dslreports logo
 
    All Forums Hot Topics Gallery
spc
Search similar:


uniqs
20778
dave
Premium Member
join:2000-05-04
not in ohio

1 recommendation

dave to jaynick

Premium Member

to jaynick

Re: How to secure VNC and port 5900

said by jaynick:

I just thought I see the word attempt or blocked or something like that instead of just LAN access. Wasn't sure what to make of it. Any way I'll use one of the other suggested approaches.

You are confusing layers. A TCP connection was successfully established. We presume they were not able to log in, but that's not your router's concern.

jaynick
lit up
Premium Member
join:2001-02-06
Sterling Heights, MI

jaynick to RickNY

Premium Member

to RickNY
said by RickNY:

Best practice for securing VNC is to tunnel it through SSH...As others have already mentioned here. If your VNC server supports it, allow it to only listen on the localhost interface (127.0.0.1) to further protect it from internal LAN attacks. When setup that way, it will only accept connections on a SSH tunnel. In case it was not obvious, the only port that should be forwarded would be the port you are using for SSHD.

Yes, thanks, that's where I am headed.
jaynick

jaynick to dave

Premium Member

to dave
said by dave:

said by jaynick:

I just thought I see the word attempt or blocked or something like that instead of just LAN access. Wasn't sure what to make of it. Any way I'll use one of the other suggested approaches.

You are confusing layers. A TCP connection was successfully established. We presume they were not able to log in, but that's not your router's concern.

Thanks, dave See Profile, yes I got it now and headed to different solution for remote access(ssh).
jaynick

1 edit

jaynick to angussf

Premium Member

to angussf
You are correct, it was dropping the remaining characters....it fooled me.

StuartMW
Premium Member
join:2000-08-06

StuartMW

Premium Member

I believe Microsoft does the same thing with Hotmail passwords.

»Hotmail No Longer Accepts Long Passwords, Shortens Them...

alphapointe
Don't Touch Me
MVM
join:2002-02-10
Columbia, MO

1 recommendation

alphapointe to jaynick

MVM

to jaynick
I use Logmein to the windows boxes, and SSH-tunnelled-VNC to the linux boxes when I'm outside the LAN. I get the occasional idiot that wants to try to brute-force my SSHd server, but I just block his IP (or entire netblock...) in the router.

I also drop traffic from quite a few countries that have no business connecting to me, and it's kept my portscan, bogus SIP attempts, and spam (I run my own SMTP server) levels very low...

jaynick
lit up
Premium Member
join:2001-02-06
Sterling Heights, MI

jaynick to StuartMW

Premium Member

to StuartMW
I saw that, that's a shame.
jaynick

1 recommendation

jaynick to alphapointe

Premium Member

to alphapointe
F1B3 is setup for that(ssh-tunnel). No worries on that machine. Thanks to parkut See Profile
HELLFIRE
MVM
join:2009-11-25

1 recommendation

HELLFIRE to jaynick

MVM

to jaynick
As others have said, the router log entry was a successful connection on port 5900, but it does NOT mean someone
was able to login via VNC. I don't know if it supports it, but if VNC or the machine itself permits a log of successful
logins, set it up so you can keep track of VNC attempts.

I also like StuartMW's suggestion of limit the source IP addresses able to access VNC to a specific subset.

You've done all you can at the network layer to secure stuff, you also have to keep in mind about application layer
security as well.

Regards

TheTechGuru
join:2004-03-25
TEXAS

TheTechGuru to jaynick

Member

to jaynick
I would setup a PPTP VPN (get a router that has it built it) and just connect to the VPN server (in the router) which then will put you on the LAN remotely then connect to the VNC.

mmainprize
join:2001-12-06
Houghton Lake, MI

mmainprize to jaynick

Member

to jaynick
One other thing that could be done is.
You have to set an account to be used for the remote control access and that user must be who logs in.

So edit you policy using the windows policy editor to make it hard on a hacker. After he fails to enter the correct password three times the account logon is locked for one hour. Even an eight char password will work for that and since you know the password this should not be a problem for you but a big problem for the hacker.

Wildcatboy
Invisible
Mod
join:2000-10-30
Toronto, ON

1 edit

1 recommendation

Wildcatboy to jaynick

Mod

to jaynick

You can make it as complicated as you want using SSH tunneling or a VPN, etc... or you can just use the built in features in UltraVNC. That is of course if your computers run on Windows.

