dave (Premium, MVM) join:2000-05-04 not in ohio kudos:8 | reply to jaynick
Re: How to secure VNC and port 5900
What's your security concern, specifically?
No doubt about it: making it possible to log in to a machine from the internet, where it was previously possible to do so, is a lessening of security. Unavoidably so.
So, the concern must be to reduce the risk. Strong passwords will help prevent anyone else from logging in. Encryption will help prevent anyone else from sniffing traffic.
I'm not sure what you meant by posting the log extract. The log tells you that some remote station tried to access your PC. That shouldn't surprise you: it's what you wanted to allow. Is 211.43.213.64 you or is it someone else probing your router?
jaynick (lit up, Premium) join:2001-02-06 Sterling Heights, MI kudos:2
The concern was that the IP is not me; it's from Asia. I was hoping it was just a probe, but the log said LAN access.
StuartMW (Who Is John Galt?, Premium) join:2000-08-06 Galt's Gulch kudos:2
Yes, a machine on the internet is trying to access a machine on your LAN. That's what the router log means.
By port forwarding port 5900 to a machine on your LAN you're opening it up to everyone. You implied you understood that with your initial post.
What others have been trying to point out is that your solution is to use secure VNC connections to that LAN machine.
Your choice is to do that (and have people try and hack it) or disallow all access from the internet. Your choice. -- Don't feed trolls--it only makes them grow!
jaynick (lit up, Premium) join:2001-02-06 Sterling Heights, MI kudos:2
That's what I am trying to find out (a better alternative). I took the log entry to mean a successful access attempt.
StuartMW (Who Is John Galt?, Premium) join:2000-08-06 Galt's Gulch kudos:2
said by jaynick: I took the log entry to mean a successful access attempt.
No. Your router is just telling you that the IP (on the internet) is trying to access this IP on your LAN. That doesn't mean success or failure. VNC should be able to log access attempts. -- Don't feed trolls--it only makes them grow!
jaynick (lit up, Premium) join:2001-02-06 Sterling Heights, MI kudos:2
I just thought I'd see the word attempt or blocked or something like that instead of just LAN access. Wasn't sure what to make of it. Anyway, I'll use one of the other suggested approaches.
StuartMW (Who Is John Galt?, Premium) join:2000-08-06 Galt's Gulch kudos:2
The only thing I can think of, offhand, is to
• Enable port forwarding for 5900.
• Create a firewall rule to block (or only allow) port 5900 accesses from the internet for a single or small range of IPs.
Of course you'd have to know what internet IP(s) you may have (i.e. what are you). The firewall will prevent any port scanners from even reaching your LAN while you'll get through. -- Don't feed trolls--it only makes them grow!
jaynick (lit up, Premium) join:2001-02-06 Sterling Heights, MI kudos:2
said by StuartMW: Of course you'd have to know what internet IP(s) you may have (i.e. what are you). The firewall will prevent any port scanners from even reaching your LAN while you'll get through.
Yes, that's the problem with that.
StuartMW (Who Is John Galt?, Premium) join:2000-08-06 Galt's Gulch kudos:2
said by jaynick: Yes, that's the problem with that.
Yup. Well, port forwarding is just a limited workaround to NAT. The intended purpose is to allow servers to appear as though they're directly on the internet (i.e. open to all comers).
Again, if you secure VNC (or whatever) then any bad guys won't be able to get into your LAN box, although any and all requests will get to that box (and be rejected if you have good authentication).
The choice is up to you. -- Don't feed trolls--it only makes them grow!
jaynick (lit up, Premium) join:2001-02-06 Sterling Heights, MI kudos:2
Bottom line is that all those entries were probes and attempts but not actual access. Correct? And a 63-char random password like I use for my wireless key would be as secure as it could get, other than using other ways like mentioned above?
StuartMW (Who Is John Galt?, Premium) join:2000-08-06 Galt's Gulch kudos:2
said by jaynick: Bottom line is that all those entries were probes and attempts but not actual access. Correct?
Correct.
As for passwords, it really depends on whether all 63 chars are being used, as angussf pointed out. -- Don't feed trolls--it only makes them grow!
dave (Premium, MVM) join:2000-05-04 not in ohio kudos:8 | reply to jaynick
said by jaynick: I just thought I'd see the word attempt or blocked or something like that instead of just LAN access. Wasn't sure what to make of it. Anyway, I'll use one of the other suggested approaches.
You are confusing layers. A TCP connection was successfully established. We presume they were not able to log in, but that's not your router's concern.
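An added example (not code from the thread) of the triage dave and StuartMW describe: the router log only records that a TCP connection from a WAN address reached the forwarded VNC port, so the defender's check is which sources are expected and which are unexplained probes. The log format, the LAN host 192.168.1.10 and the allowed range 203.0.113.0/24 are constructed assumptions; 211.43.213.64 is the address quoted in the thread.

```python
import ipaddress
import re
from collections import Counter

# Constructed router log lines (the format is hypothetical; real routers differ).
# Each line means only that a TCP connection from a WAN address reached the
# forwarded LAN host on 5900. It says nothing about whether a VNC login succeeded.
ROUTER_LOG = """\
[LAN access from remote] from 211.43.213.64:41822 to 192.168.1.10:5900
[LAN access from remote] from 203.0.113.7:50111 to 192.168.1.10:5900
[LAN access from remote] from 211.43.213.64:41830 to 192.168.1.10:5900
[LAN access from remote] from 198.51.100.9:61000 to 192.168.1.10:5900
"""

# Hypothetical allowlist: the address range the owner connects from
# (the "single or small range of IPs" StuartMW's firewall rule would permit).
ALLOWED_SOURCES = [ipaddress.ip_network("203.0.113.0/24")]


def parse_line(line):
    """Return (src_ip, dst_ip, dst_port) for one log line, or None if it does not match."""
    m = re.search(r"from (\S+):\d+ to (\S+):(\d+)", line)
    if not m:
        return None
    return m.group(1), m.group(2), int(m.group(3))


def is_allowed(src_ip):
    """True if the source address falls inside one of the owner's known ranges."""
    addr = ipaddress.ip_address(src_ip)
    return any(addr in net for net in ALLOWED_SOURCES)


def triage(log_text, port=5900):
    """Split connections to the VNC port into expected sources and unexplained probes.

    Returns {"expected": Counter, "probes": Counter}, each keyed by source IP,
    so repeat probers stand out by count.
    """
    expected, probes = Counter(), Counter()
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None or parsed[2] != port:
            continue  # unrelated line or a different forwarded port
        src = parsed[0]
        (expected if is_allowed(src) else probes)[src] += 1
    return {"expected": expected, "probes": probes}


if __name__ == "__main__":
    result = triage(ROUTER_LOG)
    print("expected:", dict(result["expected"]))
    print("probes:  ", dict(result["probes"]))
```

Anything in the "probes" bucket reached the LAN host at the TCP level; whether it got past VNC authentication is only answerable from the VNC server's own logs, as StuartMW notes.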
jaynick (lit up, Premium) join:2001-02-06 Sterling Heights, MI kudos:2
said by dave: said by jaynick: I just thought I'd see the word attempt or blocked or something like that instead of just LAN access. Wasn't sure what to make of it. Anyway, I'll use one of the other suggested approaches. You are confusing layers. A TCP connection was successfully established. We presume they were not able to log in, but that's not your router's concern.
Thanks, dave, yes I got it now and am headed to a different solution for remote access (ssh).