exit151
@cox.net
Anon

VNC attacks

Hey all.. I would like some help
For over a month now, someone(s) at a couple different IP's have been trying to hack my ultraVNC. I know this because the event viewer is full of failed attempts from 'blocks' of IP's (meaning there are say, 5 attempts with a.a.a.a an hour later 5 attempt from b.b.b.b, etc.. All day long. I know it's being done through linux boxes because I've tried to SSH to that IP and it gives me a log in, not being a hacker of course though, there's nothing to do.. Wondering if there's anything I can do. Reporting them to an ISP doesn't seem like it's going to be effective, and while I'm making an assumption here, I'm going to guess the responsible party is probably illegally remoting to those PC's from somewhere else anyhow.

So what can I do? (Aside from the obvious, changing my VNC port number, because in doing that I'm still going to have some moron and his tool hammering my IP all day/night long, probably trying to guess my new VNC port.) Comments/ideas welcome!
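The event-viewer pattern described above (a short burst of failed VNC logins from one address, then another burst from a different address an hour later) can be pulled out of a log automatically. The following is an added example and is not code from this thread or from UltraVNC: it parses constructed log lines in a hypothetical format (UltraVNC's real log layout is not shown here, so the regular expression is the part to adapt) and flags any source address that produces a configurable number of failures inside a short window, which is the list a defender would feed to a firewall block rule or an abuse report.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines in a hypothetical format (TEST-NET addresses).
# UltraVNC's real log layout differs; LINE_RE is what you would adapt.
SAMPLE_LOG = """\
2013-05-01 02:10:03 VNC auth failed from 203.0.113.7
2013-05-01 02:10:05 VNC auth failed from 203.0.113.7
2013-05-01 02:10:08 VNC auth failed from 203.0.113.7
2013-05-01 02:10:11 VNC auth failed from 203.0.113.7
2013-05-01 02:10:14 VNC auth failed from 203.0.113.7
2013-05-01 03:15:40 VNC auth failed from 198.51.100.21
2013-05-01 03:15:43 VNC auth failed from 198.51.100.21
2013-05-01 03:15:46 VNC auth failed from 198.51.100.21
2013-05-01 03:15:49 VNC auth failed from 198.51.100.21
2013-05-01 03:15:52 VNC auth failed from 198.51.100.21
2013-05-01 09:00:00 VNC auth failed from 192.0.2.5
2013-05-01 09:30:00 VNC auth succeeded from 192.0.2.5
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r"VNC auth (?P<result>failed|succeeded) from (?P<ip>[\d.]+)$"
)


def parse_failures(text):
    """Extract (timestamp, source_ip) for every failed authentication line."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or m.group("result") != "failed":
            continue
        ts = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S")
        events.append((ts, m.group("ip")))
    return events


def find_bursts(events, threshold=5, window=timedelta(minutes=1)):
    """Flag source IPs with at least `threshold` failures inside any `window`.

    A sliding window per address catches the short bursts the poster describes
    while ignoring a lone typo from a legitimate user.
    Returns {ip: largest_burst_size}.
    """
    by_ip = defaultdict(list)
    for ts, ip in events:
        by_ip[ip].append(ts)
    flagged = {}
    for ip, times in by_ip.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            # Advance the window start until it fits inside `window`.
            while t - times[start] > window:
                start += 1
            size = end - start + 1
            if size >= threshold:
                flagged[ip] = max(flagged.get(ip, 0), size)
    return flagged


def summarize(text, threshold=5, window=timedelta(minutes=1)):
    """Total failures per source plus the subset that qualifies as a burst."""
    events = parse_failures(text)
    totals = defaultdict(int)
    for _, ip in events:
        totals[ip] += 1
    return {
        "total_failures": dict(totals),
        "burst_sources": find_bursts(events, threshold, window),
    }


if __name__ == "__main__":
    report = summarize(SAMPLE_LOG)
    for ip, n in sorted(report["total_failures"].items()):
        tag = " <-- burst" if ip in report["burst_sources"] else ""
        print(f"{ip}: {n} failed attempt(s){tag}")
```

On the constructed sample the two scanner addresses are flagged (five failures each in under fifteen seconds) while the single failure from 192.0.2.5 is not; adjust `threshold` and `window` to the noise level you actually see before acting on the flagged list.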
WeenieAlso
join:2002-01-29
Pasadena, MD
Member


Not sure if this helps, but on my Linux box I only allow specific IP ranges to connect and block everything else. You could look into blocking specific countries if a particular country is most of your attackers, that is, if you cannot refine the addresses allowed in.

NetFixer
From My Cold Dead Hands
Premium Member
join:2004-06-24
The Boro
Netgear CM500
Pace 5268AC
TRENDnet TEW-829DRU

NetFixer to exit151
said by exit151 :

So what can I do? (Aside from the obvious, changing my VNC port number, because in doing that I'm still going to have some moron and his tool hammering my IP all day/night long, probably trying to guess my new VNC port.) Comments/ideas welcome!

You might try not exposing your VNC host(s) to the Internet at all. Block the VNC port(s) at your perimeter firewall, and only allow LAN or VPN access to VNC host(s). Of course, you will still have constant hammering of the VPN port(s), but that is life on the Internet.

You can't control who knocks on your door on the Internet, you can only control who you allow in. However, if you can stop them at the front gate, then that is at least one more barrier to be breached before they reach your front door.

sivran
Vive Vivaldi
Premium Member
join:2003-09-15
Irving, TX

2 recommendations

sivran to exit151
Who says they're running Linux? Even Windows boxes can run an sshd.

Speaking of SSH, if this is a home network, why not just only expose an SSH port and use tunneling to access the VNCs on your lan? Or if you want to get fancy, set up a VPN.

And.. who cares if some moron pokes at your closed ports all day and night? Ignore it. More than likely you're just getting automated scans, not smart enough to look for services on other ports. When I moved my SSH port, all attempts to hack it stopped. It's been years without a peep. There may still be probes hitting 22, but I don't care, that port will never again open to the outside.

Edit: Or what NetFixer said. I composed my post assuming you actually wanted these services available outside. If that's not the case by all means, don't expose them.
HarryH3
Premium Member
join:2005-02-21

HarryH3 to exit151
As stated above, don't expose your VNC ports to the outside.

A few options:

Set up a VPN server for remote access. This lets you securely connect to your LAN from anywhere, and then you connect to VNC. I use OpenVPN on a router running Tomato firmware and have it configured to connect ONLY with devices that hold the correct certificate. There's a good tutorial here: »www.serverwatch.com/tuto ··· rt-1.htm

Use something like TeamViewer, LogMeIn or Hamachi and set up unattended access.

Changing the default port, as sivran suggested, will foil the majority of attempts, as most hackers only scan for default ports.

workablob
join:2004-06-09
Houston, TX

workablob to exit151
Member
I used to expose my VNC or RDP on my PC so I could remote in from work.

Now I use LogMeIn FREE.

TeamViewer is another excellent alternative to VNC.

That will thwart the attackers.

Dave
TheMG
Premium Member
join:2007-09-04
Canada
MikroTik RB450G
Cisco DPC3008
Cisco SPA112

TheMG to exit151
They're most likely zombies (infected computers part of a botnet) attempting dictionary attacks on whatever active VNC ports are found.

There's a lot of this stuff going on and it's not just VNC, they attack SSH, VPN, and many other services.

Thus the importance of having a secure password. Unfortunately the dictionary attacks on a wide scale are quite effective because many people use default passwords or very simple passwords.

As long as you've got a good secure password, the dictionary attacks are nothing more than a nuisance in the log files and nothing to be too concerned about. Happens all the time.

To get rid of the nuisance, an effective method is to run the service on a non-standard port. Most of the time these attacks won't go through the trouble of scanning every single port on a host, they just poke at some common ports and hope to find one of them open.

That being said, you can add an extra layer of security by setting up a VPN service and not exposing the VNC service to the internet, as other posters have recommended.

exit151 to workablob
@cox.net
Anon
Thanks for all the replies

Yeah, I do need it for outside use (I VNC in to my Windows box from remote locations, sometimes from a physical PC, other times from an Android tablet). After reading a few replies I decided, as a quick fix, to change the port for the VNC. I like the idea of tunneling or VPN. I do a fair amount of networking and sheepishly admit I've only set up a handful of VPNs (none for myself, though). Going to have to weigh the options and make sure both/either are readily usable by my existing methods (meaning Android devices will still be able to 'get in'). Liked that serverwatch link, though.

Thanks again for all the replies/comments/assistance. Feeling a lot better about the situation now

HA Nut
Premium Member
join:2004-05-13
USA

1 recommendation

HA Nut to exit151
I've become a fan of the LogMeIn / GoToMyPC type apps. They are workable without regard to firewalls and even support things like multiple monitors. We have switched to them where I work and they work quite well...
HELLFIRE
MVM
join:2009-11-25

HELLFIRE to exit151
Good suggestions all around from the respondents.

The takeaway here is basically that if you're going to expose ANY services into your LAN, exit151, you're going to have to a) make sure things are locked down / secured from your end, and b) put up with this, as it is no different from the Internet equivalent of unwanted knocking / ringing of your doorbell.

Regards

Matt W
@optonline.net
Anon

Same thing is happening to me.

I actually prefer to use TightVNC over my Hamachi VPN from work. It runs better than LogMeIn and is faster to open a connection.

Therefore I need to open my ports to forward 5900.

What you can do is configure your TightVNC server to accept connections from your VPN client IP (your Hamachi number) and/or your work IP and no other IPs. That's done in Windows, not on your router, obviously.

Here's a question, though. Do all these dictionary attacks affect my bandwidth at all if they are constantly "pinging" me? I'd love to stop them at the layer 3 level...
HarryH3
Premium Member
join:2005-02-21

said by Matt W :

Therefore I need to open my ports to forward 5900.

Change VNC to a non-standard port and you'll eliminate most of the drive-by scanners.

NetFixer
From My Cold Dead Hands
Premium Member
join:2004-06-24
The Boro
Netgear CM500
Pace 5268AC
TRENDnet TEW-829DRU

NetFixer to Matt W
said by Matt W :

Same thing is happening to me.

I actually prefer to use TightVNC over my Hamachi VPN from work. It runs better than LogMeIn and is faster to open a connection.

Therefore I need to open my ports to forward 5900.

What you can do is configure your TightVNC server to accept connections from your VPN client IP (your Hamachi number) and/or your work IP and no other IPs. That's done in Windows, not on your router, obviously.

Here's a question, though. Do all these dictionary attacks affect my bandwidth at all if they are constantly "pinging" me? I'd love to stop them at the layer 3 level...

If you are actually using a Hamachi VPN as you claim, then the port 5900 forwarding is not required, since the only access to the VNC host is tunneled through the VPN. If you are using a Hamachi VPN and also forwarding port 5900 in your perimeter firewall to the VNC host, then you are creating your own problem.

I use VNC on all of the PC boxes on my network, and I only access them from outside using a VPN. I don't have (or need) port 590x forwarding to any of the VNC hosts. While I do see the occasional port 5900 scan show up in firewall logs, there is no possibility of a dictionary attack, because that would require access to the VNC host (which does not exist). There is a big difference (both for security concerns and bandwidth usage) between someone rattling your outside gate (a port scan) and someone who is already in your home rummaging through your belongings (a dictionary attack).
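Matt W's TightVNC source-address restriction and NetFixer's perimeter rule are the same decision made in two different places: a connection to a VNC port is accepted only if it comes from the LAN or from the VPN client subnet, and everything else is dropped before it ever reaches the password prompt, which is exactly the "gate versus inside the house" distinction NetFixer draws. The following is an added example that models that decision; it is not code from this thread or from any VNC or firewall product, and the LAN range 192.168.1.0/24, the VPN client subnet 10.8.0.0/24 and the port range 5900-5909 are assumed values.

```python
import ipaddress

# Assumed policy values, not taken from the thread.
VNC_PORTS = range(5900, 5910)                  # the "590x" display ports
ALLOWED_SOURCES = [
    ipaddress.ip_network("192.168.1.0/24"),    # assumed LAN
    ipaddress.ip_network("10.8.0.0/24"),       # assumed VPN client subnet
]


def vnc_access_decision(src_ip, dst_port, allowed=ALLOWED_SOURCES):
    """Decide what happens to one inbound connection.

    Returns 'allow' for a VNC port from an allowed network, 'drop' for a VNC
    port from anywhere else (including unparsable addresses), and 'n/a' for
    non-VNC ports, which this policy does not cover.
    """
    if dst_port not in VNC_PORTS:
        return "n/a"
    try:
        addr = ipaddress.ip_address(src_ip)
    except ValueError:
        return "drop"
    # An IPv6 source tested against an IPv4 network simply yields False,
    # so it falls through to 'drop' rather than raising.
    return "allow" if any(addr in net for net in allowed) else "drop"


def apply_policy(attempts, allowed=ALLOWED_SOURCES):
    """Run a batch of (src_ip, dst_port) pairs through the policy.

    Returns the sources that reached the VNC service and those stopped at the
    filter; only the former could ever attempt a password guess.
    """
    reached, stopped = [], []
    for src, port in attempts:
        decision = vnc_access_decision(src, port, allowed)
        if decision == "allow":
            reached.append(src)
        elif decision == "drop":
            stopped.append(src)
    return {"reached_vnc": reached, "stopped_at_filter": stopped}


# Constructed sample of inbound connection attempts (TEST-NET addresses).
SAMPLE_ATTEMPTS = [
    ("192.168.1.20", 5900),   # LAN workstation
    ("10.8.0.6", 5900),       # VPN client
    ("203.0.113.7", 5900),    # Internet scanner
    ("198.51.100.21", 5901),  # Internet scanner, second display
    ("203.0.113.7", 443),     # not a VNC port, outside this policy
]

if __name__ == "__main__":
    for name, sources in apply_policy(SAMPLE_ATTEMPTS).items():
        print(f"{name}: {sources}")
```

Whether the rule lives in the perimeter router (where a drop costs nothing beyond the SYN that arrived) or in the VNC server's own allow list (where the TCP handshake completes first), the scanner addresses in the sample never get to exchange a VNC authentication message, so the log noise and the dictionary-attack exposure disappear together.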
NetFixer to HarryH3
Premium Member
said by HarryH3:

said by Matt W :

Therefore I need to open my ports to forward 5900.

Change VNC to a non-standard port and you'll eliminate most of the drive-by scanners.

Or he could actually use the Hamachi VPN as he claims to be doing, and eliminate any port forwarding in his perimeter router to his VNC host. If Matt W is using a Hamachi VPN and also forwarding port 5900 to his VNC host, then he is creating his own problem.

Trihexagonal5
join:2004-08-29
US

Trihexagonal5 to NetFixer
Member
said by NetFixer:

While I do see the occasional port 5900 scan show up in firewall logs, there is no possibility of a dictionary attack, because that would require access to the VNC host (which does not exist).

I get several random probes to TCP port 5900 on a daily basis. I don't have that service running so I don't pay them any mind.