
Thread: Secure VNC connections

  1. #1
    lightshow
    So I've successfully set up UltraVNC.

    I can access it from anywhere using the java viewer browser plugin.


    Now, I'm thinking in terms of security. All you need to have is the IP address of my computer, the port I'm using, and a password, then you can get into my computer.

    My Security:

    UltraVNC passwords can be max 8 characters
    I'm going to make as inhuman a password as possible in 8 characters
    ex. 3#42@kK!

    Choosing a port
    If the password is really secure, should I really care about doing a nonstandard port?

    Unsuccessful password attempts
    I'm trying to find if UltraVNC has a set number of unsuccessful password attempts that it will process before it does something like block the send for 1 hour.


    Install encryption plugin
    I need to install the encryption plugin and test it out.




    General Use

    Make my ip address easier to remember
    Free name
    You can get a free name at http://www.no-ip.com and http://dyndns.com
    I signed up for free with dyndns, and use an auto updater program from kana solution (free) so that I never have to worry about my IP changing. I just plug in blahblah.ath.cx instead of my IP.


    My question is are there any other ideas you have that could help me improve my security.
    i.e. don't let some port scanner find my open port and all of a sudden have complete access to my system through a VNC client.
    I miss the days of random nut '03
    Click for more activation options, then activate by telephone. Run the keygen.
    if I call them, aren't they going to get me? (you know, down there)

  2. Software & Hardware   -   #2
    lynx
    You are wrong about the 8 character password limit, I've used passwords longer than that for some time.

    In any case, if you use Windows logon/password, it is more secure than UVNC's default and would not have that limitation. This also gives you the same unsuccessful attempts options as you have with Windows. I suggest you set up a user and password which you will use purely for external access, so you don't need to remember the password when you log on normally. You can create a strange user name too, which will help defeat hackers.

    If you use an encryption plugin on the server you need to use the UVNC client with the same plugin. You can't use Java since there's no way of attaching the plugin. Make sure you use a key file. No one can get in without a copy of the key file.

    Alternatively, if you must use the Java client, run the service through stunnel. There are examples including one for VNC. Unfortunately most of the examples are for Linux, but the principles are the same. In that case you would only allow loopback connections in UVNC so that the service will only accept connections from the stunnel program within your own system.
    Your entry in stunnel.conf would look something like this:
    [uvnc]
    accept=8765
    connect=5800

    You would need to open port 8765 AND the SSL protocol in your firewall.
    You then connect using "https://yoursystemname:8765/". You can secure this connection with a certificate.
    More details of how to do this here.

    Finally, if you (or someone you know) are any good at winsock programming you could write a program to start/stop the VNC service remotely. If you do that in such a way that only an exact string (a long one which no-one could guess) on a particular port will trigger the program, and the program only starts or stops the VNC service, then you are to all intents and purposes totally secure.
    Last edited by lynx; 04-28-2008 at 08:31 PM.
    .
    Political correctness is based on the principle that it's possible to pick up a turd by the clean end.
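
The remote start/stop trigger lynx describes, sketched as an added example (not code from the thread or from UltraVNC). It goes one step beyond a fixed secret string: each message carries a timestamp and an HMAC over it, so a message captured on the wire cannot be replayed later. The key, port number and service name below are assumptions.

```python
import hashlib
import hmac
import socket
import subprocess
import time

SECRET = b"constructed-demo-key-change-me"  # constructed sample key
SERVICE = "uvnc_service"   # assumed Windows service name; check your install
PORT = 47001               # hypothetical trigger port
WINDOW = 30                # seconds a message stays valid

def make_message(action, key=SECRET, now=None):
    """Client side: build b'action|timestamp|hex-hmac'."""
    ts = str(int(time.time() if now is None else now))
    body = f"{action}|{ts}".encode()
    tag = hmac.new(key, body, hashlib.sha256).hexdigest()
    return body + b"|" + tag.encode()

def check_message(data, seen, key=SECRET, now=None):
    """Return 'start' or 'stop' for a valid, fresh, unseen message, else None."""
    now = time.time() if now is None else now
    data = data.strip()
    parts = data.split(b"|")
    if len(parts) != 3:
        return None
    action, ts, tag = parts
    expected = hmac.new(key, action + b"|" + ts, hashlib.sha256).hexdigest()
    # Constant-time compare, so response timing leaks nothing about the tag.
    if not hmac.compare_digest(tag, expected.encode()):
        return None
    if action not in (b"start", b"stop") or not ts.isdigit():
        return None
    if abs(now - int(ts)) > WINDOW or data in seen:
        return None        # stale, or a replay of a message already used
    seen.add(data)
    return action.decode()

def serve():
    seen = set()           # only valid messages are stored, so this stays small
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.bind(("0.0.0.0", PORT))
        while True:
            data, _ = s.recvfrom(256)
            action = check_message(data, seen)
            if action:     # never reply, so a scanner gets no response here
                subprocess.run(["sc", action, SERVICE], check=False)

if __name__ == "__main__":
    serve()
```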

  3. Software & Hardware   -   #3
    lightshow
    Thanks Lynx

    I've set up a new 14 character password (I don't know why I thought I was limited to 8)

    I decided that I'm going to use Windows Authentication a little later down the road (since I'm about to format after the semester is over)

    I set up the encryption and got the key files up and running. This part is really cool, it gives me more confidence about being open on the 'net.

    Then for the java client, I decided to entirely disable it since having the remote viewer and encryption plugins will do fine for me.

    I'm going to talk to my friend who has been working in VB .Net for a little over a year and a half about the winsock programming. I think that would be an excellent feature to add with remote server startup.


    Thanks lynx, you helped a lot!
