Securing VNC (fail2ban?)


10 replies to this topic

#1 raindog308 (VPS Enthusiast, Members, 333 posts)

Posted 01 November 2013 - 11:45 AM

I use VNC so I can run some desktop apps on a VPS (chiefly Vuze and Firefox). I'm running Debian and use vnc4server.

Unfortunately, VNC is limited to an 8-character password. And I sometimes log in and find "too many security failures", which means someone has been knocking.

I could set up fail2ban for it, but VNC doesn't write to auth.log or any system log. It's in ~user/.vnc/hostname:X.log. I suppose I could have fail2ban watch that log, but I'm wondering if that's the best way or if there is something easier I'm overlooking.

Does anyone have a jail.conf entry for VNC to share?


VPSadvice.com: my unbiased opinions on VPS providers.
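For the jail.conf question above, an added example that is not from any poster in this thread: a fail2ban filter and jail for the per-user vnc4server log, plus an awk check of the same pattern over a constructed log so the regex can be tried without fail2ban installed. The log line format (Connections: closed: ip::port (Authentication failure)) and display :1 (ports 5901/6001) are my assumptions; confirm both against your own ~/.vnc/hostname:1.log and with fail2ban-regex before enabling the jail.

```shell
# Added example, not from the thread. Log format and display :1 are assumptions.
# Contents for /etc/fail2ban/filter.d/vnc.conf: match one failed VNC login and
# capture the client address (fail2ban substitutes <HOST> with its own regex).
vnc_filter() {
cat <<'EOF'
[Definition]
failregex = ^\s*Connections: closed: <HOST>::\d+ \(Authentication failure\)$
ignoreregex =
EOF
}

# Fragment for /etc/fail2ban/jail.local: watch the per-user display :1 log.
# Xvnc writes the timestamp on its own line above each event, so run
# `fail2ban-regex /home/user/.vnc/host:1.log /etc/fail2ban/filter.d/vnc.conf`
# to confirm matches (and how dates are handled) before enabling the jail.
vnc_jail() {
cat <<'EOF'
[vnc]
enabled  = true
port     = 5901,6001
filter   = vnc
logpath  = /home/*/.vnc/*:1.log
maxretry = 5
findtime = 600
bantime  = 3600
EOF
}

# Portable stand-in for the jail logic: count authentication failures per
# client address from a VNC log on stdin. Output: "<address> <count>" per host.
vnc_failures_by_host() {
    awk '/Connections: closed: .*\(Authentication failure\)/ {
            split($3, a, "::"); n[a[1]]++
         }
         END { for (h in n) printf "%s %d\n", h, n[h] }' | sort
}

# Constructed sample log (not real traffic): two failures from one address,
# one clean disconnect from the tunnel endpoint on loopback.
SAMPLE_LOG='Thu Dec 12 19:05:00 2013
 Connections: accepted: 192.0.2.10::34567
 SConnection: AuthFailureException: Authentication failure
 Connections: closed: 192.0.2.10::34567 (Authentication failure)
 Connections: accepted: 192.0.2.10::34570
 Connections: closed: 192.0.2.10::34570 (Authentication failure)
 Connections: accepted: 127.0.0.1::40001
 Connections: closed: 127.0.0.1::40001 (Clean disconnection)'

# Usage: printf '%s\n' "$SAMPLE_LOG" | vnc_failures_by_host   -> 192.0.2.10 2
```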


#2 WebSearchingPro (VPS Peddler, Verified Provider, 402 posts)

Posted 01 November 2013 - 01:32 PM

> I use VNC so I can run some desktop apps on a VPS (chiefly Vuze and Firefox). I'm running Debian and use vnc4server.
>
> Unfortunately, VNC is limited to an 8-character password. And I sometimes log in and find "too many security failures", which means someone has been knocking.
>
> I could set up fail2ban for it, but VNC doesn't write to auth.log or any system log. It's in ~user/.vnc/hostname:X.log. I suppose I could have fail2ban watch that log, but I'm wondering if that's the best way or if there is something easier I'm overlooking.
>
> Does anyone have a jail.conf entry for VNC to share?

The "VNC" protocol is insecure itself. Generally the recommendation is to use SSH tunneling, which adds the layer of security you are looking for as well as encapsulating the VNC protocol within SSH.


Donald L. - NodeServ - Keeping You Connected
Fast & Dependable VPS/Shared Hosting
Locations: Jacksonville, FL.
http://nodeserv.com

#3 Raymii (VPS Enthusiast, Members, 102 posts)

Posted 01 November 2013 - 02:42 PM

> The "VNC" protocol is insecure itself. Generally the recommendation is to use SSH tunneling, which adds the layer of security you are looking for as well as encapsulating the VNC protocol within SSH.

This. Do this. Let the VNC server listen on localhost, then tunnel via SSH (like so: ssh -L 5900:localhost:5900 user@vps). Then connect your VNC client to localhost:5900.

That's at least how I do it on my VPSs with a GUI.



#4 BuyCPanel-Kevin (VPS Enthusiast, Members, 116 posts)

Posted 01 November 2013 - 04:22 PM

Try doing "find -name AuthHosts" or something like that in the VNC directory and see if you can't limit the IPs that connect to the server.


Kevin B 
BuyCPanel.com - Instant CPanel and VPS License Activations!
Lowest-Priced External CPanel Licenses
http://www.BuyCPanel.com


#5 wlanboy (VPS Enthusiast, Content Contributor, 1346 posts)

Posted 02 November 2013 - 01:15 AM

> Let the VNC server listen on localhost, then tunnel via SSH (like so: ssh -L 5900:localhost:5900 user@vps). Then connect your VNC client to localhost:5900.
>
> That's at least how I do it on my VPSs with a GUI.

Me too. VNC is insecure as hell.


wlanboy.com - a twitter archive dedicated to vps providers


#6 raindog308 (VPS Enthusiast, Members, 333 posts)

Posted 12 December 2013 - 12:03 PM

> This. Do this. Let the VNC server listen on localhost, then tunnel via SSH (like so: ssh -L 5900:localhost:5900 user@vps). Then connect your VNC client to localhost:5900.
>
> That's at least how I do it on my VPSs with a GUI.

Months later... finally getting around to this :-)

So I did some googling and haven't found any guides on setting this up going from a Windows client (VNC viewer) to a Linux host. The Linux side is pretty straightforward as far as listening on localhost, but the Windows client side (tunnelling) is mysterious to me. I've been using the RealVNC viewer and vnc4server on the Linux side.




#7 WebSearchingPro (VPS Peddler, Verified Provider, 402 posts)

Posted 12 December 2013 - 01:58 PM

If you happen to be connecting with a Windows machine you can do it with PuTTY; I don't actually have instructions on that though.

Another option for Windows connecting to Linux would be xRDP.



#8 Sunshine (New Member, Members, 26 posts)

Posted 12 December 2013 - 02:23 PM

It's fairly simple actually :)

PuTTY > Connection > SSH > Tunnels

Source port: 5900
Destination: 127.0.0.1:5900

Click the "Add" button.

Then connect as usual with PuTTY. Now you can connect with VNC viewer to 127.0.0.1 on your Windows machine.

(It tunnels 127.0.0.1:5900 on your Windows machine to 127.0.0.1:5900 on your Linux machine.)

If you need to do this on a regular basis, then you can save the configuration to a PuTTY profile (called a "session" in PuTTY) along with your server IP, etc.


Edited by Sunshine, 12 December 2013 - 02:46 PM.


#9 Sunshine (New Member, Members, 26 posts)

Posted 12 December 2013 - 02:39 PM

Or you could use MyEnTunnel:

Right click tray icon > Profiles > Create Profile > enter a profile name > OK

SSH server: write your IP here
Username: write your username here
Password: write your password here

Tick "reconnect on failure".
Tick "connect on startup".

Tunnels tab > Local text box, write:

127.0.0.1:5900:127.0.0.1:5900

Click Save. Click Cancel.

Right click tray icon > Profiles > click the name of your profile

Wait a little bit and the tray icon will turn green when connected.


Edited by Sunshine, 12 December 2013 - 02:52 PM.


#10 raindog308 (VPS Enthusiast, Members, 333 posts)

Posted 12 December 2013 - 07:05 PM

> It's fairly simple actually :)
>
> PuTTY > Connection > SSH > Tunnels
>
> Source port: 5900
> Destination: 127.0.0.1:5900
>
> Click the "Add" button.
>
> Then connect as usual with PuTTY. Now you can connect with VNC viewer to 127.0.0.1 on your Windows machine.
>
> (It tunnels 127.0.0.1:5900 on your Windows machine to 127.0.0.1:5900 on your Linux machine.)
>
> If you need to do this on a regular basis, then you can save the configuration to a PuTTY profile (called a "session" in PuTTY) along with your server IP, etc.

That worked great. Thanks!

But one follow-up question... if I nmap my public-facing internet address (eth0's address) I see:

Host is up (0.000049s latency).
Not shown: 996 closed ports
PORT     STATE SERVICE
443/tcp  open  https
873/tcp  open  rsync
6001/tcp open  X11:1

(SSH is on a high port not shown.)

https and rsync are supposed to be open, but I sure don't want X11 listening to the Internet. I can close it off with iptables, but I'm wondering if there is something in the VNC or X config I should change so it doesn't listen on that address?


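On the follow-up question (X11:1 exposed on 6001) and the loopback-only setup the earlier replies describe, an added example that is not from any poster here: a shell check that reads `ss -lnt` output and flags VNC (5900+N) and X11 (6000+N) listeners bound to anything other than loopback, together with the start command that keeps both on loopback. The -localhost and -nolisten tcp flags are my assumption for vnc4server's Xvnc (verify with Xvnc -help), and the ss output is constructed to mirror the nmap result above.

```shell
# Added example, not from the thread. Flag names and the sample are assumptions.

# Print "port address" for every VNC (5900-5999) or X11 (6000-6099) listener
# that is bound to something other than loopback. Reads `ss -lnt` on stdin;
# the first line is the ss header and is skipped.
exposed_vnc_listeners() {
    awk 'NR > 1 {
            addr = $4; port = $4
            sub(/:[0-9]+$/, "", addr)       # strip ":port" -> "*", "127.0.0.1", "[::1]"
            sub(/.*:/, "", port); port += 0 # keep the digits after the last colon
            vnc = (port >= 5900 && port <= 5999)
            x11 = (port >= 6000 && port <= 6099)
            if ((vnc || x11) && addr != "127.0.0.1" && addr != "[::1]")
                print port, addr
         }' | sort -n
}

# Why 6001 shows up: Xvnc for display :N serves RFB on 5900+N and X11 on
# 6000+N. Start it so neither is reachable from the wire, then reach the RFB
# port through SSH only:
#   Linux client:   ssh -L 5901:localhost:5901 user@vps
#   Windows client: plink -L 5901:127.0.0.1:5901 user@vps   (PuTTY's CLI)
# and point the viewer at localhost:5901.
start_vnc_loopback_only() {
    # -localhost: RFB listener on loopback only; -nolisten tcp: no X11 TCP socket
    vncserver :1 -localhost -nolisten tcp
}

# Constructed `ss -lnt` output matching the thread's nmap result: 443 and 873
# are meant to be public, the X11 listener for display :1 is not, and the RFB
# listener is already on loopback (so nmap from outside never saw 5901).
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    *:443              *:*
LISTEN 0      5      *:873              *:*
LISTEN 0      5      *:6001             *:*
LISTEN 0      5      127.0.0.1:5901     *:*
LISTEN 0      128    [::1]:5901         [::]:*'

# Usage: printf '%s\n' "$SAMPLE_SS" | exposed_vnc_listeners   -> "6001 *"
```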


#11 fixidixi (VPS Enthusiast, Members, 120 posts)

Posted 12 December 2013 - 07:27 PM

My suggestion: move to NoMachine/x2go. Better performance, no mouse-sync problems and even more secure :)


not © not® Please fixIT B) !