dave Premium Member join:2000-05-04 not in ohio
1 recommendation |
to jaynick
Re: How to secure VNC and port 5900said by jaynick:I just thought I see the word attempt or blocked or something like that instead of just LAN access. Wasn't sure what to make of it. Any way I'll use one of the other suggested approaches. You are confusing layers. A TCP connection was successfully established. We presume they were not able to log in, but that's not your router's concern. |
|
jaynicklit up Premium Member join:2001-02-06 Sterling Heights, MI |
to RickNY
said by RickNY:Best practice for securing VNC is to tunnel it through SSH...As others have already mentioned here. If your VNC server supports it, allow it to only listen on the localhost interface (127.0.0.1) to further protect it from internal LAN attacks. When setup that way, it will only accept connections on a SSH tunnel. In case it was not obvious, the only port that should be forwarded would be the port you are using for SSHD. Yes, thanks, that's where I am headed. |
|
jaynick |
to dave
said by dave:said by jaynick:I just thought I see the word attempt or blocked or something like that instead of just LAN access. Wasn't sure what to make of it. Any way I'll use one of the other suggested approaches. You are confusing layers. A TCP connection was successfully established. We presume they were not able to log in, but that's not your router's concern. Thanks, dave , yes I got it now and headed to different solution for remote access(ssh). |
|
jaynick 1 edit |
to angussf
You are correct, it was dropping the remaining characters....it fooled me. |
|
|
StuartMW
Premium Member
2012-Dec-3 8:39 pm
I believe Microsoft does the same thing with Hotmail passwords. » Hotmail No Longer Accepts Long Passwords, Shortens Them... |
|
alphapointeDon't Touch Me MVM join:2002-02-10 Columbia, MO
1 recommendation |
to jaynick
I use Logmein to the windows boxes, and SSH-tunnelled-VNC to the linux boxes when I'm outside the LAN. I get the occasional idiot that wants to try to brute-force my SSHd server, but I just block his IP (or entire netblock...) in the router.
I also drop traffic from quite a few countries that have no business connecting to me, and it's kept my portscan, bogus SIP attempts, and spam (I run my own SMTP server) levels very low... |
|
jaynicklit up Premium Member join:2001-02-06 Sterling Heights, MI |
to StuartMW
I saw that, that's a shame. |
|
jaynick
1 recommendation |
to alphapointe
F1B3 is setup for that(ssh-tunnel). No worries on that machine. Thanks to parkut |
|
1 recommendation |
to jaynick
As others have said, the router log entry was a successful connection on port 5900, but it does NOT mean someone was able to login via VNC. I don't know if it supports it, but if VNC or the machine itself permits a log of successful logins, set it up so you can keep track of VNC attempts.
I also like StuartMW's suggestion of limit the source IP addresses able to access VNC to a specific subset.
You've done all you can at the network layer to secure stuff, you also have to keep in mind about application layer security as well.
Regards |
|
|
to jaynick
I would setup a PPTP VPN (get a router that has it built it) and just connect to the VPN server (in the router) which then will put you on the LAN remotely then connect to the VNC. |
|
|
to jaynick
One other thing that could be done is. You have to set an account to be used for the remote control access and that user must be who logs in.
So edit you policy using the windows policy editor to make it hard on a hacker. After he fails to enter the correct password three times the account logon is locked for one hour. Even an eight char password will work for that and since you know the password this should not be a problem for you but a big problem for the hacker. |
|
|
1 edit
1 recommendation |
to jaynick
You can make it as complicated as you want using SSH tunneling or a VPN, etc... or you can just use the built in features in UltraVNC. That is of course if your computers run on Windows.
UltraVNC already has a feature that allows you to use their DSM plugin (Data Stream Modification) for 128 bit encryption using an RC4 random key. No additional software needed. It will even let you generate a random RC4 key right within the admin properties.
You generate the key and keep one copy on the server and one on the client. If the key is not present on both computers, the connection fails, period.