UltraVNC already has a feature that allows you to use their DSM plugin (Data Stream Modification) for 128 bit encryption using an RC4 random key. No additional software needed. It will even let you generate a random RC4 key right within the admin properties.

You generate the key and keep one copy on the server and one on the client. If the key is not present on both computers, the connection fails, period.

If the key is present on both, they connect but you still need to login with a password. To bypass the 8 character password limit simply require MS Logon, in which case you can choose one of the users on the server and give it access. The access could even be limited to view only or interact or full access. It could even be a guest account. Your choice. And of course that account could have a very very long password too as opposed to just 8 characters. Not that it's really necessary when you're using the RC4 key.

angussf
Premium Member
join:2002-01-11
Tucson, AZ

angussf

Premium Member

@Wildcatboy -- you are right about Ultr@VNC being able to use encryption plugins. Unfortunately Ultr@VNC is Windows-only, so if you want to use VNC to control a Mac or a Linux or a *BSD box, you must use some other flavour of VNC tunnelled over SSH or through a VPN for security.

jaynick
lit up
Premium Member
join:2001-02-06
Sterling Heights, MI

jaynick

Premium Member

Thanks much everyone for all the great help here. I am giving logmein a try for now on the windows machines, no need to open any ports and seems secure and simple.

David
Premium Member
join:2002-05-30
Granite City, IL

David to jaynick

Premium Member

to jaynick
did you go with hamachi?

stormbow
Freedom isn't FREE
Premium Member
join:2002-07-31
Simi Valley, CA

stormbow to jaynick

Premium Member

to jaynick
I am another that tunnels VNC over SSH. My SSH is configured to use a certificate, so no way to hack the password and I have fail2ban running to block IPs trying to get into my SSH. Three fails and you're blocked for an hour.

Da Geek Kid
join:2003-10-11
::1

1 edit

Da Geek Kid

Member

may I ask why an hour when you are not expecting password attempts with anything other than a cert, why not 600 hours.

Also, has anyone looked @ freeNX/NoMachine... Works great.

stormbow
Freedom isn't FREE
Premium Member
join:2002-07-31
Simi Valley, CA

stormbow

Premium Member

said by Da Geek Kid:

may I ask why an hour when you are not expecting password attempts with anything other than a cert, why not 600 hours.

Once or twice I have had keyboard issues and have locked myself out (there is a "password" on the cert). I consider one hour enough punishment for myself. . If they continue to try to get in they get blocked all over again.

jaynick
lit up
Premium Member
join:2001-02-06
Sterling Heights, MI

jaynick to David

Premium Member

to David
said by David:

did you go with hamachi?

The free version.

not
@comcast.net

not

Anon

Or you could just use LogMeIn Free and be done with it, including having to configure any port forwarding, etc. Easy, secure, and you can even use it on mobile devices if need be. Much better solution than VNC in my opinion.

TheTechGuru
join:2004-03-25
TEXAS

TheTechGuru

Member

Personally I like Remote Desktop over VNC.

mackey
Premium Member
join:2007-08-20

1 recommendation

mackey to jaynick

Premium Member

to jaynick
I'm surprised no one's mentioned the obvious: run it on a random, non-standard port instead of 5900. While it won't keep out someone who's determined or does a full port scan, it will eliminate 99+% of the "drive-bys" which only look at a handful of common ports. I do that with SSH and have fail2ban set up to take care of the few which get through.

/M

Raphion
join:2000-10-14
Samsara

Raphion

Member

RealVNC Enterprise edition can also do this "fail2ban" type thing, has 256 bit AES encryption, and, in spite of the expensive sounding name, is only $50.

Eagles1221
join:2009-04-29
Vincentown, NJ

Eagles1221 to jaynick

Member

to jaynick
VPN on the firewall with a very strong password and certificate. I have my VPN at home set to block an IP after 3 failed attempts. That would keep the script kiddies away.

Woody79_00
I run Linux am I still a PC?
Premium Member
join:2004-07-08
united state

Woody79_00 to not

Premium Member

to not
I personally would not use LogMeIn for ANYTHING free or not...this is even more true in a business environment.

Security Rule #1: NEVER trust an offsite service to have access or give access to your local LAN period...end of discussion.

Servers that give you and/or workers remote access to the office should be servers hosted and maintained onsite by your IT Department or network administrator.

OpenVPN is not to difficult to set up...LogMeIn is just a lazy insecure way to do something that should be done the right away that is not too hard to set up to begin with. If a person or small business doens't know how to set up a OpenVPN Server, they they have no business operating or offering remote access to begin with. Spend the money and hire someone who knows how to set one up.

