Insecure Just Arrived
Joined: 12 Oct 2002 Posts: 0
Posted: Sat Oct 12, 2002 7:42 pm Post subject: How Do I Encrypt VNC??
Hi!
I am a big fan of AT&T's VNC, which allows you remote desktop from any computer with a Browser and an Internet connection. I, however, don't want to get it up and running until I set up something a little bit more secure. A buddy of mine set his up to use ssh, but he had a Linux box set up in front of his PC (the VNC server). I want to know how to set up some sort of Encryption for when I am using VNC.
I only have one computer so I can't set up a Linux firewall like my buddy did. The computer I have is running Windows XP, and I would like to use the internet browser from any other computer as a client. This is the first time I have tried anything like this so any advice is valuable!
Jon
ShaolinTiger Forum Fanatic
Joined: 18 Apr 2002 Posts: 16777215 Location: Kuala Lumpur, Malaysia
flw Forum Fanatic
Joined: 27 May 2002 Posts: 16777215 Location: U.S.A.
Posted: Sat Oct 12, 2002 9:43 pm Post subject:
Quote: |
I am a big fan of AT&T's VNC, which allows you remote desktop from any computer with a Browser and an Internet connection. I, however, don't want to get it up and running until I set up something a little bit more secure. A buddy of mine set his up to use ssh, but he had a Linux box set up in front of his PC (the VNC server). I want to know how to set up some sort of Encryption for when I am using VNC.
I only have one computer so I can't set up a Linux firewall like my buddy did. The computer I have is running Windows XP, and I would like to use the internet browser from any other computer as a client. This is the first time I have tried anything like this so any advice is valuable!
Jon |
I have a slightly different question for you on your use of a remote control app. Why would someone need any remote app like VNC to be on 24/7 instead of on only when needed? Thereby dramatically reducing your total exposure to hackers and increasing your security.
You can't open a door that isn't there.
fastlanwan
Jason Forum Fanatic
Joined: 19 Sep 2002 Posts: 16777215
Posted: Sun Oct 13, 2002 12:40 pm Post subject:
In response to fastlanwan's question, and just for general knowledge, here's some info:
Winvnc Homepage:
http://www.uk.research.att.com/vnc/
Winvnc Server Documentation:
http://www.uk.research.att.com/vnc/winvnc.html
Well worth looking at... in particular, the AuthHosts registry setting, which allows you to restrict incoming connections.
Quote: |
AuthHosts
The AuthHosts setting is, unlike the other settings, a REG_SZ string. It is used to specify a set of IP address templates which incoming connections must match in order to be accepted. By default, the template is empty and connections from all hosts are accepted. The template is of the form:
+[ip-address-template]
?[ip-address-template]
-[ip-address-template]
In the above, [ip-address-template] represents the leftmost bytes of the desired stringified IP-address. For example, +158.97 would match both 158.97.12.10 and 158.97.14.2. Multiple match terms may be specified, delimited by the ":" character. Terms appearing later in the template take precedence over earlier ones. e.g. -:+158.97: would filter out all incoming connections except those beginning with 158.97. Terms beginning with the "?" character are treated by default as indicating hosts from whom connections must be accepted at the server side via a dialog box. The QuerySetting option determines the precise behaviour of the three AuthHosts options. Local machine-specific setting.
|
This setting can be used as a number of security measures to help secure Winvnc.
For those of you who are interested, Winvnc uses port 5900 for the first default connection. You can also point your browser at 192.168.0.44:5800 for a Java viewer (port 5800). I believe that the web version can be turned off.
I am a great fan of Winvnc, and use it everywhere I can. For those of you who have never had the pleasure, Winvnc is a remote desktop application, similar to PC-Anywhere. (Well, it does the same job...)
Done.
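The AuthHosts evaluation rules quoted in the post above, as an added Python example that is not part of the original thread and is not WinVNC's own code. It assumes plain string-prefix matching and that an address matching no term is accepted, as with the empty template; what a "query" result does in practice depends on QuerySetting, and the function names are illustrative.

```python
# Added illustration; semantics taken from the quoted AuthHosts description.
ACTIONS = {"+": "accept", "?": "query", "-": "reject"}


def parse_authhosts(template):
    """Split an AuthHosts string into (action, prefix) terms, in order."""
    terms = []
    for raw in template.split(":"):
        if not raw:
            continue  # empty piece left by a leading, trailing or doubled ':'
        if raw[0] not in ACTIONS:
            raise ValueError(f"term {raw!r} must start with '+', '?' or '-'")
        terms.append((ACTIONS[raw[0]], raw[1:]))
    return terms


def evaluate(template, ip):
    """Return 'accept', 'query' or 'reject' for a dotted-quad client address."""
    decision = "accept"  # assumption: no matching term acts like an empty template
    for action, prefix in parse_authhosts(template):
        if ip.startswith(prefix):  # assumption: plain string-prefix match
            decision = action      # later terms take precedence
    return decision


def ambiguous_prefixes(template):
    """Prefixes whose last octet can grow another digit and still be <= 255."""
    flagged = []
    for _, prefix in parse_authhosts(template):
        last = prefix.rsplit(".", 1)[-1]
        if last.isdigit() and last != "0" and int(last) * 10 <= 255:
            flagged.append(prefix)
    return flagged


if __name__ == "__main__":
    # Constructed test addresses; the templates follow the quoted syntax.
    for tmpl, ip in [("-:+158.97:", "158.97.12.10"), ("-:+158.97:", "10.0.0.5"),
                     ("-:+10.1", "10.12.3.4"), ("-:+10.1.", "10.12.3.4"),
                     ("-:?192.168.:+192.168.0.", "192.168.1.7")]:
        print(f"{tmpl!r:28} {ip:15} -> {evaluate(tmpl, ip)}")
    print("ambiguous:", ambiguous_prefixes("-:+10.1:+158.97"))
```

Under a string-prefix reading, `+10.1` also admits 10.12.x.x and 10.100.x.x; ending the term with a dot (`+10.1.`) pins the octet.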
flw Forum Fanatic
Joined: 27 May 2002 Posts: 16777215 Location: U.S.A.
Posted: Sun Oct 13, 2002 4:30 pm Post subject:
Quote: |
In response to fastlanwan's question, and just for general knowledge, here's some info:
Winvnc Homepage:
http://www.uk.research.att.com/vnc/
Winvnc Server Documentation:
http://www.uk.research.att.com/vnc/winvnc.html
Well worth looking at... in particular, the AuthHosts registry setting, which allows you to restrict incoming connections.
This setting can be used as a number of security measures to help secure Winvnc.
For those of you who are interested, Winvnc uses port 5900 for the first default connection. You can also point your browser at 192.168.0.44:5800 for a Java viewer (port 5800). I believe that the web version can be turned off.
I am a great fan of Winvnc, and use it everywhere I can. For those of you who have never had the pleasure, Winvnc is a remote desktop application, similar to PC-Anywhere. (Well, it does the same job...)
Done.
_________________
Proud to be British. |
I think you have misunderstood my question. I use VNC myself on client PCs; I understand how it works. So my question is why would anyone leave it on 24/7? PcAnywhere or VNC? It seems having it on all the time is asking for trouble, rather than on an as-needed basis.
fastlanwan
Jason Forum Fanatic
Joined: 19 Sep 2002 Posts: 16777215
Posted: Sun Oct 13, 2002 4:56 pm Post subject:
Sorry mate, with you now.
I have come across situations where there does not seem to be any other option.
Case 1: At work my boss uses Winvnc to access company documents on the move. It is hard to predict when he will need access to various information, so the VNC server is always running.
The other point to consider: VNC server is remote software. If you switch it off, go to another country, then need to access your computer remotely, what do you do? There may be a situation where you cannot ring up someone and ask them to run the VNC server. They may not have the knowledge, or may not even be available. E.g. it's Sunday.
Having applications such as VNC load at start-up reduces confusion while providing you with flexibility. If you like, it is the easy way of doing things. I do agree with you that from a security perspective this does expose your system slightly more.
Keeping with the security perspective, a quick look over at dshield.org can show you how little port 5900 is scanned for, despite specialised scanning tools, such as VNC Manager:
http://www.sysworksoft.net/products/vncmng.html
(had this little prog installed for months, it's great!)
There are relatively few public vulnerabilities in Winvnc, and these are in older versions.
So, my general feeling is, with a strong password, and the latest and greatest version of VNC installed, you are reasonably secure, or at least secure enough to be able to leave your VNC server on 24/7.
J
ShaolinTiger Forum Fanatic
Joined: 18 Apr 2002 Posts: 16777215 Location: Kuala Lumpur, Malaysia
Posted: Sun Oct 13, 2002 6:01 pm Post subject:
Indeed J, I was going to say the exact same thing..
How can you start it as and when needed if there are no remote admin tools running...
Kinda defeats the object of having it if it's not there all the time.
There's usually no one technically competent around to start it (if there is, why would you be running it in the first place?).
And using SSH tunnels and a strong password it's as secure as any other service (as J says there are no exploits for the new ones, and most of the exploits that existed were just DoS bugs).
flw Forum Fanatic
Joined: 27 May 2002 Posts: 16777215 Location: U.S.A.
Posted: Sun Oct 13, 2002 8:57 pm Post subject:
So you're using ssh to secure your setup then and have all other services turned off? Are you using ssh1 or 2 and with encryption? Also unless VNC has changed it has no lockout feature for number of failed access attempts. So someone can keep hammering away?
Internally (LAN/WAN) I am a fan of VNC, it's the over the net that makes me think twice.
Note: I have a series of bots that are after my Linux server using ssh1. In addition to other measures I have taken, the bots were never programmed to try ssh2, just ssh1 with no encryption.
On the same subnet is an NT Web proxy server that has never been attacked. Everyone seems to go for the Linux box mail and webserver. I don't know why, they just do. A hacker would see ssh and/or Apache running and assume all devices must be Linux/Unix variations. Wrong.
This has proven an old rule true again. READ YOUR LOG FILES. That's what gave them away. Unusual patterns in the normal routine.
fastlanwan
Insecure Just Arrived
Joined: 12 Oct 2002 Posts: 0
Posted: Sun Oct 13, 2002 9:07 pm Post subject: putty
Will I need to have putty installed everywhere that I want to use as a VNC client?
ShaolinTiger Forum Fanatic
Joined: 18 Apr 2002 Posts: 16777215 Location: Kuala Lumpur, Malaysia
Posted: Sun Oct 13, 2002 11:08 pm Post subject:
Check this out:
http://www.security-forums.com/forum/viewtopic.php?p=6732
Has some pictures and stuff.
P.S. PuTTY doesn't need installing. It's proper software (stand-alone executable); you can configure it, stick it on a disk/CD and take it around with you.
Jason Forum Fanatic
Joined: 19 Sep 2002 Posts: 16777215
Posted: Mon Oct 14, 2002 7:57 pm Post subject:
What sort of speed impact does encrypting VNC have?
Particularly in:
1) 100 MB/sec LAN
2) NTL 128K accessing BT Openworld 512K service.
Any ideas would be appreciated.
Cheers
J
Posideon Just Arrived
Joined: 10 Jan 2003 Posts: 1 Location: UK Baby!!!
Posted: Mon Jan 13, 2003 5:41 pm Post subject:
Quote: |
I am a big fan of AT&T's VNC, which allows you remote desktop from any computer with a Browser and an Internet connection.
|
Does WinVNC allow you to use remote control via a browser? I always thought it was just the client VNCviewer you used.
Dan
-------------------
ShaolinTiger Forum Fanatic
Joined: 18 Apr 2002 Posts: 16777215 Location: Kuala Lumpur, Malaysia
Posted: Mon Jan 13, 2003 5:47 pm Post subject:
Yeh via a web based Java Applet I believe..never used it myself though always preferred the client.
Posideon Just Arrived
Joined: 10 Jan 2003 Posts: 1 Location: UK Baby!!!
Posted: Mon Jan 13, 2003 6:03 pm Post subject:
Is the browser as secure as the client? I'm thinking not but please tell me otherwise.
Dan
----------------
ShaolinTiger Forum Fanatic
Joined: 18 Apr 2002 Posts: 16777215 Location: Kuala Lumpur, Malaysia
Posted: Mon Jan 13, 2003 6:07 pm Post subject:
Neither are particularly secure..
That's why I use TightVNC over SSH
Rayxen Just Arrived
Joined: 05 Feb 2003 Posts: 1 Location: Australia
Posted: Wed Mar 12, 2003 1:09 pm Post subject:
Yep, I'm the same as Shaolin Tiger, TightVNC is a must instead of WinVNC and use it through an SSH tunnel. Not difficult at all.