If the key is present on both, they connect but you still need to login with a password. To bypass the 8 character password limit simply require MS Logon, in which case you can choose one of the users on the server and give it access. The access could even be limited to view only or interact or full access. It could even be a guest account. Your choice. And of course that account could have a very very long password too as opposed to just 8 characters. Not that it's really necessary when you're using the RC4 key.
|
|
angussf Premium Member join:2002-01-11 Tucson, AZ |
angussf
Premium Member
2012-Dec-4 7:31 am
@Wildcatboy -- you are right about Ultr@VNC being able to use encryption plugins. Unfortunately Ultr@VNC is Windows-only, so if you want to use VNC to control a Mac or a Linux or a *BSD box, you must use some other flavour of VNC tunnelled over SSH or through a VPN for security. |
|
jaynicklit up Premium Member join:2001-02-06 Sterling Heights, MI |
jaynick
Premium Member
2012-Dec-4 12:01 pm
Thanks much everyone for all the great help here. I am giving logmein a try for now on the windows machines, no need to open any ports and seems secure and simple. |
|
David Premium Member join:2002-05-30 Granite City, IL |
to jaynick
did you go with hamachi? |
|
stormbowFreedom isn't FREE Premium Member join:2002-07-31 Simi Valley, CA |
to jaynick
I am another that tunnels VNC over SSH. My SSH is configured to use a certificate, so no way to hack the password and I have fail2ban running to block IPs trying to get into my SSH. Three fails and you're blocked for an hour. |
|
1 edit |
may I ask why an hour when you are not expecting password attempts with anything other than a cert, why not 600 hours.
Also, has anyone looked @ freeNX/NoMachine... Works great. |
|
stormbowFreedom isn't FREE Premium Member join:2002-07-31 Simi Valley, CA |
stormbow
Premium Member
2012-Dec-4 3:12 pm
said by Da Geek Kid:may I ask why an hour when you are not expecting password attempts with anything other than a cert, why not 600 hours. Once or twice I have had keyboard issues and have locked myself out (there is a "password" on the cert). I consider one hour enough punishment for myself. . If they continue to try to get in they get blocked all over again. |
|
jaynicklit up Premium Member join:2001-02-06 Sterling Heights, MI |
to David
said by David:did you go with hamachi? The free version. |
|
not @comcast.net |
not
Anon
2012-Dec-4 9:18 pm
Or you could just use LogMeIn Free and be done with it, including having to configure any port forwarding, etc. Easy, secure, and you can even use it on mobile devices if need be. Much better solution than VNC in my opinion. |
|
|
Personally I like Remote Desktop over VNC. |
|
mackey Premium Member join:2007-08-20
1 recommendation |
to jaynick
I'm surprised no one's mentioned the obvious: run it on a random, non-standard port instead of 5900. While it won't keep out someone who's determined or does a full port scan, it will eliminate 99+% of the "drive-bys" which only look at a handful of common ports. I do that with SSH and have fail2ban set up to take care of the few which get through.
/M |
|
|
RealVNC Enterprise edition can also do this "fail2ban" type thing, has 256 bit AES encryption, and, in spite of the expensive sounding name, is only $50. |
|
|
to jaynick
VPN on the firewall with a very strong password and certificate. I have my VPN at home set to block an IP after 3 failed attempts. That would keep the script kiddies away. |
|
Woody79_00I run Linux am I still a PC? Premium Member join:2004-07-08 united state |
to not
I personally would not use LogMeIn for ANYTHING free or not...this is even more true in a business environment.
Security Rule #1: NEVER trust an offsite service to have access or give access to your local LAN period...end of discussion.
Servers that give you and/or workers remote access to the office should be servers hosted and maintained onsite by your IT Department or network administrator.
OpenVPN is not to difficult to set up...LogMeIn is just a lazy insecure way to do something that should be done the right away that is not too hard to set up to begin with. If a person or small business doens't know how to set up a OpenVPN Server, they they have no business operating or offering remote access to begin with. Spend the money and hire someone who knows how to set one up.
