

exit151

@cox.net

vnc attacks..

Hey all.. I would like some help
For over a month now, someone(s) at a couple of different IPs have been trying to hack my UltraVNC. I know this because the event viewer is full of failed attempts from 'blocks' of IPs (meaning there are, say, 5 attempts from a.a.a.a, an hour later 5 attempts from b.b.b.b, etc.). All day long. I know it's being done through Linux boxes because I've tried to SSH to that IP and it gives me a login; not being a hacker of course, though, there's nothing to do.. Wondering if there's anything I can do. Reporting them to an ISP doesn't seem like it's going to be effective, and while I'm making an assumption here, I'm going to guess the responsible party is probably illegally remoting to those PCs from somewhere else anyhow.

So what can I do? (Aside from the obvious, changing my VNC port number, because in doing that I'm still going to have some moron and his tool hammering my IP all day/night long, probably trying to guess my new VNC port...) Comments/ideas welcome!

WeenieAlso

join:2002-01-29
Pasadena, MD
Not sure if this helps, but on my Linux box I only allow specific IP ranges to connect and block everything else. You could look into blocking specific countries if a particular country is the source of most of your attackers, that is, if you cannot refine the addresses allowed in.


NetFixer
Bah Humbug
Premium
join:2004-06-24
The Boro
reply to exit151
said by exit151 :

So what can I do? (Aside from the obvious, changing my VNC port number, because in doing that I'm still going to have some moron and his tool hammering my IP all day/night long, probably trying to guess my new VNC port...) Comments/ideas welcome!

You might try not exposing your VNC host(s) to the Internet at all. Block the VNC port(s) at your perimeter firewall, and only allow LAN or VPN access to VNC host(s). Of course, you will still have constant hammering of the VPN port(s), but that is life on the Internet.

You can't control who knocks on your door on the Internet, you can only control who you allow in. However, if you can stop them at the front gate, then that is at least one more barrier to be breached before they reach your front door.
--
A well-regulated militia, being necessary to the security of a free State, the right of the people to keep and bear arms shall not be infringed.

When governments fear people, there is liberty. When the people fear the government, there is tyranny.


sivran
Seamonkey's back
Premium
join:2003-09-15
Irving, TX
kudos:1

2 recommendations

reply to exit151
Who says they're running Linux? Even Windows boxes can run an sshd.

Speaking of SSH, if this is a home network, why not just expose only an SSH port and use tunneling to access the VNCs on your LAN? Or if you want to get fancy, set up a VPN.

And.. who cares if some moron pokes at your closed ports all day and night? Ignore it. More than likely you're just getting automated scans, not smart enough to look for services on other ports. When I moved my SSH port, all attempts to hack it stopped. It's been years without a peep. There may still be probes hitting 22, but I don't care, that port will never again open to the outside.

Edit: Or what NetFixer said. I composed my post assuming you actually wanted these services available outside. If that's not the case, by all means, don't expose them.

--
Think Outside the Fox.

HarryH3
Premium
join:2005-02-21
kudos:3
reply to exit151
As stated above, don't expose your VNC ports to the outside.

A few options:

Set up a VPN server for remote access. This lets you securely connect to your LAN, from anywhere, and then you connect to VNC. I use OpenVPN on a router running Tomato firmware and have it configured to connect ONLY with devices that hold the correct certificate. There's a good tutorial here: »www.serverwatch.com/tutorials/ar···rt-1.htm

Use something like TeamViewer, LogMeIn or Hamachi and set up unattended access.

Changing the default port, as sivran suggested, will foil a majority of attempts, as most hackers only scan for default ports.


workablob

join:2004-06-09
Houston, TX
kudos:4
reply to exit151
I used to expose my VNC or RDP on my PC so I could remote in from work.

Now I use LogMeIn FREE.

TeamViewer is another excellent alternative to VNC.

That will thwart the attackers.

Dave
--
I may have been born yesterday. But it wasn't at night.

TheMG
Premium
join:2007-09-04
Canada
kudos:3
reply to exit151
They're most likely zombies (infected computers part of a botnet) attempting dictionary attacks on whatever active VNC ports are found.

There's a lot of this stuff going on and it's not just VNC, they attack SSH, VPN, and many other services.

Thus the importance of having a secure password. Unfortunately the dictionary attacks on a wide scale are quite effective because many people use default passwords or very simple passwords.

As long as you've got a good secure password, the dictionary attacks are nothing more than a nuisance in the log files and nothing to be too concerned about. Happens all the time.

To get rid of the nuisance, an effective method is to run the service on a non-standard port. Most of the time these attacks won't go through the trouble of scanning every single port on a host, they just poke at some common ports and hope to find one of them open.

That being said, you can add an extra layer of security by setting up a VPN service and not exposing the VNC service to the internet, as other posters have recommended.


exit151

@cox.net
reply to workablob
Thanks for all the replies

Yeah, I do need it for outside use (I VNC in to my Windows box from remote locations, sometimes from a physical PC, other times from an Android tablet). After reading a few replies I decided, as a quick fix, to change the port for the VNC. I like the idea of tunneling or VPN; I do a fair amount of networking and sheepishly admit I've only set up a handful of VPNs (none for myself, though). Going to have to weigh the options and make sure both/either are readily usable by my existing methods (meaning Android devices will still be able to 'get in'). Liked that serverwatch link, though.

Thanks again for all the replies/comments/assistance. Feeling a lot better about the situation now


HA Nut
Premium
join:2004-05-13
USA

1 recommendation

reply to exit151
I've become a fan of the LogMeIn / GoToMyPC type apps. They are workable without regard to firewalls and even support things like multiple monitors. We have switched to them where I work and they work quite well...

HELLFIRE
Premium
join:2009-11-25
kudos:18
reply to exit151
Good suggestions all around from the respondents.

The takeaway here is basically if you're going to expose ANY services into your LAN, exit151, you're going to have to a) make sure things are locked down / secured from your end, and b) put up with this, as this is no different than the Internet equivalent of unwanted knocking / ringing of your doorbell.

Regards


Matt W

@optonline.net
Same thing is happening to me.

I actually prefer to use TightVNC over my Hamachi VPN from work. It runs better than LogMeIn and is faster to open a connection.

Therefore I need to open my ports to forward 5900.

What you can do is configure your TightVNC server to accept connections from your VPN client IP (your Hamachi number) and/or your work IP and no other IPs. That's done in Windows, not on your router, obviously.

Here's a question, though. Do all these dictionary attacks affect my bandwidth at all if they are constantly "pinging" me? I'd love to stop them at the layer 3 level...
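Matt W's allow-list idea above, together with TheMG's point that these are bot dictionary attacks arriving in bursts, as an added Python example (not code from any poster, nor from the UltraVNC or TightVNC projects): it parses a constructed failed-auth log in a made-up line format, groups attempts into per-source bursts like the 'blocks' exit151 describes, and separates outside sources worth blocking at the perimeter from failures that come from the VPN subnet or work address, which deserve a look rather than a block. The log format, the allowed ranges and every address are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta
import ipaddress
import re
# Constructed sample log; the line format is an assumption made for this
# example, not UltraVNC's or TightVNC's real log format.
SAMPLE_LOG = """\
2012-03-01 02:10:01 auth failed from 203.0.113.10
2012-03-01 02:10:05 auth failed from 203.0.113.10
2012-03-01 02:10:09 auth failed from 203.0.113.10
2012-03-01 03:20:02 auth failed from 198.51.100.20
2012-03-01 03:20:06 auth failed from 198.51.100.20
2012-03-01 04:00:30 auth failed from 10.8.0.5
2012-03-01 09:15:00 auth failed from 203.0.113.10
"""
# Sources expected to reach VNC: the VPN client subnet and one work address
# (constructed values; substitute your own).
ALLOWED = [ipaddress.ip_network("10.8.0.0/24"),
           ipaddress.ip_network("198.51.100.7/32")]
LINE_RE = re.compile(r"^(\S+ \S+) auth failed from (\S+)$")

def parse_failures(log):
    """Return (timestamp, source address) for each failed-auth line, in file order."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append((datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S"),
                           ipaddress.ip_address(m.group(2))))
    return events

def bursts_by_source(events, gap=timedelta(minutes=10)):
    """Group attempts into bursts: same source, each attempt within gap of the last."""
    bursts, last_seen = defaultdict(list), {}   # ip -> [burst sizes], ip -> last time
    for ts, ip in events:
        if ip in last_seen and ts - last_seen[ip] <= gap:
            bursts[ip][-1] += 1                 # continues the current burst
        else:
            bursts[ip].append(1)                # starts a new burst
        last_seen[ip] = ts
    return bursts

def triage(log, allowed=ALLOWED, threshold=3):
    """Outside sources with >= threshold failures are block candidates; failures from
    allowed sources are listed separately (a typo, or a compromised VPN client)."""
    outside, inside = {}, {}
    for ip, sizes in bursts_by_source(parse_failures(log)).items():
        bucket = inside if any(ip in net for net in allowed) else outside
        bucket[str(ip)] = sum(sizes)
    return {"block_candidates": sorted(ip for ip, n in outside.items() if n >= threshold),
            "allowed_failures": inside}
```

With the sample, 203.0.113.10 shows two bursts (3 then 1) and is the only block candidate; 198.51.100.20 stays below the threshold, and the single failure from the VPN subnet is reported on its own. As NetFixer notes below, none of this is needed once port 5900 is no longer forwarded at the perimeter.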

HarryH3
Premium
join:2005-02-21
kudos:3
said by Matt W :

Therefore I need to open my ports to forward 5900.

Change VNC to a non-standard port and you'll eliminate most of the drive-by scanners.


NetFixer
Bah Humbug
Premium
join:2004-06-24
The Boro
reply to Matt W
said by Matt W :

Same thing is happening to me.

I actually prefer to use TightVNC over my Hamachi VPN from work. It runs better than LogMeIn and is faster to open a connection.

Therefore I need to open my ports to forward 5900.

What you can do is configure your TightVNC server to accept connections from your VPN client IP (your Hamachi number) and/or your work IP and no other IPs. That's done in Windows, not on your router, obviously.

Here's a question, though. Do all these dictionary attacks affect my bandwidth at all if they are constantly "pinging" me? I'd love to stop them at the layer 3 level...

If you are actually using a Hamachi VPN as you claim, then the port 5900 forwarding is not required, since the only access to the VNC host is tunneled through the VPN. If you are using a Hamachi VPN and also forwarding port 5900 in your perimeter firewall to the VNC host, then you are creating your own problem.

I use VNC on all of the PC boxes on my network, and I only access them from outside using a VPN. I don't have (or need) port 590x forwarding to any of the VNC hosts. While I do see the occasional port 5900 scan show up in firewall logs, there is no possibility of a dictionary attack, because that would require access to the VNC host (which does not exist). There is a big difference (both for security concerns and bandwidth usage) in someone rattling your outside gate (a port scan), and someone who is already in your home rummaging through your belongings (a dictionary attack).


NetFixer
Bah Humbug
Premium
join:2004-06-24
The Boro
reply to HarryH3
said by HarryH3:

said by Matt W :

Therefore I need to open my ports to forward 5900.

Change VNC to a non-standard port and you'll eliminate most of the drive-by scanners.

Or he could actually use the Hamachi VPN as he claims to be doing, and eliminate any port forwarding in his perimeter router to his VNC host. If Matt W is using a Hamachi VPN and also forwarding port 5900 to his VNC host, then he is creating his own problem.


Trihexagonal

join:2004-08-29
US
reply to NetFixer
said by NetFixer:

While I do see the occasional port 5900 scan show up in firewall logs, there is no possibility of a dictionary attack, because that would require access to the VNC host (which does not exist).

I get several random probes to TCP port 5900 on a daily basis. I don't have that service running so I don't pay them any mind.