
jaynick
lit up
Premium Member
join:2001-02-06
Sterling Heights, MI

jaynick to David

Premium Member

to David

Re: How to secure VNC and port 5900

said by David:

did you go with hamachi?

The free version.

not
@comcast.net

not

Anon

Or you could just use LogMeIn Free and be done with it, including having to configure any port forwarding, etc. Easy, secure, and you can even use it on mobile devices if need be. Much better solution than VNC in my opinion.

TheTechGuru
join:2004-03-25
TEXAS

TheTechGuru

Member

Personally I like Remote Desktop over VNC.

mackey
Premium Member
join:2007-08-20

1 recommendation

mackey to jaynick

Premium Member

to jaynick
I'm surprised no one's mentioned the obvious: run it on a random, non-standard port instead of 5900. While it won't keep out someone who's determined or does a full port scan, it will eliminate 99+% of the "drive-bys" which only look at a handful of common ports. I do that with SSH and have fail2ban set up to take care of the few which get through.

/M
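Added example, not part of mackey's post and not fail2ban's own code: a minimal sketch of the "N failures from one address inside a time window" rule that fail2ban-style tools apply to an auth log. The log lines are constructed, the parameter names `maxretry` and `findtime` follow fail2ban's settings, and the `year` argument is an assumption because syslog timestamps carry none.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines in OpenSSH syslog style; the addresses come from
# the reserved documentation ranges.
SAMPLE_LOG = """\
Mar  3 02:14:01 host sshd[811]: Failed password for root from 203.0.113.7 port 40112 ssh2
Mar  3 02:14:05 host sshd[811]: Failed password for invalid user admin from 203.0.113.7 port 40113 ssh2
Mar  3 02:14:09 host sshd[812]: Failed password for root from 203.0.113.7 port 40120 ssh2
Mar  3 02:20:00 host sshd[820]: Failed password for bob from 198.51.100.4 port 51000 ssh2
Mar  3 02:45:00 host sshd[830]: Failed password for bob from 198.51.100.4 port 51010 ssh2
Mar  3 03:30:00 host sshd[840]: Failed password for bob from 198.51.100.4 port 51020 ssh2
Mar  3 03:31:00 host sshd[841]: Accepted publickey for alice from 192.0.2.10 port 52000 ssh2
"""

FAILED = re.compile(
    r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from (\S+) port \d+"
)

def find_offenders(log_text, maxretry=3, findtime=600, year=2024):
    """Map each source IP to the time it reached maxretry failures within
    findtime seconds. Syslog stamps carry no year, so one is assumed."""
    window = timedelta(seconds=findtime)
    recent = defaultdict(deque)   # ip -> timestamps of recent failures
    banned = {}
    for line in log_text.splitlines():
        m = FAILED.match(line)
        if not m:
            continue              # successes and unrelated lines are ignored
        stamp = " ".join(m.group(1).split())   # collapse "Mar  3" padding
        ts = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")
        hits = recent[m.group(2)]
        hits.append(ts)
        while ts - hits[0] > window:           # drop failures outside the window
            hits.popleft()
        if len(hits) >= maxretry:
            banned.setdefault(m.group(2), ts)  # keep the first time it tripped
    return banned

if __name__ == "__main__":
    for ip, when in find_offenders(SAMPLE_LOG).items():
        print(f"ban {ip} (threshold reached {when})")
```

The slow guesser at 198.51.100.4 stays under the default ten-minute window, which is the trade-off a short `findtime` makes.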

Raphion
join:2000-10-14
Samsara

Raphion

Member

RealVNC Enterprise edition can also do this "fail2ban" type thing, has 256 bit AES encryption, and, in spite of the expensive sounding name, is only $50.

Woody79_00
I run Linux am I still a PC?
Premium Member
join:2004-07-08
united state

Woody79_00 to not

Premium Member

to not
I personally would not use LogMeIn for ANYTHING free or not...this is even more true in a business environment.

Security Rule #1: NEVER trust an offsite service to have access or give access to your local LAN period...end of discussion.

Servers that give you and/or workers remote access to the office should be servers hosted and maintained onsite by your IT Department or network administrator.

OpenVPN is not too difficult to set up...LogMeIn is just a lazy insecure way to do something that should be done the right way that is not too hard to set up to begin with. If a person or small business doesn't know how to set up an OpenVPN Server, then they have no business operating or offering remote access to begin with. Spend the money and hire someone who knows how to set one up.

Any security conscious IT person would not use LogMeIn under a business environment and would set up his own secure access method with the hardware and software on site under his/her supervision..and just wouldn't take LogMeIn's word for it....

OpenVPN is pretty easy to set up, there really is no excuse....

My apologies for the rant, but trusting an offsite company with remote access to any LAN I work on just doesn't sit well with me...

Da Geek Kid
join:2003-10-11
::1

Da Geek Kid

Member

A better alternative to LogMeIn is TeamViewer.

not
@comcast.net

not to Woody79_00

Anon

to Woody79_00
said by Woody79_00:

I personally would not use LogMeIn for ANYTHING free or not...this is even more true in a business environment.

Security Rule #1: NEVER trust an offsite service to have access or give access to your local LAN period...end of discussion.

Servers that give you and/or workers remote access to the office should be servers hosted and maintained onsite by your IT Department or network administrator.

OpenVPN is not too difficult to set up...LogMeIn is just a lazy insecure way to do something that should be done the right way that is not too hard to set up to begin with. If a person or small business doesn't know how to set up an OpenVPN Server, then they have no business operating or offering remote access to begin with. Spend the money and hire someone who knows how to set one up.

Any security conscious IT person would not use LogMeIn under a business environment and would set up his own secure access method with the hardware and software on site under his/her supervision..and just wouldn't take LogMeIn's word for it....

OpenVPN is pretty easy to set up, there really is no excuse....

My apologies for the rant, but trusting an offsite company with remote access to any LAN I work on just doesn't sit well with me...

You're living in the past a little bit. The security layer for local password authentication isn't stored on the remote server. The service is trusted and supported by a ton of security conscious people. While I do agree with you to some degree (which is governed by the type of business or security level a client needs), LogMeIn is far more secure and trusted than any other source out there right now. Also, given the fact that this security level comes with a simplistic level of config and operation, makes it even more appealing for the novice user who may need to use something like this for remote access. I've run into a ton of people who end up trying to get RDP or VNC set up and operational and when they do, it's hacked in less than a few days and their systems are used for botnet crap. Fact is this, if you leave a port open on a firewall that responds to an open request and doesn't stealth out the scan, the prober knows what's inside. If they want to really bad, they'll continue to prod and get in one way or another.

Again, there is a time and place for every type of security setup and concern and config, but what applies to the tightest of needs for one scenario doesn't apply to all. And NO, it's not a matter of sacrifice at the expense of comfort. It's a matter of the right solution for the right issue at hand while still maintaining a strong security level.

KA0OUV
Premium Member
join:2010-02-17
Jefferson City, MO

KA0OUV to mackey

Premium Member

to mackey
+1
KA0OUV

KA0OUV to mackey

Premium Member

to mackey
said by mackey:

I'm surprised no one's mentioned the obvious: run it on a random, non-standard port instead of 5900. While it won't keep out someone who's determined or does a full port scan, it will eliminate 99+% of the "drive-bys" which only look at a handful of common ports. I do that with SSH and have fail2ban set up to take care of the few which get through.

/M

+ 1

Woody79_00
I run Linux am I still a PC?
Premium Member
join:2004-07-08
united state

1 recommendation

Woody79_00 to not

Premium Member

to not
I am not living in the past, I just am not comfortable trusting "any" outside entity to provide remote access to my LAN from outside of my control. If I were to offer such services, I would want those services (the hardware) to be on site under my control. Any business should want the same.

With services like LogMeIn, it's an honor system...Why should I trust them? The way things are in the world today...I have no reason to trust them. I don't "personally know" anyone who works for LogMeIn...how do I know I can trust them? Should I take someone else's word for it, who by the way, has never met these people in person face to face either?

Have you met anyone from LogMeIn face to face? Are you sure you can trust them? Do you even know what kind of people they are? How about their ethics? Who runs their data centers? Where are they located? Can I visit the data center I will be using?

These are questions everyone should ask themselves before making such deals, especially when it comes to remote access.

Again...if you're willing to pay money for LogMeIn or any other service, why not spend that money on a consultant who is capable of setting up an OpenVPN Server for you securely and be done with it....in the long run this may even be a cheaper option overall.

At least you will have peace of mind that remote access is controlled on premise, by people you know and have seen their faces, and not hosted somewhere else by someone you have never met before in your life.

Just my 2 cents.

Da Geek Kid
join:2003-10-11
::1

Da Geek Kid

Member

LogMeIn is a free service for personal use unless you want to go big!

mmainprize
join:2001-12-06
Houghton Lake, MI

mmainprize to Woody79_00

Member

to Woody79_00
said by Woody79_00:

I am not living in the past, I just am not comfortable trusting "any" outside entity to provide remote access to my LAN from outside of my control. If I were to offer such services, I would want those services (the hardware) to be on site under my control. Any business should want the same.

With services like LogMeIn, it's an honor system...Why should I trust them? The way things are in the world today...I have no reason to trust them. I don't "personally know" anyone who works for LogMeIn...how do I know I can trust them? Should I take someone else's word for it, who by the way, has never met these people in person face to face either?

Have you met anyone from LogMeIn face to face? Are you sure you can trust them? Do you even know what kind of people they are? How about their ethics? Who runs their data centers? Where are they located? Can I visit the data center I will be using?

These are questions everyone should ask themselves before making such deals, especially when it comes to remote access.

Again...if you're willing to pay money for LogMeIn or any other service, why not spend that money on a consultant who is capable of setting up an OpenVPN Server for you securely and be done with it....in the long run this may even be a cheaper option overall.

At least you will have peace of mind that remote access is controlled on premise, by people you know and have seen their faces, and not hosted somewhere else by someone you have never met before in your life.

Just my 2 cents.

Right On.

Every time I think about one of these types of services I think about the same things you just listed.
I do not want to give my login info to any site.
Even the VPN services sites, you never know who might be watching your traffic at the service.
You had better trust any service you deal with. I was given a free one-year account at CyberGhost, a VPN service, but have not used it because I don't trust it or the source I got it from.

It is like all the people that do their taxes online at some web site. Now you hear that many find that tax refunds have already been sent out to fake filers before the real person filed their taxes; where do you think they got all the info to file a tax return in your name?
I have always used OpenSSH but now just upgraded to Windows 8 and need to find new software that is compatible with Windows 8. I don't travel much so the need to connect is less these days so I have some time.

RickNY
Premium Member
join:2000-11-02
Bellport, NY

RickNY to mackey

Premium Member

to mackey
said by mackey:

I'm surprised no one's mentioned the obvious: run it on a random, non-standard port instead of 5900.

Security through obscurity... The SSH route is the best way to go. Additionally, SSH will provide the end user with some other valuable perks such as SFTP/SCP for file transfers. Additionally, you can use SSHD as a SOCKS proxy, effectively giving you a VPN for anything else.

You will get a lot of drive-bys on SSH -- probably more than you would with VNC.. But properly secured with public key authentication and password authentication disabled, you'd have a very secure system.
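Added example, not part of RickNY's post: a small audit of an `sshd_config` for the setup described above (public key authentication on, password authentication off). It goes one step beyond the post by also checking keyboard-interactive authentication, which can still accept passwords through PAM; the sample configs are constructed, and `Include` files and `Match all` are not handled.

```python
import re

# sshd defaults for the three keywords checked (OpenSSH's documented defaults).
DEFAULTS = {"passwordauthentication": "yes",
            "kbdinteractiveauthentication": "yes",
            "pubkeyauthentication": "yes"}
# Deprecated alias still found in older configs.
ALIASES = {"challengeresponseauthentication": "kbdinteractiveauthentication"}

# Constructed sample configs, not taken from the thread.
WEAK = """\
Port 22022
#PasswordAuthentication no
PasswordAuthentication yes
PasswordAuthentication no
"""
HARDENED = """\
Port 22022
PubkeyAuthentication yes
PasswordAuthentication no
KbdInteractiveAuthentication no
"""

def audit_sshd_config(text):
    """Return a list of findings; an empty list means key-only logins."""
    effective, findings, in_match = {}, [], False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        key = ALIASES.get(parts[0].lower(), parts[0].lower())
        has_value = len(parts) > 1 and parts[1]
        value = parts[1].split()[0].strip('"').lower() if has_value else ""
        if key == "match":
            in_match = True          # later lines apply only conditionally
        elif key in DEFAULTS and in_match:
            if key != "pubkeyauthentication" and value == "yes":
                findings.append(f"Match block enables {key}")
        elif key in DEFAULTS:
            effective.setdefault(key, value)   # sshd keeps the first value it sees
    settings = {**DEFAULTS, **effective}
    for key in ("passwordauthentication", "kbdinteractiveauthentication"):
        if settings[key] != "no":
            findings.append(f"{key} is '{settings[key]}', passwords may be accepted")
    if settings["pubkeyauthentication"] != "yes":
        findings.append("pubkeyauthentication is off, key logins will fail")
    return findings
```

In `WEAK` the later `PasswordAuthentication no` has no effect because the first value for a keyword wins, which is the kind of mistake a quick read of the file misses.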

not
@comcast.net

not to mmainprize

Anon

to mmainprize


said by mmainprize:

Right On.

Every time I think about one of these types of services I think about the same things you just listed.
I do not want to give my login info to any site.
Even the VPN services sites, you never know who might be watching your traffic at the service.
You had better trust any service you deal with. I was given a free one-year account at CyberGhost, a VPN service, but have not used it because I don't trust it or the source I got it from.

It is like all the people that do their taxes online at some web site. Now you hear that many find that tax refunds have already been sent out to fake filers before the real person filed their taxes; where do you think they got all the info to file a tax return in your name?
I have always used OpenSSH but now just upgraded to Windows 8 and need to find new software that is compatible with Windows 8. I don't travel much so the need to connect is less these days so I have some time.

Now you actually have a good point. You have good cause to be wary of VPN tunneling services. The reason being, ALL traffic pumped through that gateway can be sniffed once it's outside the VPN tunnel (i.e. the traffic is only secured between your PC and the VPN endpoint). Once it's past that, it is still on the local network of the VPN provider and must go through their Internet Gateway to get to your requested site, so all they have to do is just sniff your traffic between the VPN server and their Internet Gateway. Simple, so you have a point for this type of service and I agree with you. I wouldn't trust them either.