
#1 2020-02-15 01:47:46

laanan
Member
Registered: 2020-01-25
Posts: 21

How to _Safely_ use VNC

Hi folks,

Still getting my sea legs here and learning a lot. I am wondering if someone can set me straight about the right way to securely use a vnc server.

My goal is to have a duplicate desktop view from work to home so I can see my files and use programs on my home laptop without having to lug it to work.

I got vncserver working, but then found out it can't/doesn't duplicate the desktop, so I switched to x11vnc, which supposedly can.

What I am worried about is, if I have port forwarding going to forward to x11vnc, doesn't that open me up to security problems? I have an SSL tunnel that works, but I am not sure how to make sure the x11vnc is only accepting traffic through the tunnel.

Am I correct in thinking that the port I should have x11vnc listen to is the local port which is "established" for the SSL tunnel? In other words, if I run the netstat command, I can see the tunnel local address and foreign address listed. My thinking is that x11vnc should listen on the local address port listed.

Thank you for any guidance!

--laanan


#2 2020-02-15 08:57:39

iMBeCil
WAAAT?
From: Edrychwch o'ch cwmpas
Registered: 2015-09-29
Posts: 757

Re: How to _Safely_ use VNC

From my memory:

Server (computer you want to connect to):
- requirements: ssh server, vnc server
- configure vnc to accept connections only from local host (important!)
- note the port (5900, 5901?) vnc will listen to
- configure ssh server so you can normally connect to it

Client (computer you are sitting at):
- requirements: ssh client, vnc client
- be sure you can normally connect with ssh to the server
- make an ssh tunnel with command: 'ssh -L 5901:localhost:5901 REMOTE_IP' - leave it open
- fire up vnc client and connect to 'localhost:5901' (note 'localhost', not foreign address)

Here is a good explanation for linux based computers. And here is one for MSWin computers.

As for the actual vnc software, I'm not really sure which one is the most suitable for linux. But I think it is all the same, as long as you can make required configuration (for example, make it listen to local host only).

SSH software should be 'standard' openssh, at least on linux.

HTH


Postpone all your duties; if you die, you won't have to do them ..


#3 2020-02-15 17:20:51

laanan
Member
Registered: 2020-01-25
Posts: 21

Re: How to _Safely_ use VNC

@iMBeCil, thanks that all makes sense. If the ssh tunnel is up and running on port 5901, does that prevent other apps/outside sources of data from using that same port? I ask because, when I first ran x11vnc, it showed me that another ip address was trying to connect on 5901. The connection was unsuccessful because of the password I set, but it was some random ip from Brazil, which was both surprising and scary...


#4 2020-02-15 19:15:47

iMBeCil
WAAAT?
From: Edrychwch o'ch cwmpas
Registered: 2015-09-29
Posts: 757

Re: How to _Safely_ use VNC

laanan wrote:

@iMBeCil, thanks that all makes sense. If the ssh tunnel is up and running on port 5901, does that prevent other apps/outside sources of data from using that same port? I ask because, when I first ran x11vnc, it showed me that another ip address was trying to connect on 5901. The connection was unsuccessful because of the password I set, but it was some random ip from Brazil, which was both surprising and scary...

This unauthorized login attempt from Brazil to get into your vnc server is the reason to configure vnc server to listen to the localhost only! (In this context, localhost is the host on which vnc server is installed). Vnc server should not listen to any IP address except localhost (or 127.0.0.1). Please, see help page for x11vnc how to do this. (I have no idea how to configure x11vnc, or if this is possible at all with x11vnc - I have never used it.) Do not rely on already connected client!

Furthermore, you should change the port to which vncserver listens. For example, instead of 5901, you could make it for example 33256. The rationale: port 5901 is known to be for vnc servers, and all bots/IP-scanners search for well known ports; they don't bother to check all available ports, and ports above 1024 are seldom used in standardized fashion (i.e. are used only by very specific applications). If you do this, then your ssh tunnel would be something like this:

$ ssh -L 5901:localhost:33256 REMOTE_IP

(On Client computer, you would fire up vnc client and connect to 'localhost:5901'.) A bit of explanation:
- 5901 = this is port on your client computer
- 33256 = this is port on your vnc server computer
- above command says: tunnel all traffic on port 5901 on my client comp, through port 33256 on server computer (one which has vnc server)
- effectively: the vnc client connects to localhost on port 5901 (here, localhost is your client computer), and vnc server accepts only connection and traffic from localhost on port 33256 (here, localhost is actually server computer)
- all traffic between localhost-client and localhost-server is tunneled by ssh

(Let me just say that I have a dozen ssh servers I regularly connect to; since I moved all ssh server ports from well known 22 to some NNNNN port, the brute force bot attacks by random/dictionary username/password have been reduced literally to zero, in the last 10 years.)

To summarize:
1) MANDATORY: configure vnc server to listen to connections from localhost only
2) GOOD PRACTICE: make the vnc server listen to some nonstandard port, like 33256 (max port number is 65535)
3) I would even go so far to say: do not use vnc server for which one cannot configure 1) and 2)
4) Tunnel via ssh

I hope you can understand all this, as I am not so good at English ...

Also, try to grasp the fact that the term 'localhost' is used for two computers: both server and client, and you have to be careful to understand which one is which

EDIT: I have skimmed across x11vnc man page ... it has a lot of options. It even seems to have built-in ssl encryption, which means, you could use x11vnc without ssh tunnel. But, I would recommend changing listening port from 5901, as explained above. (Yet, for myself, I would certainly make an ssh tunnel ... call me paranoiac)

Last edited by iMBeCil (2020-02-15 19:30:02)

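A small check for item 1) of the summary above (and for the original question of how to be sure x11vnc only accepts traffic through the tunnel), added here as an example and not part of the thread: it parses `ss -Hltn` output on the server and reports whether the VNC port is bound to the loopback address only. The sample socket listing is constructed; the x11vnc options `-localhost` and `-rfbport` mentioned in the final message are real x11vnc flags, everything else about your setup is an assumption.

```shell
#!/bin/sh
# Added example: verify that a VNC listener is bound to loopback only,
# using the column layout of `ss -Hltn` (State Recv-Q Send-Q Local:Port Peer:Port).

# vnc_bound_to_loopback_only PORT SS_OUTPUT
# Exit 0 if every listener on PORT is on 127.0.0.1 or [::1];
# exit 1 if any listener is on another address, or if nothing listens on PORT.
vnc_bound_to_loopback_only() {
    port="$1"
    listeners=$(printf '%s\n' "$2" | awk -v p="$port" '
        $1 == "LISTEN" {
            # column 4 is local address:port, e.g. 0.0.0.0:5901, 127.0.0.1:5901, [::1]:5901
            n = split($4, a, ":")
            if (a[n] == p) print $4
        }')
    [ -n "$listeners" ] || return 1
    # any listener whose address is not a loopback address means it is reachable from outside
    printf '%s\n' "$listeners" | grep -qvE '^(127\.0\.0\.1|\[::1\]):' && return 1
    return 0
}

# Constructed sample of `ss -Hltn` output (not captured from a real machine):
# 5901 bound to all interfaces (the exposed setup from the question),
# 33256 bound to IPv4 and IPv6 loopback only (the setup recommended above).
SAMPLE_SS='LISTEN 0 5 0.0.0.0:5901 0.0.0.0:*
LISTEN 0 5 127.0.0.1:33256 0.0.0.0:*
LISTEN 0 5 [::1]:33256 [::]:*
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*'

for p in 5901 33256; do
    if vnc_bound_to_loopback_only "$p" "$SAMPLE_SS"; then
        echo "port $p: loopback only, reachable through the ssh tunnel only"
    else
        echo "port $p: reachable from outside; restart with: x11vnc -localhost -rfbport $p ..."
    fi
done
```

On a live server replace `"$SAMPLE_SS"` with `"$(ss -Hltn)"` and run it after starting x11vnc; the hardened state is the one where only the loopback lines remain.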

#5 2020-02-15 23:34:02

laanan
Member
Registered: 2020-01-25
Posts: 21

Re: How to _Safely_ use VNC

@iMBeCil, thank you for the clear and concise explanation. You put everything in terms I can understand, and you basically consolidated and simplified information and ideas that I was reading across multiple documents. In short, thank you!

Yes, it scared the crap out of me that, immediately, something or someone was bombarding that open port. As far as I can tell, the only thing that saved me was the password set up for the vnc server, although I don't know for sure how to check to see if someone was able to get into my system. x11vnc showed me in real time what was happening, and I checked the logs for vncserver (which I had been using for the past couple days prior) and did not see any successful logins from unknown urls (just the ones I know I was using).

Thanks again for all the help and advice -- this kind of information should really be in any guide explaining how to set up any vnc. My thinking was, what is the likelihood that someone knows that my particular port is open...obviously the answer is very!

Best,

laanan


#6 2020-02-17 08:26:21

iMBeCil
WAAAT?
From: Edrychwch o'ch cwmpas
Registered: 2015-09-29
Posts: 757

Re: How to _Safely_ use VNC

^You're welcome, glad to help

