Security Forums

How Do I Encrypt VNC??

Insecure
Just Arrived
Joined: 12 Oct 2002
Posts: 0

Posted: Sat Oct 12, 2002 7:42 pm    Post subject: How Do I Encrypt VNC??

Hi!

I am a big fan of AT&T's VNC, which allows you remote desktop from any computer with a browser and an Internet connection. I, however, don't want to get it up and running until I set up something a little bit more secure. A buddy of mine set his up to use ssh, but he had a Linux box set up in front of his PC (the VNC server). I want to know how to set up some sort of encryption for when I am using VNC.
I only have one computer so I can't set up a Linux firewall like my buddy did. The computer I have is running Windows XP, and I would like to use the internet browser from any other computer as a client. This is the first time I have tried anything like this so any advice is valuable!

Jon

ShaolinTiger
Forum Fanatic
Joined: 18 Apr 2002
Posts: 16777215
Location: Kuala Lumpur, Malaysia

Posted: Sat Oct 12, 2002 9:08 pm

Hiya, well you do it the same way by using SSH (SSH tunneling) but do it locally on your machine with something like PuTTY.

There are some good guides here:

http://drvandv.com/freesco/VNC/

http://www.shebeen.com/vnc_ssh/

ATT themselves also have some info regarding this: http://www.uk.research.att.com/vnc/sshvnc.html

HTH :)

flw
Forum Fanatic
Joined: 27 May 2002
Posts: 16777215
Location: U.S.A.

Posted: Sat Oct 12, 2002 9:43 pm

Quote:
I am a big fan of AT&T's VNC, which allows you remote desktop from any computer with a browser and an Internet connection. I, however, don't want to get it up and running until I set up something a little bit more secure. A buddy of mine set his up to use ssh, but he had a Linux box set up in front of his PC (the VNC server). I want to know how to set up some sort of encryption for when I am using VNC.
I only have one computer so I can't set up a Linux firewall like my buddy did. The computer I have is running Windows XP, and I would like to use the internet browser from any other computer as a client. This is the first time I have tried anything like this so any advice is valuable!

Jon


I have a slightly different question for you on your use of a remote control app. Why would someone need any remote app like VNC to be on 24/7 instead of on only when needed? Thereby dramatically reducing your total exposure to hackers and increasing your security.

You can't open a door that isn't there.

fastlanwan

Jason
Forum Fanatic
Joined: 19 Sep 2002
Posts: 16777215

Posted: Sun Oct 13, 2002 12:40 pm

In response to fastlanwan's question, and just for general knowledge, here's some info:

Winvnc Homepage:
http://www.uk.research.att.com/vnc/

Winvnc Server Documentation:
http://www.uk.research.att.com/vnc/winvnc.html

Well worth looking at... in particular, the AuthHosts registry setting, which allows you to restrict incoming connections.

Quote:

AuthHosts
The AuthHosts setting is, unlike the other settings, a REG_SZ string. It is used to specify a set of IP address templates which incoming connections must match in order to be accepted. By default, the template is empty and connections from all hosts are accepted. The template is of the form:
+[ip-address-template]
?[ip-address-template]
-[ip-address-template]
In the above, [ip-address-template] represents the leftmost bytes of the desired stringified IP-address. For example, +158.97 would match both 158.97.12.10 and 158.97.14.2. Multiple match terms may be specified, delimited by the ":" character. Terms appearing later in the template take precedence over earlier ones. e.g. -:+158.97: would filter out all incoming connections except those beginning with 158.97. Terms beginning with the "?" character are treated by default as indicating hosts from whom connections must be accepted at the server side via a dialog box. The QuerySetting option determines the precise behaviour of the three AuthHosts options. Local machine-specific setting.



This setting can be used as a number of security measures to help secure Winvnc.

For those of you who are interested, Winvnc uses port 5900 for the first default connection. You can also point your browser at 192.168.0.44:5800 for a Java viewer (port 5800). I believe that the web version can be turned off.

I am a great fan of Winvnc, and use it everywhere I can. For those of you who have never had the pleasure, Winvnc is a remote desktop application, similar to PC-Anywhere. (Well, it does the same job...)

Done. ;)
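
The AuthHosts rules quoted in the post above, worked through as an added Python example; it is not part of the thread and is not WinVNC's own code. Assumptions: the function names are hypothetical, an address that matches no term is accepted, and because "leftmost bytes of the stringified IP-address" can be read either as whole octets or as a plain string prefix, both readings are selectable so a template can be checked under each.

```python
# Added example: evaluates an AuthHosts template the way the quoted
# documentation describes it. Not WinVNC source code.
ACTIONS = {"+": "accept", "?": "query", "-": "reject"}

def parse_authhosts(template):
    """Split 'term:term:...' into (action, prefix) pairs, in order."""
    terms = []
    for raw in template.split(":"):
        raw = raw.strip()
        if not raw:
            continue  # empty piece, e.g. after a trailing ':'
        if raw[0] not in ACTIONS:
            raise ValueError(f"term {raw!r} must start with +, ? or -")
        terms.append((ACTIONS[raw[0]], raw[1:]))
    return terms

def prefix_matches(ip, prefix, whole_octets=True):
    """True if `prefix` covers the leftmost part of the dotted-quad `ip`."""
    if prefix == "":
        return True  # a bare '+', '?' or '-' matches every address
    if not ip.startswith(prefix):
        return False
    if not whole_octets:
        return True  # plain string prefix: '158.9' also matches 158.97.x.x
    rest = ip[len(prefix):]
    return rest == "" or rest[0] == "." or prefix.endswith(".")

def decide(template, ip, whole_octets=True):
    """Return 'accept', 'query' or 'reject' for a connecting address."""
    verdict = "accept"  # assumption: no matching term means accept
    for action, prefix in parse_authhosts(template):
        if prefix_matches(ip, prefix, whole_octets):
            verdict = action  # later terms override earlier ones
    return verdict

def audit(template, samples):
    """Map each sample address to its verdict, for reviewing a template."""
    return {ip: decide(template, ip) for ip in samples}

# Constructed sample addresses; 158.97.* comes from the quoted documentation.
SAMPLES = ["158.97.12.10", "158.97.14.2", "158.9.1.1", "203.0.113.7"]

if __name__ == "__main__":
    for ip, verdict in audit("-:+158.97:", SAMPLES).items():
        print(f"{ip:15} {verdict}")
```

Ending each prefix on an octet boundary (for example `+158.97.` or a full address) gives the same result under both readings of the documentation.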

flw
Forum Fanatic
Joined: 27 May 2002
Posts: 16777215
Location: U.S.A.

Posted: Sun Oct 13, 2002 4:30 pm

Quote:
In response to fastlanwan's question, and just for general knowledge, here's some info:

Winvnc Homepage:
http://www.uk.research.att.com/vnc/

Winvnc Server Documentation:
http://www.uk.research.att.com/vnc/winvnc.html

Well worth looking at... in particular, the AuthHosts registry setting, which allows you to restrict incoming connections.

This setting can be used as a number of security measures to help secure Winvnc.

For those of you who are interested, Winvnc uses port 5900 for the first default connection. You can also point your browser at 192.168.0.44:5800 for a Java viewer (port 5800). I believe that the web version can be turned off.

I am a great fan of Winvnc, and use it everywhere I can. For those of you who have never had the pleasure, Winvnc is a remote desktop application, similar to PC-Anywhere. (Well, it does the same job...)

Done.
_________________
Proud to be British.


I think you have misunderstood my question. I use VNC myself on client PCs; I understand how it works. So my question is why would anyone leave it on 24/7? PcAnywhere or VNC? It seems having it on all the time is asking for trouble, rather than on an as-needed basis.

fastlanwan

Jason
Forum Fanatic
Joined: 19 Sep 2002
Posts: 16777215

Posted: Sun Oct 13, 2002 4:56 pm

Sorry mate, with you now. :oops:

I have come across situations where there does not seem to be any other option.

Case 1: At work my boss uses Winvnc to access company documents on the move. It is hard to predict when he will need access to various information, so VNC server is always running.

The other point to consider: VNC server is remote software. If you switch it off, go to another country, then need to access your computer remotely, what do you do? There may be a situation where you cannot ring up someone and ask them to run VNC server. They may not have the knowledge, or may not even be available. E.g. it's Sunday. :lol:

Having applications such as VNC load at start up reduces confusion while providing you with flexibility. If you like, it is the easy way of doing things. I do agree with you, from a security perspective this does expose your system slightly more.

Keeping with the security perspective, a quick look over at dshield.org can show you how little port 5900 is scanned for, despite specialised scanning tools, such as VNC Manager:

http://www.sysworksoft.net/products/vncmng.html

(had this little prog installed for months, it's great! ;) )

There are relatively few public vulnerabilities in Winvnc, and these are in older versions.

So, my general feeling is, with a strong password, and the latest and greatest version of VNC installed, you are reasonably secure, or at least secure enough to be able to leave your VNC server on 24/7.

J

ShaolinTiger
Forum Fanatic
Joined: 18 Apr 2002
Posts: 16777215
Location: Kuala Lumpur, Malaysia

Posted: Sun Oct 13, 2002 6:01 pm

Indeed J I was going to say the exact same thing..

How can you start it as and when needed if there are no remote admin tools running...

Kinda defeats the object of having it if it's not there all the time.

There's usually no one technically competent around to start it (if there is why would you be running it in the first place?).

And using SSH tunnels and a strong password it's as secure as any other service (as J says there are no exploits for the new ones, and most of the exploits that existed were just DoS bugs).

flw
Forum Fanatic
Joined: 27 May 2002
Posts: 16777215
Location: U.S.A.

Posted: Sun Oct 13, 2002 8:57 pm

So you're using on ssh to secure your setup then and have all other services turned off? Are you using ssh1 or 2 and with encryption? Also unless VNC has changed it has no lockout feature for number of failed access attempts. So someone can keep hammering away?

Internally (LAN/WAN) I am a fan of VNC, it's the over the net that makes me think twice.

Note: I have a series of bots that are after my Linux server using ssh1. In addition to other measures I have taken, the bots were never programmed to try ssh2, just ssh1 with no encryption.

On the same subnet is an NT Web proxy server that has never been attacked. Everyone seems to go for the Linux box mail and webserver. I don't know why, they just do. A hacker would see ssh and/or Apache running and assume all devices must be Linux/Unix variations. Wrong.

This has proven an old rule true again. READ YOUR LOG FILES. That's what gave them away. Unusual patterns in the normal routine.

fastlanwan

Insecure
Just Arrived
Joined: 12 Oct 2002
Posts: 0

Posted: Sun Oct 13, 2002 9:07 pm    Post subject: putty

Will I need to have PuTTY installed everywhere that I want to use as a VNC client?

ShaolinTiger
Forum Fanatic
Joined: 18 Apr 2002
Posts: 16777215
Location: Kuala Lumpur, Malaysia

Posted: Sun Oct 13, 2002 11:08 pm

Check this out:

http://www.security-forums.com/forum/viewtopic.php?p=6732

Has some pictures and stuff.

P.S. PuTTY doesn't need installing :) It's proper software (stand-alone executable); you can configure it, stick it on a disk/CD and take it around with you.

Jason
Forum Fanatic
Joined: 19 Sep 2002
Posts: 16777215

Posted: Mon Oct 14, 2002 7:57 pm

What sort of speed impact does encrypting vnc have?

Particularly in:

1) 100 MB/sec LAN
2) NTL 128K accessing BT Openworld 512K service.

Any ideas would be appreciated.

Cheers 8)

J

Posideon
Just Arrived
Joined: 10 Jan 2003
Posts: 1
Location: UK Baby!!!

Posted: Mon Jan 13, 2003 5:41 pm

Quote:
I am a big fan of AT&T's VNC, which allows you remote desktop from any computer with a Browser and an Internet connection.



Does WinVNC allow you to use remote control via a browser? I always thought it was just the client VNCviewer you used.


Dan
-------------------


:roll:

ShaolinTiger
Forum Fanatic
Joined: 18 Apr 2002
Posts: 16777215
Location: Kuala Lumpur, Malaysia

Posted: Mon Jan 13, 2003 5:47 pm

Yeh, via a web-based Java applet I believe... never used it myself though, always preferred the client.

Posideon
Just Arrived
Joined: 10 Jan 2003
Posts: 1
Location: UK Baby!!!

Posted: Mon Jan 13, 2003 6:03 pm

Is the browser as secure as the client? I'm thinking not but please tell me otherwise.


Dan
----------------

:oops:

ShaolinTiger
Forum Fanatic
Joined: 18 Apr 2002
Posts: 16777215
Location: Kuala Lumpur, Malaysia

Posted: Mon Jan 13, 2003 6:07 pm

Neither are particularly secure...

That's why I use TightVNC over SSH :)

Rayxen
Just Arrived
Joined: 05 Feb 2003
Posts: 1
Location: Australia

Posted: Wed Mar 12, 2003 1:09 pm

Yep, I'm the same as Shaolin Tiger, TightVNC is a must instead of WinVNC and use it through an SSH tunnel. Not difficult at all.

All times are GMT + 2 Hours
Page 1 of 2