I used to experience similar problems whilst remotely helping friends and family and overcame this by installing Hamachi on each of the computers. This acts as a secure tunnel with a constant IP address in the 5 series, thereby obviating the need to worry about open ports, forwarding or whatever.

On each of the remote computers, VNC Server and Hamachi are run automatically at start-up.

Kind regards

Bill

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Sean Kamath
Sent: Sunday, August 10, 2008 7:00 AM
To: Peter Bunn
Cc: VNC Mailing List
Subject: Re: Using VNC (More) Securely...

On Aug 9, 2008, at 2:00 PM, Peter Bunn wrote:

> But at this point, it has become difficult for my father to remember to reliably click an icon to start the VNC server, so...

Hmm. That does make it hard. I set up a listening VNC viewer, and had my mother start the server and open the connection with a single application. I put it on the quicklaunch bar, and that seemed to go well. But. . .

> (By the way, I don't think, at this moment, I have enough skill to set up an SSH tunnel, so I am excluding that from consideration... even if it might be the most secure option.)

I got so frustrated with my mother's machine because a PC doesn't have a native way to accept an SSH session. She just bought a Mac, and I'm in heaven (comparatively, anyway). The one option you could do is to have your Mac listen for an SSH connection and set up the tunnel, but that means your father would have to initiate the connection -- with the same issues from above. :-(

> My questions are these:
>
> - Do open ports - in and of themselves - constitute a security risk even if there is no program listening on them? Or, stated another way, if the VNC server is *not* running is there a risk in having port 5900 open? This is pertinent because I could open ports via a web remote access service to initiate a VNC session, then close the ports at the end of the session - OR - I could start and stop the VNC server via the same web service. But I don't know which - if either - would be an effective means of reducing risk.

Generally speaking, having a port open with no service running on that port is not a security hole. I say "generally", because you never know if you can gain exploit by using the replies from the computer stating that that port is closed (yeah, I'm generalizing and paraphrasing). In this situation, I'd *both* start and stop the port forwarding *and* stop and start the VNC server. Both would reduce your exposure (since it's very easy to forget to terminate the VNC service, and if you have the port open all the time. . .). Of course, this becomes *MUCH* easier if you can script the "open the port, start the service" process.

> - Would assigning VNC service to another port well outside the range of the normal default (5900) offer any additional protection from an 'obscurity' standpoint?

I put all my VNC servers on something other than the default, since I just don't want to deal with all the traffic from probes. My assumption is that there are people out there scanning 5900 on all machines. If someone is trying to get in *YOUR* network, they'll portscan, and of course find 5903 or whatever you've chosen to use.

> - My father's IP changes with almost every reconnect. Does this represent any advantage in terms of obscurity?

Only if there's someone out there trying to compromise your father's machine specifically. Otherwise, it's just an IP address someone is scanning by default.

> - My own IP changes at the discretion of my ISP also, but usually falls within a range of xxx.yyy.999.99, where xxx.yyy are pretty constant. Can I configure Access Control to accept VNC connections only within that range without specifying the actual originating viewer IP? The documentation isn't clear to me on this point.

Depends on what's doing the restriction. I don't know about VNC's access controls, since I don't use it (I always come in from one IP address, so I use access controls on the firewall/router). Having said that, most firewalls/routers will allow either an IP range or netmask.

> - Finally, I would be happy to spend the money necessary towards the RealVNC 'Enterprise' version, but given all of the above, I'm uncertain it affords any more security 'between sessions' - that is, with ports open and the server running... which is what would be most convenient for me as the 'default' condition. That when my father is simply using the computer normally, the VNC ports would be open and the server running so I could gain access readily at any time.

Well, if you shut down the VNC server while not in use, then of course the Enterprise version won't afford more protection -- it can hardly do so when it's not running. ;-) But if the server is running? Well, I don't know. Perhaps.

> PS - I am on a dialup at a max of 24K yet can still reliably access my Dad's PC and do 'useful work' there... which I find little short of amazing. I'm grateful for the ability to do so.

Indeed, I started using VNC when I had a 24.4K modem. I'd used LBX (Low Bandwidth X), SerialXpress (a Tektronix X extension for slow links) and a few others (Timbuktu, anyone?) and VNC has rocked.

Sean

_______________________________________________
VNC-List mailing list
[email protected]
To remove yourself from the list visit:
http://www.realvnc.com/mailman/listinfo/vnc-list
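Peter asks whether he can accept VNC connections only from the ISP range his viewer comes from (first two octets constant), and Sean's answer is that most firewalls and routers take an IP range or netmask. The block below is an added example, not code from this thread and not RealVNC's access-control implementation: it turns "the first N octets stay constant" into a CIDR block, evaluates a first-match allow/deny list the way a firewall would, and replays a few connection attempts against it. The `allow <cidr>` / `deny <cidr>` rule syntax is an assumption made for illustration, and all addresses and log lines are constructed samples.

```python
# Added example, not code from the VNC list thread or from RealVNC.
# A first-match allow/deny evaluator modelled on the "IP range or netmask"
# restriction Sean describes applying at the firewall/router.
# The rule syntax below is assumed for this illustration; addresses are constructed.
import ipaddress
from typing import Iterable, List, Tuple

Rule = Tuple[str, ipaddress.IPv4Network]


def network_for_constant_octets(sample_ip: str, constant_octets: int) -> ipaddress.IPv4Network:
    """Turn "my ISP keeps the first N octets constant" into a CIDR block.

    Peter's case (xxx.yyy.*.* with the first two octets fixed) is a /16.
    """
    if not 1 <= constant_octets <= 4:
        raise ValueError("constant_octets must be between 1 and 4")
    # strict=False lets ip_network zero the host bits for us.
    return ipaddress.ip_network(f"{sample_ip}/{8 * constant_octets}", strict=False)


def parse_rules(lines: Iterable[str]) -> List[Rule]:
    """Parse 'allow|deny <network>' lines; '#' starts a comment (assumed syntax)."""
    rules: List[Rule] = []
    for raw in lines:
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) != 2 or parts[0].lower() not in ("allow", "deny"):
            raise ValueError(f"malformed rule: {raw!r}")
        rules.append((parts[0].lower(), ipaddress.ip_network(parts[1], strict=False)))
    return rules


def is_allowed(source_ip: str, rules: List[Rule]) -> bool:
    """First matching rule wins; no match means deny, so the list fails closed."""
    addr = ipaddress.ip_address(source_ip)
    for action, net in rules:
        if addr in net:
            return action == "allow"
    return False


def audit_attempts(log_lines: Iterable[str], rules: List[Rule]) -> dict:
    """Replay 'timestamp src_ip' lines and report which sources would get in."""
    result = {"allowed": [], "denied": []}
    for line in log_lines:
        _timestamp, src = line.split()
        bucket = "allowed" if is_allowed(src, rules) else "denied"
        result[bucket].append(src)
    return result


# Constructed sample: the viewer sits somewhere in 203.0.0.0/16 (first two
# octets constant). One host inside that range is explicitly blocked, and
# it must come BEFORE the broader allow or the allow would match first.
VIEWER_NET = network_for_constant_octets("203.0.113.7", constant_octets=2)
RULES = parse_rules([
    "deny  203.0.113.200/32   # a specific host we never want in",
    f"allow {VIEWER_NET}       # the ISP range the viewer comes from",
    "# anything else falls through to the implicit deny",
])

# Constructed connection attempts (timestamp, source address).
SAMPLE_LOG = [
    "2008-08-10T07:00:01 203.0.5.9",      # viewer, inside the /16
    "2008-08-10T07:00:02 203.0.113.200",  # the explicitly denied host
    "2008-08-10T07:00:03 198.51.100.4",   # a probe from outside the range
]

if __name__ == "__main__":
    print("viewer network:", VIEWER_NET)
    for action, net in RULES:
        print(f"  {action:5} {net}")
    print(audit_attempts(SAMPLE_LOG, RULES))
```

Two points the code makes that the thread only implies: rule order matters under first-match semantics (the narrow deny has to precede the broad allow), and the list should fail closed, so a viewer address that drifts outside the expected range is refused rather than admitted. A /16 still lets every other customer of that ISP reach the listener, so this narrows exposure; it does not replace the VNC password or Sean's advice to stop the service and the forwarding between sessions.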
