How Do I Encrypt VNC??

Author: Insecure  Posted: Sat Oct 12, 2002 7:42 pm    Post subject: How Do I Encrypt VNC??
    ----
hi!

I am a big fan of AT&T's VNC, which allows you remote desktop from any computer with a browser and an Internet connection. I, however, don't want to get it up and running until I set up something a little bit more secure. A buddy of mine set his up to use ssh, but he had a Linux box set up in front of his PC (the VNC server). I want to know how to set up some sort of encryption for when I am using VNC.
I only have one computer so I can't set up a Linux firewall like my buddy did. The computer I have is running Windows XP, and I would like to use the internet browser from any other computer as a client. This is the first time I have tried anything like this so any advice is valuable!

Jon

Author: ShaolinTiger  Location: Kuala Lumpur, Malaysia  Posted: Sat Oct 12, 2002 9:08 pm    Post subject:
    ----
Hiya, well you do it the same way by using SSH (SSH tunneling) but do it locally on your machine with something like PuTTY.

There are some good guides here:

http://drvandv.com/freesco/VNC/

http://www.shebeen.com/vnc_ssh/

ATT themselves also have some info regarding this: http://www.uk.research.att.com/vnc/sshvnc.html

HTH

Author: flw  Location: U.S.A.  Posted: Sat Oct 12, 2002 9:43 pm    Post subject:
    ----
Quote:
I am a big fan of AT&T's VNC, which allows you remote desktop from any computer with a browser and an Internet connection. I, however, don't want to get it up and running until I set up something a little bit more secure. A buddy of mine set his up to use ssh, but he had a Linux box set up in front of his PC (the VNC server). I want to know how to set up some sort of encryption for when I am using VNC.
I only have one computer so I can't set up a Linux firewall like my buddy did. The computer I have is running Windows XP, and I would like to use the internet browser from any other computer as a client. This is the first time I have tried anything like this so any advice is valuable!

Jon


I have a slightly different question for you on your use of a remote control app. Why would someone need any remote app like VNC to be on 24/7 instead of on only when needed? Thereby dramatically reducing your total exposure to hackers and increasing your security.

You can't open a door that isn't there.

fastlanwan

Author: Jason  Posted: Sun Oct 13, 2002 12:40 pm    Post subject:
    ----
In response to fastlanwan's question, and just for general knowledge, here's some info:

Winvnc Homepage:
http://www.uk.research.att.com/vnc/

Winvnc Server Documentation:
http://www.uk.research.att.com/vnc/winvnc.html

Well worth looking at... in particular, the AuthHosts registry setting, which allows you to restrict incoming connections.

Quote:

AuthHosts
The AuthHosts setting is, unlike the other settings, a REG_SZ string. It is used to specify a set of IP address templates which incoming connections must match in order to be accepted. By default, the template is empty and connections from all hosts are accepted. The template is of the form:
+[ip-address-template]
?[ip-address-template]
-[ip-address-template]
In the above, [ip-address-template] represents the leftmost bytes of the desired stringified IP-address. For example, +158.97 would match both 158.97.12.10 and 158.97.14.2. Multiple match terms may be specified, delimited by the ":" character. Terms appearing later in the template take precedence over earlier ones. e.g. -:+158.97: would filter out all incoming connections except those beginning with 158.97. Terms beginning with the "?" character are treated by default as indicating hosts from whom connections must be accepted at the server side via a dialog box. The QuerySetting option determines the precise behaviour of the three AuthHosts options. Local machine-specific setting.



This setting can be used as a number of security measures to help secure Winvnc.

For those of you who are interested, Winvnc uses port 5900 for the first default connection. You can also point your browser at 192.168.0.44:5800 for a Java viewer (port 5800). I believe that the web version can be turned off.

I am a great fan of Winvnc, and use it everywhere I can. For those of you who have never had the pleasure, Winvnc is a remote desktop application, similar to PC-Anywhere. (Well, it does the same job...)

Done.
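
The AuthHosts rules quoted in the post above, worked through as an added example (not part of the thread and not WinVNC's own code). It assumes that "leftmost bytes of the stringified IP-address" means a plain string prefix and that an address matching no term is accepted; the function names are made up for the illustration.

```python
# Added example: AuthHosts evaluator (illustrative, not WinVNC source).
ACCEPT, QUERY, REJECT = "accept", "query", "reject"
ACTIONS = {"+": ACCEPT, "?": QUERY, "-": REJECT}


def parse_authhosts(template):
    """Split a template such as '-:+158.97:' into (action, prefix) terms."""
    terms = []
    for raw in template.split(":"):
        raw = raw.strip()
        if not raw:
            continue  # empty piece, e.g. after a trailing ':'
        if raw[0] not in ACTIONS:
            raise ValueError(f"term {raw!r} must start with +, ? or -")
        terms.append((ACTIONS[raw[0]], raw[1:]))
    return terms


def evaluate(template, ip):
    """Return the verdict for one stringified IPv4 address."""
    verdict = ACCEPT  # assumption: no matching term means accept
    for action, prefix in parse_authhosts(template):
        if ip.startswith(prefix):  # assumption: plain string-prefix match
            verdict = action  # later terms take precedence
    return verdict


def ambiguous_prefixes(template):
    """Prefixes whose last octet can still grow into another valid octet."""
    flagged = []
    for _action, prefix in parse_authhosts(template):
        last = prefix.rsplit(".", 1)[-1]
        if last.isdigit() and last != "0" and int(last) <= 25:
            flagged.append(prefix)  # e.g. '158.9' also covers 158.97.x.x
    return flagged


if __name__ == "__main__":
    # Constructed sample addresses, checked against the page's own template.
    for ip in ("158.97.12.10", "158.97.14.2", "203.0.113.5"):
        print(ip, evaluate("-:+158.97:", ip))
    print(ambiguous_prefixes("-:+158.9:+158.97:+10.1."))
```

Under the string-prefix reading, a term like `+158.9` admits 158.97.x.x as well as 158.9.x.x, so ending a partial prefix on a dot (`+158.9.`) pins it to whole octets.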

Author: flw  Location: U.S.A.  Posted: Sun Oct 13, 2002 4:30 pm    Post subject:
    ----
Quote:
In response to fastlanwan's question, and just for general knowledge, here's some info:

Winvnc Homepage:
http://www.uk.research.att.com/vnc/

Winvnc Server Documentation:
http://www.uk.research.att.com/vnc/winvnc.html

Well worth looking at... in particular, the AuthHosts registry setting, which allows you to restrict incoming connections.

This setting can be used as a number of security measures to help secure Winvnc.

For those of you who are interested, Winvnc uses port 5900 for the first default connection. You can also point your browser at 192.168.0.44:5800 for a Java viewer (port 5800). I believe that the web version can be turned off.

I am a great fan of Winvnc, and use it everywhere I can. For those of you who have never had the pleasure, Winvnc is a remote desktop application, similar to PC-Anywhere. (Well, it does the same job...)

Done.
_________________
Proud to be British.



I think you have misunderstood my question. I use VNC myself on client PCs; I understand how it works. So my question is why would anyone leave it on 24/7? PcAnywhere or VNC? It seems having it on all the time is asking for trouble, rather than on an as-needed basis.

fastlanwan

Author: Jason  Posted: Sun Oct 13, 2002 4:56 pm    Post subject:
    ----
Sorry mate, with you now.

I have come across situations where there does not seem to be any other option.

Case 1: At work my boss uses Winvnc to access company documents on the move. It is hard to predict when he will need access to various information, so the VNC server is always running.

The other point to consider: VNC server is remote software. If you switch it off, go to another country, then need to access your computer remotely, what do you do? There may be a situation where you cannot ring up someone and ask them to run VNC server. They may not have the knowledge, or may not even be available. E.g. it's Sunday.

Having applications such as VNC load at start up reduces confusion while providing you with flexibility. If you like, it is the easy way of doing things. I do agree with you that from a security perspective this does expose your system slightly more.

Keeping with the security perspective, a quick look over at dshield.org can show you how little port 5900 is scanned for, despite specialised scanning tools, such as VNC Manager:

http://www.sysworksoft.net/products/vncmng.html

(Had this little prog installed for months, it's great!)

There are relatively few public vulnerabilities in Winvnc, and these are in older versions.

So, my general feeling is, with a strong password, and the latest and greatest version of VNC installed, you are reasonably secure, or at least secure enough to be able to leave your VNC server on 24/7.

J

Author: ShaolinTiger  Location: Kuala Lumpur, Malaysia  Posted: Sun Oct 13, 2002 6:01 pm    Post subject:
    ----
Indeed J I was going to say the exact same thing..

How can you start it as and when needed if there are no remote admin tools running...

Kinda defeats the object of having it if it's not there all the time.

There's usually no one technically competent around to start it (if there is why would you be running it in the first place?).

And using SSH tunnels and a strong password it's as secure as any other service (as J says there are no exploits for the new ones, and most of the exploits that existed were just DoS bugs).

Author: flw  Location: U.S.A.  Posted: Sun Oct 13, 2002 8:57 pm    Post subject:
    ----
So you're using ssh to secure your setup then and have all other services turned off? Are you using ssh1 or 2 and with encryption? Also unless VNC has changed it has no lockout feature for number of failed access attempts. So someone can keep hammering away?

Internally (LAN/WAN) I am a fan of VNC, it's the over the net that makes me think twice.

Note: I have a series of bots that are after my Linux server using ssh1. In addition to other measures I have taken, the bots were never programmed to try ssh2, just ssh1 with no encryption.

On the same subnet is an NT Web proxy server that has never been attacked. Everyone seems to go for the Linux box mail and webserver. I don't know why, they just do. A hacker would see ssh and/or Apache running and assume all devices must be Linux/Unix variations. Wrong.

This has proven an old rule true again. READ YOUR LOG FILES. That's what gave them away. Unusual patterns in the normal routine.

fastlanwan

Author: Insecure  Posted: Sun Oct 13, 2002 9:07 pm    Post subject: putty
    ----
Will I need to have PuTTY installed everywhere that I want to use as a VNC client?

Author: ShaolinTiger  Location: Kuala Lumpur, Malaysia  Posted: Sun Oct 13, 2002 11:08 pm    Post subject:
    ----
Check this out:

http://www.security-forums.com/forum/viewtopic.php?p=6732

Has some pictures and stuff.

P.S. PuTTY doesn't need installing. It's proper software (stand-alone executable); you can configure it, stick it on a disk/CD and take it around with you.

Author: Jason  Posted: Mon Oct 14, 2002 7:57 pm    Post subject:
    ----
What sort of speed impact does encrypting VNC have?

Particularly in:

1) 100 MB/sec LAN
2) NTL 128K accessing BT Openworld 512K service.

Any ideas would be appreciated.

Cheers

J

Author: Posideon  Location: UK Baby!!!  Posted: Mon Jan 13, 2003 5:41 pm    Post subject:
    ----
Quote:
I am a big fan of AT&T's VNC, which allows you remote desktop from any computer with a Browser and an Internet connection.



Does WinVNC allow you to use remote control via a browser? I always thought it was just the client VNCviewer you used.


Dan
-------------------



Author: ShaolinTiger  Location: Kuala Lumpur, Malaysia  Posted: Mon Jan 13, 2003 5:47 pm    Post subject:
    ----
Yeah, via a web-based Java applet I believe... never used it myself though, always preferred the client.

Author: Posideon  Location: UK Baby!!!  Posted: Mon Jan 13, 2003 6:03 pm    Post subject:
    ----
Is the browser as secure as the client? I'm thinking not but please tell me otherwise.


Dan
----------------




Author: ShaolinTiger  Location: Kuala Lumpur, Malaysia  Posted: Mon Jan 13, 2003 6:07 pm    Post subject:
    ----
Neither are particularly secure..

That's why I use TightVNC over SSH

Author: Rayxen  Location: Australia  Posted: Wed Mar 12, 2003 1:09 pm    Post subject:
    ----
Yep, I'm the same as Shaolin Tiger, TightVNC is a must instead of WinVNC, and use it through an SSH tunnel. Not difficult at all.



All times are GMT + 2 Hours