I agree with the problem of publishing the IPs and so forth, but.... You suggest using VPN and SSH. The whole problem is that a few people can't get it to work without the extra layers of protection. And for a few of them, it doesn't make sense that they can't connect. They seem to have pretty standard setups.

You can't set up a VPN until you get it working in the first place. Well... you could, but then you have yet another unknown in the mix.

JP

----- Original Message -----
From: "Carlyle Sutphen" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Tuesday, February 24, 2004 3:53 AM
Subject: !!!DANGER!!!! Acute security risk! WAKE UP!!!!

> Let me echo Jack with a bit of emphasis. Look, some of you
> are publishing the IP addresses of your routers, the make and version
> of your routers, WHICH PORTS YOU ARE OPENING and the IP
> addresses and operating systems of the machines behind your
> routers. This is a public mailing list that anybody can subscribe to.
> Your routers should be serving as FIREWALLS and many of you
> are degrading them to be simple routers and then letting the world
> know where to send their probes.
>
> Please look into VPN and SSH. Use VNC exclusively through one of
> these.
>
> Also, educate yourselves on intrusion detection. Turn up the logging
> verbosity on your routers and check them regularly. You may well be
> surprised to see what is going on "down there".
>
> http://www.google.de/search?q=monitor+access+attempts+tcp%2Fip+firewall+intrusion+detection+windows&ie=UTF-8&oe=UTF-8&hl=de&btnG=Google+Suche&meta=
>
> > If you can... look at firewalls (free software-based firewall
> > http://ipcop.org) over hardware access points by Linksys or Netgear...
> > you can limit what IPs are allowed access to red:5900. This is
> > still not a good solution, because you are using a known vector
> > to your equipment.
> >
> > What is better is to use a tunnel... VPN or SSH (again available in IPCop
> > for example). With these you will NOT be going to red port 5900.
> > You will be setting up an "extension" to your network. So your remote
> > will be functioning more akin to a local machine. Now VNC will be
> > connecting to the server. But the traffic will be flowing through the
> > routers. PS: all encrypted.
> >
> > Some net resources...
> >
> > http://www.ltsp.org/contrib/vnc.html
> > http://www.prosig.com/protor/kbase/VPNAccess-HOWTO.pdf
> > http://www.bitvise.com/screenshots.html
> >
> > Jack Beglinger
> > Project Lead IPCop
>
> Best regards,
> Carlyle
> Technical Information Security Officer
>
> --
> This e-mail may contain confidential and/or privileged information. If you are not the intended recipient (or have received this e-mail in error) please notify the sender immediately and destroy this e-mail. Any unauthorized copying, disclosure or distribution of the material in this e-mail is strictly forbidden.
>
> _______________________________________________
> VNC-List mailing list
> [EMAIL PROTECTED]
> To remove yourself from the list visit:
> http://www.realvnc.com/mailman/listinfo/vnc-list
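The two defensive points made in the quoted messages (carry VNC over an SSH tunnel rather than exposing port 5900 on the router's red interface, and turn up router logging and actually read it) can both be put into working form. The script below is an added example and is not code from anyone on this list or from the IPCop project. It assumes netfilter/iptables-style kernel log lines (IPCop runs on Linux, but the exact log format of any given router is an assumption here), and the log lines, addresses and allow-list are constructed samples. It builds the SSH forwarding command bound to loopback only, then counts per-source hits on VNC display ports and flags sources that are not on the administrator's allow-list.

```python
import re
from collections import Counter

# Constructed sample lines in netfilter/iptables LOG format (an assumption
# about the router's log style; real logs differ in detail). 203.0.113.7
# sweeps displays :0-:2, 198.51.100.23 is the administrator's own address.
SAMPLE_LOG = """\
Feb 24 03:51:02 fw kernel: IN=eth1 OUT= SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=41022 DPT=5900 SYN
Feb 24 03:51:03 fw kernel: IN=eth1 OUT= SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=41023 DPT=5901 SYN
Feb 24 03:51:03 fw kernel: IN=eth1 OUT= SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=41024 DPT=5902 SYN
Feb 24 03:52:10 fw kernel: IN=eth1 OUT= SRC=198.51.100.23 DST=192.0.2.10 PROTO=TCP SPT=50111 DPT=22 SYN
Feb 24 03:53:44 fw kernel: IN=eth1 OUT= SRC=198.51.100.23 DST=192.0.2.10 PROTO=TCP SPT=50112 DPT=5900 SYN
Feb 24 03:55:01 fw kernel: IN=eth1 OUT= SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=41025 DPT=5900 SYN
"""

LOG_RE = re.compile(r"SRC=(?P<src>\S+) .*?PROTO=(?P<proto>\S+) .*?DPT=(?P<dpt>\d+)")
VNC_PORTS = range(5900, 5910)   # VNC displays :0 .. :9


def ssh_tunnel_command(user, host, display=0):
    """argv for the tunnel the list recommends: forward a loopback-only
    local port to the VNC server on the far side, with no remote shell.
    The viewer then connects to localhost:<display>, never to red:5900."""
    port = 5900 + display
    forward = f"127.0.0.1:{port}:127.0.0.1:{port}"   # bind locally to loopback only
    return ["ssh", "-N", "-L", forward, f"{user}@{host}"]


def parse_log(text):
    """Yield (src, proto, dport) for every line the regex matches."""
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if m:
            yield m.group("src"), m.group("proto"), int(m.group("dpt"))


def vnc_probes_by_source(text):
    """Count inbound TCP hits on VNC display ports, per source address."""
    counts = Counter()
    for src, proto, dport in parse_log(text):
        if proto == "TCP" and dport in VNC_PORTS:
            counts[src] += 1
    return dict(counts)


def ports_touched(text, src):
    """Distinct destination ports one source tried; a sweep across
    5900/5901/5902 looks like a scanner rather than a user."""
    return sorted({d for s, _, d in parse_log(text) if s == src})


def flag_sources(text, allowed_sources=(), threshold=2):
    """Sources with at least `threshold` VNC-port hits that are not on
    the allow-list (the remote IPs one would restrict red:5900 to)."""
    counts = vnc_probes_by_source(text)
    return sorted(src for src, n in counts.items()
                  if n >= threshold and src not in allowed_sources)


if __name__ == "__main__":
    print(" ".join(ssh_tunnel_command("jp", "router.example.net")))
    for src in flag_sources(SAMPLE_LOG, allowed_sources={"198.51.100.23"}):
        hits = vnc_probes_by_source(SAMPLE_LOG)[src]
        print(f"{src}: {hits} VNC hits, ports {ports_touched(SAMPLE_LOG, src)}")
```

Run it against a real router's log export in place of `SAMPLE_LOG`; the allow-list and threshold are the knobs to tune, and the loopback-only bind in the forward spec is what keeps the tunnel endpoint from becoming a new listener on the client's LAN.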
