mackey
Premium Member
join:2007-08-20

1 recommendation

mackey to jaynick


Re: How to secure VNC and port 5900

I'm surprised no one's mentioned the obvious: run it on a random, non-standard port instead of 5900. While it won't keep out someone who's determined or does a full port scan, it will eliminate 99+% of the "drive-bys" which only look at a handful of common ports. I do that with SSH and have fail2ban set up to take care of the few which get through.

/M

Raphion
join:2000-10-14
Samsara

Member

RealVNC Enterprise edition can also do this "fail2ban" type thing, has 256-bit AES encryption, and, in spite of the expensive-sounding name, is only $50.

KA0OUV
Premium Member
join:2010-02-17
Jefferson City, MO

KA0OUV to mackey

+1

KA0OUV to mackey

said by mackey:

I'm surprised no one's mentioned the obvious: run it on a random, non-standard port instead of 5900. While it won't keep out someone who's determined or does a full port scan, it will eliminate 99+% of the "drive-bys" which only look at a handful of common ports. I do that with SSH and have fail2ban set up to take care of the few which get through.

/M

+ 1

RickNY
Premium Member
join:2000-11-02
Bellport, NY

RickNY to mackey

said by mackey:

I'm surprised no one's mentioned the obvious: run it on a random, non-standard port instead of 5900.

Security through obscurity... The SSH route is the best way to go. Additionally, SSH will provide the end user with some other valuable perks such as SFTP/SCP for file transfers. Additionally, you can use SSHD as a SOCKS proxy, effectively giving you a VPN for anything else.

You will get a lot of drive-bys on SSH -- probably more than you would with VNC. But properly secured with public key authentication and password authentication disabled, you'd have a very secure system.
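
Added example, not part of RickNY's post or the thread: a Python check of an `sshd_config` for the key-only setup described above (public key authentication on, password prompts off). It assumes upstream OpenSSH defaults for absent keywords; the sample config, its port and its address range are constructed.

```python
import re

# Upstream OpenSSH defaults for absent keywords (assumption: distro builds may differ).
DEFAULTS = {"passwordauthentication": "yes",
            "kbdinteractiveauthentication": "yes",
            "pubkeyauthentication": "yes"}
# Older configs use the deprecated name for keyboard-interactive authentication.
ALIASES = {"challengeresponseauthentication": "kbdinteractiveauthentication"}


def parse(config_text):
    """Map (scope, keyword) -> value; scope is None for global, else Match criteria."""
    settings, scope = {}, None
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":
            scope = value  # following lines apply only when this Match is true
            continue
        key = ALIASES.get(key, key)
        if key in DEFAULTS:
            # sshd keeps the first value it reads for a keyword; later lines lose.
            settings.setdefault((scope, key), value.strip('"').lower())
    return settings


def audit(config_text):
    """Return findings for a key-only setup: pubkey on, password prompts off."""
    settings = parse(config_text)
    glob = {k: settings.get((None, k), d) for k, d in DEFAULTS.items()}
    findings = []
    if glob["pubkeyauthentication"] != "yes":
        findings.append("global: PubkeyAuthentication is off")
    for key in ("passwordauthentication", "kbdinteractiveauthentication"):
        if glob[key] != "no":
            findings.append(f"global: {key} is on")
    for (scope, key), value in settings.items():
        if scope is not None and key != "pubkeyauthentication" and value != "no":
            findings.append(f"Match {scope}: {key} is on")
    return findings


# Constructed sample: the later "no" loses to the earlier "yes", and a Match
# block turns password logins back on for one address range.
SAMPLE = ("Port 2222\nPasswordAuthentication yes\nKbdInteractiveAuthentication no\n"
          "PasswordAuthentication no\nMatch Address 192.0.2.0/24\n"
          "    PasswordAuthentication yes\n")
```

The check reads a single file and does not follow `Include` directives; `sshd -T` prints the configuration the running build actually resolves.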