Secure VNC connections

So I've sucessfully set up UltraVNC.

I can access it from anywhere using the java viewer browser plugin.


Now, I'm thinking in terms of security. All you need to have is the ip address of my computer, the port i'm using, and a password then you can get into my computer.

My Security:

UltraVNC passwords can be max 8 characters
I'm going to make as inhuman password as possible in 8 characters
ex. 3#42@kK!

Choosing a port
If the password is really secure, should I really care about doing a nonstandard port?

Unsucessful password attemps
I'm trying to find if UltraVNC has a set number of unsucessful password attemps that it will process before it does something like block the send for 1 hour


Install encryption plugin
I need to install the encryption plugin and test it out.




General Use

Make my ip address easier to remember

Quote:

---

Free name

---

Quote:

---

You can get a free name at http://www.no-ip.com and http://dyndns.com
I signed up for free with dyndns, and use an auto updater program from kana solution (free) so that i never have to worry about my ip changing. I just plug in blahblah.ath.cx instead of my ip.

---

My question is are there any other ideas you have that could help me improve my security.
ie don't let some port scanner find my open port and all of a sudden have complete access to my system through a VNC client.

You are wrong about the 8 character password limit, I've used passwords longer than that for some time.

In any case if you use windows logon/password, it is more secure than UVNC's default and would not have that limitation. This also gives you the same unsuccessful attempts options as you have with windows. I suggest you set up a user and password which you will use purely for external access, so you don't need to remember the password when you log on normally. You can create a strange user name too, which will help defeat hackers.

If you use an encryption plugin on the server you need to use the UVNC client with the same plugin. You can't use Java since there's no way of attaching the plugin. Make sure you use a key file. No one can get in without a copy of the key file.

Alternatively, if you must use the Java client, run the service through stunnel. There are examples including one for vnc. Unfortunately most of the examples are for linux, but the principles are the same. In that case you would only allow loopback connections in UVNC so that the service will only accept connections from the stunnel program within your own system.
Your entry in stunnel.conf would look something like this:
[uvnc]
accept=8765
connect=5800

You would need to open port 8765 AND the ssl protocol in your firewall.
You then connect using "https://yoursystemname:8765/". You can secure this connection with a certificate.
More details of how to do this here.

Finally, if you (or someone you know) are any good at winsock programming you could write a program to start/stop the VNC service remotely. If you do that in such a way that only an exact string (a long one which no-one could guess) on a particular port will trigger the program, and the program only starts or stops the VNC service, then you are to all intents and purposes totally secure.

Thanks Lynx

I've set up a new 14 character password (I don't know why I thought I was limited to 8)

I decided that I'm going to use Windows Authentication a little later down the road (since I'm about to format after the semester is over)

I set up the encryption and got the key files up and running. This part is really cool, it gives me more confidence about being open on the 'net.

Then for the java client, I decided to entirely disable it since having the remote viewer and encryption plugins will do fine for me.

I'm going to talk to my friend who has been working in VB .Net for a little over a year and a half about the winsock programming. I think that would be an excellent feature to add with remote server startup.


Thanks lynx you helped a lot!