dslreports logo
site
 
    All Forums Hot Topics Gallery
spc

spacer




how-to block ads


Search Topic:
uniqs
12108
share rss forum feed


mmainprize

join:2001-12-06
Houghton Lake, MI
Reviews:
·Charter
reply to jaynick

Re: How to secure VNC and port 5900

One other thing that could be done is.
You have to set an account to be used for the remote control access and that user must be who logs in.

So edit you policy using the windows policy editor to make it hard on a hacker. After he fails to enter the correct password three times the account logon is locked for one hour. Even an eight char password will work for that and since you know the password this should not be a problem for you but a big problem for the hacker.



Wildcatboy
Invisible
Premium,Mod
join:2000-10-30
Toronto, ON
kudos:3

1 edit

1 recommendation

reply to jaynick


You can make it as complicated as you want using SSH tunneling or a VPN, etc... or you can just use the built in features in UltraVNC. That is of course if your computers run on Windows.

UltraVNC already has a feature that allows you to use their DSM plugin (Data Stream Modification) for 128 bit encryption using an RC4 random key. No additional software needed. It will even let you generate a random RC4 key right within the admin properties.

You generate the key and keep one copy on the server and one on the client. If the key is not present on both computers, the connection fails, period.

If the key is present on both, they connect but you still need to login with a password. To bypass the 8 character password limit simply require MS Logon, in which case you can choose one of the users on the server and give it access. The access could even be limited to view only or interact or full access. It could even be a guest account. Your choice. And of course that account could have a very very long password too as opposed to just 8 characters. Not that it's really necessary when you're using the RC4 key.
--
You can catch the Devil, but you can't hold him long.



angussf
Premium
join:2002-01-11
Tucson, AZ
kudos:4

@Wildcatboy -- you are right about Ultr@VNC being able to use encryption plugins. Unfortunately Ultr@VNC is Windows-only, so if you want to use VNC to control a Mac or a Linux or a *BSD box, you must use some other flavour of VNC tunnelled over SSH or through a VPN for security.



jaynick
lit up
Premium
join:2001-02-06
Sterling Heights, MI
kudos:2
reply to jaynick

Thanks much everyone for all the great help here. I am giving logmein a try for now on the windows machines, no need to open any ports and seems secure and simple.



David
I start new work on
Premium,VIP
join:2002-05-30
Granite City, IL
kudos:101
reply to jaynick

did you go with hamachi?



stormbow
Freedom isn't FREE
Premium
join:2002-07-31
Simi Valley, CA
reply to jaynick

I am another that tunnels VNC over SSH. My SSH is configured to use a certificate, so no way to hack the password and I have fail2ban running to block IPs trying to get into my SSH. Three fails and you're blocked for an hour.



Da Geek Kid

join:2003-10-11
::1
kudos:1

1 edit

may I ask why an hour when you are not expecting password attempts with anything other than a cert, why not 600 hours.

Also, has anyone looked @ freeNX/NoMachine... Works great.



stormbow
Freedom isn't FREE
Premium
join:2002-07-31
Simi Valley, CA

said by Da Geek Kid:

may I ask why an hour when you are not expecting password attempts with anything other than a cert, why not 600 hours.

Once or twice I have had keyboard issues and have locked myself out (there is a "password" on the cert). I consider one hour enough punishment for myself. . If they continue to try to get in they get blocked all over again.


jaynick
lit up
Premium
join:2001-02-06
Sterling Heights, MI
kudos:2
reply to David

said by David:

did you go with hamachi?

The free version.


not

@comcast.net

Or you could just use LogMeIn Free and be done with it, including having to configure any port forwarding, etc. Easy, secure, and you can even use it on mobile devices if need be. Much better solution than VNC in my opinion.



TheTechGuru

join:2004-03-25
TEXAS
kudos:2

Personally I like Remote Desktop over VNC.
--
CompTIA Network+ Certified



mackey
Premium
join:2007-08-20
kudos:12

1 recommendation

reply to jaynick

I'm surprised no one's mentioned the obvious: run it on a random, non-standard port instead of 5900. While it won't keep out someone who's determined or does a full port scan, it will eliminate 99+% of the "drive-bys" which only look at a handful of common ports. I do that with SSH and have fail2ban set up to take care of the few which get through.

/M



Raphion

join:2000-10-14
Samsara

RealVNC Enterprise edition can also do this "fail2ban" type thing, has 256 bit AES encryption, and, in spite of the expensive sounding name, is only $50.


bn1221

join:2009-04-29
Cortland, NY
reply to jaynick

VPN on the firewall with a very strong password and certificate. I have my VPN at home set to block an IP after 3 failed attempts. That would keep the script kiddies away.



Woody79_00
I run Linux am I still a PC?
Premium
join:2004-07-08
united state
reply to not

I personally would not use LogMeIn for ANYTHING free or not...this is even more true in a business environment.

