Virtual Network Computing (VNC) is a graphical desktop sharing system that uses the Remote Frame Buffer protocol (RFB) to remotely control another computer.

By default, RFB is not a secure protocol. While passwords are not sent in plain text (as they are in telnet), cracking could prove successful if both the encryption key and the encoded password are sniffed from the network.

Keep it simple: you should never establish a plain VNC connection over an untrusted network. Some VNC products provide a security plugin or a different cipher to secure the connection, but using such encryption plugins makes them incompatible with other VNC programs.

I have two articles about VNC: one is for a regular TigerVNC install and config on Linux, the other is for VM server VNC setup and how to secure the VNC connection.

In both of them, I mentioned how to make the VNC connection secure; here are some general tips on how to do it.

1. Open port and iptables protection

VNC by default uses TCP port 5900+N, where N is the display number (usually :0 for a physical display). Think it over when you are planning to open it to an untrusted network.

Perhaps just a whitelist for the LAN like this (replace <LAN_SUBNET> with your LAN range, e.g. 192.168.1.0/24):

# iptables -I INPUT -m state --state NEW -p tcp -s <LAN_SUBNET> --dport 5901 -j ACCEPT

NOT LIKE THIS, which opens the port to everyone:

# iptables -I INPUT -m state --state NEW -p tcp --destination-port 5901 -j ACCEPT 

Save the iptables config:

# service iptables save 

2. VNC server connection configuration

Change the VNC server config file '/etc/sysconfig/vncservers' so that the VNC server accepts localhost connections only:

    VNCSERVERS="1:vncuser1"
    VNCSERVERARGS[1]="-geometry 1024x768 -localhost"

This way, your VNC server only accepts localhost connections. For VM servers, probably just use iptables to block remote connections.

But, you may say, how can I then access the VNC server from another machine?

Try the SSH tunnel described below.

3. Make the VNC connection through an SSH tunnel

There are two ways in general to get a VNC connection through an SSH tunnel.

A. Use the 'via' option of the VNC client

$ vncviewer -via fibrevillage localhost:5901

The nice thing about the vncviewer '-via' option is that it invokes SSH local port forwarding for you: it opens an SSH session to the gateway (here fibrevillage) and connects to the given host:port as seen from that gateway, so you get a secure connection.

B. Use explicit SSH tunnel

Suppose the VNC server host is vnc_server and the VNC user's display is listening on port 5901:

$ ssh -L 3300:localhost:5901 vnc_server

Then start vncviewer and connect to local port 3300:

$ vncviewer localhost:3300

The VNC client gets connected to vnc_server through a secure SSH tunnel; this is equivalent to the VNC client '-via' option:

$ vncviewer -via vnc_server localhost:5901

Note: in the SSH tunnel case, you do not need to open the VNC server port to the outside at all.
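As an added example (not from the original article), a small POSIX shell check that the '-localhost' setting from section 2 actually took effect, so that the only way in really is the SSH tunnel. It parses 'ss -ltn' style output; the listening table below is a constructed sample so the check runs offline.

```shell
#!/bin/sh
# Added example: verify that a VNC display listens on loopback only.

# Map a VNC display number to its TCP port (5900 + N).
vnc_port() {
    echo $((5900 + $1))
}

# vnc_bind_check <display> <listen-table>
# Returns 0 if port 5900+display is bound only to 127.0.0.1 / [::1],
# 1 if it is bound to a wildcard or other address (reachable remotely),
# 2 if nothing is listening on that port at all.
vnc_bind_check() {
    port=$(vnc_port "$1")
    table=$2
    # Column 4 of "ss -ltn" is Local Address:Port; keep rows ending in :$port.
    listeners=$(printf '%s\n' "$table" | awk -v p=":$port" '
        NR > 1 && index($4, p) == length($4) - length(p) + 1 { print $4 }')
    [ -n "$listeners" ] || return 2
    for addr in $listeners; do
        case $addr in
            127.0.0.1:*|'[::1]:'*) ;;   # loopback only: what -localhost gives
            *) return 1 ;;               # anything else is exposed
        esac
    done
    return 0
}

# Constructed sample of "ss -ltn" output: display :1 correctly bound to
# loopback, display :2 exposed on all interfaces, display :3 not running.
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      5      127.0.0.1:5901    0.0.0.0:*
LISTEN 0      5      0.0.0.0:5902      0.0.0.0:*
LISTEN 0      128    [::]:22           [::]:*'

# Human-readable report over the sample table.
report() {
    for d in 1 2 3; do
        rc=0
        vnc_bind_check "$d" "$SAMPLE_SS" || rc=$?
        case $rc in
            0) echo "display :$d (port $(vnc_port "$d")): localhost only, ok" ;;
            1) echo "display :$d (port $(vnc_port "$d")): EXPOSED to the network" ;;
            2) echo "display :$d (port $(vnc_port "$d")): not listening" ;;
        esac
    done
}

report
```

On a live host, run the same check against real output: vnc_bind_check 1 "$(ss -ltn)".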


What about Windows VNC clients?

On a Windows machine, you can use PuTTY or a similar terminal tool to create an SSH tunnel, then point vncviewer at the tunnel port to get a secure connection.

Details can be found in "Use putty to create a ssh tunnel".
