On Aug 9, 2008, at 2:00 PM, Peter Bunn wrote:
But at this point, it has become difficult for my father to remember to reliably click an icon to start the VNC server, so...
Hmm. That does make it hard. I set up a listening VNC viewer, and
had my mother start the server and open the connection with a single
application. I put it on the quicklaunch bar, and that seemed to go
well. But. . .
(By the way, I don't think, at this moment, I have enough skill to set up an SSH tunnel, so I am excluding that from consideration... even if it might be the most secure option.)
I got so frustrated with my mother's machine because a PC doesn't have
a native way to accept an SSH session. She just bought a Mac, and I'm
in heaven (comparatively, anyway). The one option you could do is to
have your Mac listen for an SSH connection and set up the tunnel, but
that means your father would have to initiate the connection -- with
the same issues from above. :-(
My questions are these:
- Do open ports - in and of themselves - constitute a security risk even if there is no program listening on them? Or, stated another way, if the VNC server is *not* running is there a risk in having port 5900 open? This is pertinent because I could open ports via a web remote access service to initiate a VNC session, then close the ports at the end of the session - OR - I could start and stop the VNC server via the same web service. But I don't know which - if either - would be an effective means of reducing risk.
Generally speaking, having a port open with no service running on that
port is not a security hole. I say "generally", because you never
know if you can gain exploit by using the replies from the computer
stating that that port is closed (yeah, I'm generalizing and
paraphrasing).
In this situation, I'd *both* start and stop the port forwarding *and*
stop and start the VNC server. Both would reduce your exposure (since
it's very easy to forget to terminate the VNC service, and if you have
the port open all the time. . .)
Of course, this becomes *MUCH* easier if you can script the "open the
port, start the service" process.
- Would assigning VNC service to another port well outside the range of the normal default (5900) offer any additional protection from an 'obscurity' standpoint?
I put all my VNC servers on something other than the default, since I
just don't want to deal with all the traffic from probes. My
assumption is that there are people out there scanning 5900 on all
machines. If someone is trying to get in *YOUR* network, they'll
portscan, and of course find 5903 or whatever you've chosen to use.
- My father's IP changes with almost every reconnect. Does this
represent any advantage in terms of obscurity?
Only if there's someone out there trying to compromise your father's
machine specifically. Otherwise, it's just an IP address someone is
scanning by default.
- My own IP changes at the discretion of my ISP also, but usually falls within a range of xxx.yyy.999.99, where xxx.yyy are pretty constant. Can I configure Access Control to accept VNC connections only within that range without specifying the actual originating viewer IP? The documentation isn't clear to me on this point.
Depends on what's doing the restriction. I don't know about VNC's
access controls, since I don't use it (I always come in from one IP
address, so I use access controls on the firewall/router). Having said
that, most firewalls/routers will allow either an IP range or netmask.
- Finally, I would be happy to spend the money necessary towards the RealVNC 'Enterprise' version, but given all of the above, I'm uncertain it affords any more security 'between sessions' - that is, with ports open and the server running... which is what would be most convenient for me as the 'default' condition. That when my father is simply using the computer normally, the VNC ports would be open and the server running so I could gain access readily at any time.
Well, if you shut down the VNC server while not in use, then of course
the Enterprise version won't afford more protection -- it can hardly
do so when it's not running. ;-) But if the server is running? Well,
I don't know. Perhaps.
PS - I am on a dialup at a max of 24K yet can still reliably access my
Dad's PC and do 'useful work' there... which I find little short of
amazing. I'm grateful for the ability to do so.
Indeed, I started using VNC when I had a 24.4K Modem. I'd used LBX
(Low Bandwidth X), SerialXpress (A Tektronix X extension for slow
links) and a few others (Timbuktu, anyone?) and VNC has rocked.
Sean
_______________________________________________
VNC-List mailing list
[email protected]
To remove yourself from the list visit:
http://www.realvnc.com/mailman/listinfo/vnc-list
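Two of the points in the exchange above can be checked directly: what a port scanner actually sees at a forwarded port once the VNC server is stopped (an RST, i.e. "closed", which still tells the scanner a live host is forwarding that port, versus "filtered" when nothing is forwarded at all), and how a range-or-netmask allow list of the kind Sean describes on the firewall/router decides on a viewer's source address. The script below is an added example written for this page; it is not code from the list, from RealVNC, or from either poster. The probe runs against a throwaway local listener standing in for the VNC server, the 198.51.0.0/16 range is a constructed stand-in for Peter's "xxx.yyy" ISP block, and the "+"/"-" rule syntax is a simplification assumed here, not the exact RealVNC Hosts parameter format.

```python
"""Added example: scanner's view of a port with/without a listener, and a
first-match source-IP allow/deny list. Not code from the mailing list or
from RealVNC."""
import ipaddress
import socket
from contextlib import closing

DEFAULT_VNC_PORT = 5900  # the well-known port that gets mass-scanned


def probe(host, port, timeout=2.0):
    """Classify a TCP port the way a port scanner reports it.

    "open"     - the handshake completes: a service (e.g. VNC) is listening.
    "closed"   - the host answered with RST: nothing listens, but the host
                 (or the router forwarding to it) is alive and reachable.
    "filtered" - no answer within the timeout: a firewall dropped the SYN.
    Other socket errors (unreachable network, etc.) are lumped in with
    "filtered" for simplicity; a real scanner distinguishes them.
    """
    with closing(socket.socket(socket.AF_INET, socket.SOCK_STREAM)) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
        except ConnectionRefusedError:
            return "closed"
        except (socket.timeout, OSError):
            return "filtered"
        return "open"


def start_listener(port=0):
    """Bind a throwaway listener on localhost standing in for a running VNC
    server. port=0 lets the OS pick a free port so the demo never collides
    with a real service."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", port))
    srv.listen(1)
    return srv, srv.getsockname()[1]


def demo_port_states():
    """Probe one port while the stand-in 'VNC server' is running, stop it,
    and probe again. Everything happens on 127.0.0.1; no network needed."""
    srv, port = start_listener()
    running = probe("127.0.0.1", port)
    srv.close()  # "stop the VNC server": the port is now unbound
    stopped = probe("127.0.0.1", port)
    return {"port": port, "running": running, "stopped": stopped}


# Constructed stand-in for Peter's ISP block "xxx.yyy.*.*": allow the /16
# the viewer connects from and deny everything else. First match wins.
VIEWER_RULES = ["+198.51.0.0/16", "-0.0.0.0/0"]


def allowed(src_ip, rules):
    """First-match allow/deny list. Each rule is '+' (allow) or '-' (deny)
    followed by a single address or a CIDR network; an address matching no
    rule is denied. Assumed syntax, not RealVNC's exact Hosts format."""
    addr = ipaddress.ip_address(src_ip)
    for rule in rules:
        action, pattern = rule[0], rule[1:]
        if action not in "+-":
            raise ValueError(f"rule must start with + or -: {rule!r}")
        # strict=False lets a host address like 198.51.100.7 act as a /32
        if addr in ipaddress.ip_network(pattern, strict=False):
            return action == "+"
    return False


if __name__ == "__main__":
    states = demo_port_states()
    print(f"port {states['port']}: server running -> {states['running']}, "
          f"server stopped -> {states['stopped']}")
    for ip in ("198.51.100.23", "203.0.113.9"):
        print(f"viewer from {ip}: {'allowed' if allowed(ip, VIEWER_RULES) else 'denied'}")
```

The "closed" result is the crux of Peter's first question: with the router still forwarding 5900 (or whatever port was chosen) to a PC whose VNC server is stopped, a scanner gets an RST back and learns that a host is there and which port it forwards, whereas removing the forward makes the same probe time out as "filtered". Stopping the server removes the attack surface; removing the forward removes the signal. The allow list shows why a /16 rule lets Peter skip hard-coding the viewer's current address, at the cost of trusting every other customer in that ISP block.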