Security Rule #1: NEVER trust an offsite service to have access or give access to your local LAN period...end of discussion.

Servers that give you and/or workers remote access to the office should be servers hosted and maintained onsite by your IT Department or network administrator.

OpenVPN is not to difficult to set up...LogMeIn is just a lazy insecure way to do something that should be done the right away that is not too hard to set up to begin with. If a person or small business doens't know how to set up a OpenVPN Server, they they have no business operating or offering remote access to begin with. Spend the money and hire someone who knows how to set one up.

Any security conscious IT person would not use LogMeIn under a business environment and would set up his own secure access method with the hardware and software on site under his/her supervision..and just wouldn't take LogMeIn word for it....

OpenVPN is pretty easy to set up, there really is no excuse....

My apologies for the rant, but trusting an offsite company with remote access to any LAN i work on just doesn't sit well with me...



Da Geek Kid

join:2003-10-11
::1
kudos:1

a better alternative to the logmein is the teamviewer.



not

@comcast.net
reply to Woody79_00

said by Woody79_00:

I personally would not use LogMeIn for ANYTHING free or not...this is even more true in a business environment.

Security Rule #1: NEVER trust an offsite service to have access or give access to your local LAN period...end of discussion.

Servers that give you and/or workers remote access to the office should be servers hosted and maintained onsite by your IT Department or network administrator.

OpenVPN is not to difficult to set up...LogMeIn is just a lazy insecure way to do something that should be done the right away that is not too hard to set up to begin with. If a person or small business doens't know how to set up a OpenVPN Server, they they have no business operating or offering remote access to begin with. Spend the money and hire someone who knows how to set one up.

Any security conscious IT person would not use LogMeIn under a business environment and would set up his own secure access method with the hardware and software on site under his/her supervision..and just wouldn't take LogMeIn word for it....

OpenVPN is pretty easy to set up, there really is no excuse....

My apologies for the rant, but trusting an offsite company with remote access to any LAN i work on just doesn't sit well with me...

You're living in the past a little bit. The security layer for local password authentication isn't stored on the remote server. The service is trusted and supported by a ton of security conscious people. While I do agree with you to some degree (which is governed by the type of business or security level a client needs), LogMeIn is far more secure and trusted than any other source out there right now. Also, given the fact that this security level comes with a simplistic level of config and operation, makes it even more appealing for the novice user who may need to use something like this for remote access. I've run into a ton of people who end up trying to get RDP or VNC set up and operational and when they do, it's hacked in less than a few days and their systems are used for botnet crap. Fact is this, if you leave a port open on a firewall that responds to an open request and doesn't stealth out the scan, the prober knows what's inside. If they want to really bad, they'll continue to prod and get in one way or another.

Again, there is a time and place for every type of security setup and concern and config, but what applies to the tightest of needs for one scenario doesn't apply to all. And NO, it's not a matter of sacrifice at the expense of comfort. It's a matter of the right solution for the right issue at hand while still maintaining a strong security level.


KA0OUV
Premium
join:2010-02-17
Jefferson City, MO
reply to mackey

+1



KA0OUV
Premium
join:2010-02-17
Jefferson City, MO
reply to mackey

said by mackey:

I'm surprised no one's mentioned the obvious: run it on a random, non-standard port instead of 5900. While it won't keep out someone who's determined or does a full port scan, it will eliminate 99+% of the "drive-bys" which only look at a handful of common ports. I do that with SSH and have fail2ban set up to take care of the few which get through.

/M

+ 1


Woody79_00
I run Linux am I still a PC?
Premium
join:2004-07-08
united state

1 recommendation

reply to not

I am not living in the past, I just am not comfortable trusting "any" outside entity to provide remote access to my LAN from outside of my control. If i were to offer such services, I would want those services (the hardware) to be on site under my control. Any business should want the same.

With services like LogMeIn, its an honor system...Why should i trust them? The way things are in the world today...i have no reason to trust them. I don't "personally know" anyone who works for LogMeIn...how do i know i can trust them? Should i take someone else word for it, who by the way, has never met these people in person face to face either?

have you met anyone from LogMeIn face to face? Are you sure you can trust them? Do you even know what kind of people they are? How about their ethics? Who runs their data centers? where are they located? can i visit the data center i will be using?

these are questions everyone should ask themselves before making such deals, especially when it comes to remote access.

Again...if your willing to pay money for LogMeIn or any other service, why not spend that money on a consultant who is capable of setting up a OpenVPN Server for you securely and be done with it....in the long run this may even be a cheaper option overall.

at least you will have piece of mind that remote access is controlled on premise, by people you know and have seen their faces, and not hosted somewhere else by someone you have never met before in your life.

just my 2 cents.



