People are foolish if they do not use SSH2 tunneling with VNC. If you want to employ good security measures then you should only have VNC set to "Allow Loopback Connections" with "Only Allow Loopback".

SSH2 adds another layer of security and encryption. Even if you do not allow VNC connections from the outside world, it is still a good practice on a LAN or WAN. SSH2 tunneling only adds a few extra steps to the process. I also recommend that you do not allow any SSH protocol 1 connections. This is very easy to disable on any Unix or Windows type system. Of course this means that you need to have an updated SSH2 compliant server installed.

Happy VNCing

Joe Coyle
Systems Administrator
Weather Services International
978-670-5166

-----Original Message-----
From: Jacob Hoover [mailto:[EMAIL PROTECTED]]
Sent: Friday, May 31, 2002 2:37 PM
To: [EMAIL PROTECTED]
Subject: RE: Security...

I didn't see the post, but VNC only uses the first eight characters of any given password. Working on the whole security idea, it wouldn't be that difficult to modify the server (Win version at least) to automatically disable itself after a defined number of authentication failures. This would keep out most brute force or word list hackers, but it would also stop the authorized user if the hacker tripped the safeguard.

Jacob Hoover

-----Original Message-----
From: Shing-Fat Fred Ma [mailto:[EMAIL PROTECTED]]
Sent: Friday, May 31, 2002 1:01 PM
To: [EMAIL PROTECTED]
Subject: Re: Security...

TightVNC requires that ssh be installed. It's a great package, but security is an issue even with ssh. It seems that a malicious person can repeatedly attempt to connect to the server with new passwords. Though it doesn't allow more than X number of attempts (somewhere around 5 or 7, I think), it's easy to "reset" its "memory". I can't quite remember, but I think I just tried connecting to a different server to reset the memory; or perhaps, I tried connecting to the same server from another site. Also, I don't think there was much delay between failed password attempts. The feature that prevents more than X attempts, I'm not sure if it's built into the viewer or the server.

That code is publicly accessible. There was a recent post that pointed to a security hacker website showing exactly how the viewer can be modified to more effectively try connecting to a viewer (I think it was by trying different passwords). I believe the password is only checked for a small number of characters in any case. Anyone remember this?

Fred

-------------------------------------------
Fred Ma
Department of Electronics
Carleton University, Mackenzie Building
1125 Colonel By Drive
Ottawa, Ontario
Canada K1S 5B6
[EMAIL PROTECTED]
===========================================
_______________________________________________
VNC-List mailing list
[EMAIL PROTECTED]
http://www.realvnc.com/mailman/listinfo/vnc-list
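The thread weighs a global "disable the server after N failures" guard against the lockout it would cause for the legitimate user, and notes that a lockout whose memory can be reset by connecting from elsewhere is weak. As an added example (not code from this thread or from any VNC project), here is a per-source throttle with exponential backoff, the kind of guard a VNC or SSH front end could apply instead; the client addresses and the fake clock are constructed for the demo.

```python
import time


class AuthThrottle:
    """Per-source failed-authentication throttle with exponential backoff.

    Failures are keyed by client address, so an attacker who trips the guard
    does not lock out the legitimate user, and there is no global counter
    that a second client could reset.
    """

    def __init__(self, base_delay=2.0, max_delay=300.0, clock=time.time):
        self._base = base_delay
        self._max = max_delay
        self._clock = clock        # injectable so the demo can fake time
        self._state = {}           # addr -> (failure_count, blocked_until)

    def allowed(self, addr):
        """True if this source may attempt authentication right now."""
        _, blocked_until = self._state.get(addr, (0, 0.0))
        return self._clock() >= blocked_until

    def record_failure(self, addr):
        """Record a failure; return the delay now imposed on this source."""
        failures, _ = self._state.get(addr, (0, 0.0))
        failures += 1
        delay = min(self._base * 2 ** (failures - 1), self._max)
        self._state[addr] = (failures, self._clock() + delay)
        return delay

    def record_success(self, addr):
        """A successful login clears the history for that source only."""
        self._state.pop(addr, None)


class FakeClock:
    """Constructed clock for the demo; advance() stands in for waiting."""
    def __init__(self):
        self.now = 0.0
    def __call__(self):
        return self.now
    def advance(self, seconds):
        self.now += seconds


def demo():
    """Constructed scenario: 203.0.113.5 fails five times in a row;
    the user at 192.0.2.10 must remain unaffected."""
    clock = FakeClock()
    t = AuthThrottle(clock=clock)
    delays = [t.record_failure("203.0.113.5") for _ in range(5)]
    return delays, t.allowed("203.0.113.5"), t.allowed("192.0.2.10")
```

Wrapping this around the listener on the loopback-only VNC port (or letting sshd's own limits do the job) slows a word-list run per source without the all-or-nothing behaviour of a global disable.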