Any security conscious IT person would not use LogMeIn under a business environment and would set up his own secure access method with the hardware and software on site under his/her supervision..and just wouldn't take LogMeIn word for it....

OpenVPN is pretty easy to set up, there really is no excuse....

My apologies for the rant, but trusting an offsite company with remote access to any LAN i work on just doesn't sit well with me...

Da Geek Kid
join:2003-10-11
::1

Da Geek Kid

Member

a better alternative to the logmein is the teamviewer.

not
@comcast.net

not to Woody79_00

Anon

to Woody79_00
said by Woody79_00:

I personally would not use LogMeIn for ANYTHING free or not...this is even more true in a business environment.

Security Rule #1: NEVER trust an offsite service to have access or give access to your local LAN period...end of discussion.

Servers that give you and/or workers remote access to the office should be servers hosted and maintained onsite by your IT Department or network administrator.

OpenVPN is not to difficult to set up...LogMeIn is just a lazy insecure way to do something that should be done the right away that is not too hard to set up to begin with. If a person or small business doens't know how to set up a OpenVPN Server, they they have no business operating or offering remote access to begin with. Spend the money and hire someone who knows how to set one up.

Any security conscious IT person would not use LogMeIn under a business environment and would set up his own secure access method with the hardware and software on site under his/her supervision..and just wouldn't take LogMeIn word for it....

OpenVPN is pretty easy to set up, there really is no excuse....

My apologies for the rant, but trusting an offsite company with remote access to any LAN i work on just doesn't sit well with me...

You're living in the past a little bit. The security layer for local password authentication isn't stored on the remote server. The service is trusted and supported by a ton of security conscious people. While I do agree with you to some degree (which is governed by the type of business or security level a client needs), LogMeIn is far more secure and trusted than any other source out there right now. Also, given the fact that this security level comes with a simplistic level of config and operation, makes it even more appealing for the novice user who may need to use something like this for remote access. I've run into a ton of people who end up trying to get RDP or VNC set up and operational and when they do, it's hacked in less than a few days and their systems are used for botnet crap. Fact is this, if you leave a port open on a firewall that responds to an open request and doesn't stealth out the scan, the prober knows what's inside. If they want to really bad, they'll continue to prod and get in one way or another.

Again, there is a time and place for every type of security setup and concern and config, but what applies to the tightest of needs for one scenario doesn't apply to all. And NO, it's not a matter of sacrifice at the expense of comfort. It's a matter of the right solution for the right issue at hand while still maintaining a strong security level.

KA0OUV
Premium Member
join:2010-02-17
Jefferson City, MO

KA0OUV to mackey

Premium Member

to mackey
+1
KA0OUV

KA0OUV to mackey

Premium Member

to mackey
said by mackey:

I'm surprised no one's mentioned the obvious: run it on a random, non-standard port instead of 5900. While it won't keep out someone who's determined or does a full port scan, it will eliminate 99+% of the "drive-bys" which only look at a handful of common ports. I do that with SSH and have fail2ban set up to take care of the few which get through.

/M

+ 1

Woody79_00
I run Linux am I still a PC?
Premium Member
join:2004-07-08
united state

1 recommendation

Woody79_00 to not

Premium Member

to not
I am not living in the past, I just am not comfortable trusting "any" outside entity to provide remote access to my LAN from outside of my control. If i were to offer such services, I would want those services (the hardware) to be on site under my control. Any business should want the same.

With services like LogMeIn, its an honor system...Why should i trust them? The way things are in the world today...i have no reason to trust them. I don't "personally know" anyone who works for LogMeIn...how do i know i can trust them? Should i take someone else word for it, who by the way, has never met these people in person face to face either?

have you met anyone from LogMeIn face to face? Are you sure you can trust them? Do you even know what kind of people they are? How about their ethics? Who runs their data centers? where are they located? can i visit the data center i will be using?

these are questions everyone should ask themselves before making such deals, especially when it comes to remote access.

Again...if your willing to pay money for LogMeIn or any other service, why not spend that money on a consultant who is capable of setting up a OpenVPN Server for you securely and be done with it....in the long run this may even be a cheaper option overall.

at least you will have piece of mind that remote access is controlled on premise, by people you know and have seen their faces, and not hosted somewhere else by someone you have never met before in your life.

just my 2 cents.