Da Geek Kid

join:2003-10-11
::1
kudos:1

logmein is free service for personal unless you want to go big!



AVD
Respice, Adspice, Prospice
Premium
join:2003-02-06
Onion, NJ
kudos:1
reply to HELLFIRE

said by HELLFIRE:

I don't know if it supports it, but if VNC or the machine itself permits a log of successful
logins, set it up so you can keep track of VNC attempts.

what's the point, it can be easily defeated if the attacker gets some sort of privledged access over VNC (unless you output to a line printer)
--
* seek help if having trouble coping
--Standard disclaimers apply.--


mmainprize

join:2001-12-06
Houghton Lake, MI
Reviews:
·Charter
reply to Woody79_00

said by Woody79_00:

I am not living in the past, I just am not comfortable trusting "any" outside entity to provide remote access to my LAN from outside of my control. If i were to offer such services, I would want those services (the hardware) to be on site under my control. Any business should want the same.

With services like LogMeIn, its an honor system...Why should i trust them? The way things are in the world today...i have no reason to trust them. I don't "personally know" anyone who works for LogMeIn...how do i know i can trust them? Should i take someone else word for it, who by the way, has never met these people in person face to face either?

have you met anyone from LogMeIn face to face? Are you sure you can trust them? Do you even know what kind of people they are? How about their ethics? Who runs their data centers? where are they located? can i visit the data center i will be using?

these are questions everyone should ask themselves before making such deals, especially when it comes to remote access.

Again...if your willing to pay money for LogMeIn or any other service, why not spend that money on a consultant who is capable of setting up a OpenVPN Server for you securely and be done with it....in the long run this may even be a cheaper option overall.

at least you will have piece of mind that remote access is controlled on premise, by people you know and have seen their faces, and not hosted somewhere else by someone you have never met before in your life.

just my 2 cents.

Right On.

Every time i think about one of these types of services i think about the same things you just listed.
I do not want to give my login info to any site.
Even the VPN services sites, you never know who might be watching your traffic at the service.
You have better trust any service you deal with. I was given a free one year account at cyberghost, VPN service but have not used it because i don't trust it or the source i got it from.

It is like all the people that do there taxes online at some web site. Now you here that many find that taxes refunds have all ready been sent out to fake fillers before the real person filled there taxes, where do you thing they got all the info to fill a tax return in your name.
I have always used OpenSSH but now just upgraded to Windows 8 and need to find new software that is compatible with windows 8. I don't travel much so the need to connect is less these days so i have some time.


Derwood
Wherever you go, there you are
Premium
join:2003-01-21
Dayton, OH
reply to jaynick

Stunnel will allow any non-SSL listening app become SSL.. It's free and works with just about anything

»www.stunnel.org/index.html



RickNY
Premium
join:2000-11-02
Farmingville, NY
Reviews:
·Optimum Online
reply to mackey

said by mackey:

I'm surprised no one's mentioned the obvious: run it on a random, non-standard port instead of 5900.

Security through obscurity... The SSH route is the best way to go. Additionally, SSH will provide the end user with some other valuable perks such as SFTP/SCP for file transfers. Additionally, you can use SSHD as a SOCKS proxy, effectively giving you a VPN for anything else.

You will get a lot of drive-bys on SSH -- probably more than you would with VNC.. But properly secured with public key authentication and password authentication disabled, you'd have a very secure system.
Expand your moderator at work


not

@comcast.net
reply to mmainprize

Re: How to secure VNC and port 5900

said by mmainprize:

Right On.

Every time i think about one of these types of services i think about the same things you just listed.
I do not want to give my login info to any site.
Even the VPN services sites, you never know who might be watching your traffic at the service.
You have better trust any service you deal with. I was given a free one year account at cyberghost, VPN service but have not used it because i don't trust it or the source i got it from.

It is like all the people that do there taxes online at some web site. Now you here that many find that taxes refunds have all ready been sent out to fake fillers before the real person filled there taxes, where do you thing they got all the info to fill a tax return in your name.
I have always used OpenSSH but now just upgraded to Windows 8 and need to find new software that is compatible with windows 8. I don't travel much so the need to connect is less these days so i have some time.

Now you, actually have a good point. You have good cause to be weary of VPN tunneling services. The reason being, ALL traffic pumped through that gateway can be sniffed once it's outside the VPN tunnel (i.e. the traffic is only secured between your PC and the VPN endpoint), once it's after that which is still on the local network of the VPN provider and it must go through their Internet Gateway to get to your requested site all they have to do is just sniff your traffic between the VPN server and their Internet Gateway. Simple, so you have a point for this type of service and I agree with you. I wouldn't trust them either.

HELLFIRE
Premium
join:2009-11-25
kudos:18
reply to AVD

AAA and syslog are also options... just depends on how secure the environment and ho much the OP is willing to expend on the effort.

Regards