Any security conscious IT person would not use LogMeIn under a business environment and would set up his own secure access method with the hardware and software on site under his/her supervision..and just wouldn't take LogMeIn word for it....
OpenVPN is pretty easy to set up, there really is no excuse....
My apologies for the rant, but trusting an offsite company with remote access to any LAN i work on just doesn't sit well with me... |
|
|
a better alternative to the logmein is the teamviewer. |
|
not @comcast.net |
to Woody79_00
said by Woody79_00:I personally would not use LogMeIn for ANYTHING free or not...this is even more true in a business environment.
Security Rule #1: NEVER trust an offsite service to have access or give access to your local LAN period...end of discussion.
Servers that give you and/or workers remote access to the office should be servers hosted and maintained onsite by your IT Department or network administrator.
OpenVPN is not to difficult to set up...LogMeIn is just a lazy insecure way to do something that should be done the right away that is not too hard to set up to begin with. If a person or small business doens't know how to set up a OpenVPN Server, they they have no business operating or offering remote access to begin with. Spend the money and hire someone who knows how to set one up.
Any security conscious IT person would not use LogMeIn under a business environment and would set up his own secure access method with the hardware and software on site under his/her supervision..and just wouldn't take LogMeIn word for it....
OpenVPN is pretty easy to set up, there really is no excuse....
My apologies for the rant, but trusting an offsite company with remote access to any LAN i work on just doesn't sit well with me... You're living in the past a little bit. The security layer for local password authentication isn't stored on the remote server. The service is trusted and supported by a ton of security conscious people. While I do agree with you to some degree (which is governed by the type of business or security level a client needs), LogMeIn is far more secure and trusted than any other source out there right now. Also, given the fact that this security level comes with a simplistic level of config and operation, makes it even more appealing for the novice user who may need to use something like this for remote access. I've run into a ton of people who end up trying to get RDP or VNC set up and operational and when they do, it's hacked in less than a few days and their systems are used for botnet crap. Fact is this, if you leave a port open on a firewall that responds to an open request and doesn't stealth out the scan, the prober knows what's inside. If they want to really bad, they'll continue to prod and get in one way or another. Again, there is a time and place for every type of security setup and concern and config, but what applies to the tightest of needs for one scenario doesn't apply to all. And NO, it's not a matter of sacrifice at the expense of comfort. It's a matter of the right solution for the right issue at hand while still maintaining a strong security level. |
|
KA0OUV Premium Member join:2010-02-17 Jefferson City, MO |
to mackey
+1 |
|
KA0OUV |
to mackey
said by mackey:I'm surprised no one's mentioned the obvious: run it on a random, non-standard port instead of 5900. While it won't keep out someone who's determined or does a full port scan, it will eliminate 99+% of the "drive-bys" which only look at a handful of common ports. I do that with SSH and have fail2ban set up to take care of the few which get through.
/M + 1 |
|
Woody79_00I run Linux am I still a PC? Premium Member join:2004-07-08 united state
1 recommendation |
to not
I am not living in the past, I just am not comfortable trusting "any" outside entity to provide remote access to my LAN from outside of my control. If i were to offer such services, I would want those services (the hardware) to be on site under my control. Any business should want the same.
With services like LogMeIn, its an honor system...Why should i trust them? The way things are in the world today...i have no reason to trust them. I don't "personally know" anyone who works for LogMeIn...how do i know i can trust them? Should i take someone else word for it, who by the way, has never met these people in person face to face either?
have you met anyone from LogMeIn face to face? Are you sure you can trust them? Do you even know what kind of people they are? How about their ethics? Who runs their data centers? where are they located? can i visit the data center i will be using?
these are questions everyone should ask themselves before making such deals, especially when it comes to remote access.
Again...if your willing to pay money for LogMeIn or any other service, why not spend that money on a consultant who is capable of setting up a OpenVPN Server for you securely and be done with it....in the long run this may even be a cheaper option overall.
at least you will have piece of mind that remote access is controlled on premise, by people you know and have seen their faces, and not hosted somewhere else by someone you have never met before in your life.
just my 2 cents. |
|