to jaynick said by jaynick: "Bottom line is that all those entries were probes and attempts but not actual access. Correct?" Correct.
As for passwords, it really depends on whether all 63 chars are being used, as angussf pointed out. -- Don't feed trolls--it only makes them grow! |
 RickNYPremium join:2000-11-02 Manorville, NY | reply to jaynick Best practice for securing VNC is to tunnel it through SSH, as others have already mentioned here. If your VNC server supports it, allow it to only listen on the localhost interface (127.0.0.1) to further protect it from internal LAN attacks. When set up that way, it will only accept connections over an SSH tunnel. In case it was not obvious, the only port that should be forwarded would be the port you are using for SSHD. |
 StuartMWWho Is John Galt?Premium join:2000-08-06 Galt's Gulch kudos:2 | How to use SSH local and remote port forwarding -- Don't feed trolls--it only makes them grow! |
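An added worked example (written for this edit, not code from the thread or from any VNC project) of the two things RickNY and StuartMW describe: checking that the VNC server is bound only to 127.0.0.1, so that only the SSH port needs forwarding at the router, and building the SSH local-forward command that then reaches it. It assumes the column layout of Linux `ss -ltn`; the two listener tables and the host `user@home.example` are constructed placeholders.

```python
"""Check that a VNC server listens on loopback only, and build the SSH tunnel
command that reaches it. Added example; listener tables below are constructed."""
import shlex

LOOPBACK = {"127.0.0.1", "[::1]"}

# Constructed sample in `ss -ltn` layout: SSH exposed (intended), VNC on loopback only.
SAMPLE_GOOD = """\
State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*
LISTEN 0      5      127.0.0.1:5900     0.0.0.0:*
"""

# Constructed sample: VNC bound to every interface, on IPv4 and IPv6.
SAMPLE_BAD = """\
State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*
LISTEN 0      5      0.0.0.0:5900       0.0.0.0:*
LISTEN 0      5      [::]:5900          [::]:*
"""


def split_local(addr_port: str) -> tuple[str, int]:
    """Split '127.0.0.1:5900' or '[::]:5900' into (address, port); rpartition keeps IPv6 brackets intact."""
    addr, _, port = addr_port.rpartition(":")
    return addr, int(port)


def exposed_listeners(ss_output: str, port: int) -> list[str]:
    """Return every LISTEN socket on `port` whose local address is not loopback."""
    exposed = []
    for line in ss_output.splitlines()[1:]:  # first line is the column header
        fields = line.split()
        if len(fields) < 4 or fields[0] != "LISTEN":
            continue
        addr, p = split_local(fields[3])  # 4th column: Local Address:Port
        if p == port and addr not in LOOPBACK:
            exposed.append(fields[3])
    return exposed


def vnc_loopback_only(ss_output: str, port: int = 5900) -> bool:
    """True when VNC is reachable only through something already on the box (e.g. sshd)."""
    return not exposed_listeners(ss_output, port)


def tunnel_argv(ssh_target: str, local_port: int, vnc_port: int = 5900, ssh_port: int = 22) -> list[str]:
    """Client-side ssh argv: local_port on this machine -> 127.0.0.1:vnc_port on the server.

    -N opens no remote shell; -L is the local forward. The VNC viewer is then pointed
    at localhost:local_port and never talks to the router's WAN side on 5900.
    """
    return ["ssh", "-N", "-p", str(ssh_port), "-L", f"{local_port}:127.0.0.1:{vnc_port}", ssh_target]


if __name__ == "__main__":
    # On a live host replace the samples with the output of `ss -ltn`.
    for name, table in (("good", SAMPLE_GOOD), ("bad", SAMPLE_BAD)):
        print(f"{name}: loopback only = {vnc_loopback_only(table)}, exposed = {exposed_listeners(table, 5900)}")
    print(shlex.join(tunnel_argv("user@home.example", 5901)))
```

With the "good" table the check passes and the only forwarded port at the router is the SSH port; the "bad" table reports both the IPv4 and the IPv6 wildcard binds, the IPv6 one being easy to miss when only 0.0.0.0 is looked for.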
 davePremium,MVM join:2000-05-04 not in ohio kudos:8 | reply to jaynick said by jaynick: "I just thought I'd see the word attempt or blocked, or something like that, instead of just LAN access. Wasn't sure what to make of it. Anyway, I'll use one of the other suggested approaches." You are confusing layers. A TCP connection was successfully established. We presume they were not able to log in, but that's not your router's concern. |
 jaynicklit upPremium join:2001-02-06 Sterling Heights, MI kudos:2 | reply to RickNY said by RickNY: "Best practice for securing VNC is to tunnel it through SSH, as others have already mentioned here. If your VNC server supports it, allow it to only listen on the localhost interface (127.0.0.1) to further protect it from internal LAN attacks. When set up that way, it will only accept connections over an SSH tunnel. In case it was not obvious, the only port that should be forwarded would be the port you are using for SSHD." Yes, thanks, that's where I am headed. |
 jaynicklit upPremium join:2001-02-06 Sterling Heights, MI kudos:2 | reply to dave said by dave: "said by jaynick: 'I just thought I'd see the word attempt or blocked, or something like that, instead of just LAN access. Wasn't sure what to make of it. Anyway, I'll use one of the other suggested approaches.' You are confusing layers. A TCP connection was successfully established. We presume they were not able to log in, but that's not your router's concern." Thanks, dave, yes I got it now and am headed to a different solution for remote access (ssh). |
 jaynicklit upPremium join:2001-02-06 Sterling Heights, MI kudos:2 1 edit | reply to angussf You are correct, it was dropping the remaining characters.... It fooled me. |
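An added example (not from the thread, not from any VNC project) showing the truncation angussf, Snowy and jaynick discuss, as classic VNC Authentication (RFB security type 2, RFC 6143 section 7.2.2) specifies it: the server's 16-byte challenge is DES-encrypted with a key made from the password cut to 8 bytes, or NUL-padded on the right. The per-byte bit reversal is the implementation quirk that makes a standard DES library match VNC's DES; DES itself is not implemented, since only the key derivation matters for the point. The 63-character sample password is constructed.

```python
"""Why a 63-character password adds nothing under classic VNC Authentication.
Added example; LONG_PW is a constructed stand-in for a long random password."""
import math

VNC_KEY_LEN = 8  # bytes of the password that classic VNC auth keys DES with


def vnc_des_key(password: str) -> bytes:
    """Derive the 8-byte DES key classic VNC auth uses from a password.

    Truncate to 8 bytes or right-pad with NULs (RFC 6143 section 7.2.2), then
    reverse the bit order within each byte, the quirk VNC implementations apply
    so that a standard DES library reproduces VNC's DES variant.
    """
    raw = password.encode("utf-8")[:VNC_KEY_LEN].ljust(VNC_KEY_LEN, b"\x00")
    return bytes(int(f"{b:08b}"[::-1], 2) for b in raw)


def indistinguishable(pw_a: str, pw_b: str) -> bool:
    """True when VNC auth cannot tell the two passwords apart."""
    return vnc_des_key(pw_a) == vnc_des_key(pw_b)


def effective_keyspace_bits(password_len: int, alphabet_size: int) -> float:
    """Entropy a guesser must cover: at most 8 characters count, however long the password is."""
    return min(password_len, VNC_KEY_LEN) * math.log2(alphabet_size)


def audit_password(password: str) -> list[str]:
    """Human-readable findings about how much of a password VNC auth really uses."""
    findings = []
    n = len(password.encode("utf-8"))
    if n > VNC_KEY_LEN:
        findings.append(f"{n - VNC_KEY_LEN} trailing byte(s) are ignored; only the first 8 count")
    elif n < VNC_KEY_LEN:
        findings.append(f"padded with {VNC_KEY_LEN - n} NUL byte(s); fewer than 8 real characters")
    # 94 = printable ASCII, the alphabet a password generator typically draws from
    findings.append(f"effective strength ~{effective_keyspace_bits(n, 94):.1f} bits over 94 printable ASCII")
    return findings


# Constructed 63-character "random" password, the length jaynick was using.
LONG_PW = "q7W!mZ2p" + "rT9&kL0s" * 6 + "abcdefg"

if __name__ == "__main__":
    print(len(LONG_PW), "chars; DES key bytes:", vnc_des_key(LONG_PW).hex())
    print("same key as the 8-char prefix:", indistinguishable(LONG_PW, LONG_PW[:8]))
    for finding in audit_password(LONG_PW):
        print(" -", finding)
```

The 63-character password and its first 8 characters derive the identical key, so the server accepts either one, and the effective strength is the same roughly 52 bits that any 8-character printable password has; that is the limit the SSH tunnel (or a VNC flavour with a stronger security type) is there to remove.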
 StuartMWWho Is John Galt?Premium join:2000-08-06 Galt's Gulch kudos:2 | I believe Microsoft does the same thing with Hotmail passwords.
»Hotmail No Longer Accepts Long Passwords, Shortens Them... -- Don't feed trolls--it only makes them grow! |
 alphapointeDon't Touch MePremium,MVM join:2002-02-10 Columbia, MO kudos:2 | reply to jaynick I use Logmein to the windows boxes, and SSH-tunnelled-VNC to the linux boxes when I'm outside the LAN. I get the occasional idiot that wants to try to brute-force my SSHd server, but I just block his IP (or entire netblock...) in the router.
I also drop traffic from quite a few countries that have no business connecting to me, and it's kept my portscan, bogus SIP attempts, and spam (I run my own SMTP server) levels very low... -- "When the hammer drops, the bullshit stops" |
 jaynicklit upPremium join:2001-02-06 Sterling Heights, MI kudos:2 | reply to StuartMW I saw that, that's a shame. |
 jaynicklit upPremium join:2001-02-06 Sterling Heights, MI kudos:2 | reply to alphapointe F1B3 is set up for that (ssh-tunnel). No worries on that machine. Thanks to parkut |
 | reply to jaynick As others have said, the router log entry was a successful connection on port 5900, but it does NOT mean someone was able to log in via VNC. I don't know if it supports it, but if VNC or the machine itself permits a log of successful logins, set it up so you can keep track of VNC attempts.
I also like StuartMW's suggestion of limiting the source IP addresses able to access VNC to a specific subset.
You've done all you can at the network layer to secure stuff; you also have to keep application layer security in mind as well.
Regards |
 | reply to jaynick I would set up a PPTP VPN (get a router that has it built in) and just connect to the VPN server (in the router), which will then put you on the LAN remotely; then connect to the VNC. -- CompTIA Network+ Certified |