Hello again: I'm very grateful for all the suggestions I received from my last post, but still have not implemented an SSH tunnel or a 'Hamachi-like' solution.
What I *have* done - until I adopt a more secure tunnel of some sort... until I'm comfortable adding another layer of complexity to the connection - is the following: (Recall that the operable VNC port is always open and the VNC server always running in Service Mode when the computer is on... presently only about 6-12 hours per week.)

- Set the VNC server port to something non-standard in the 5 digit range.
- Closed the HTTP 'outgoing' port.
- Obfuscated the description of the listening service in the ICF firewall.
- Limited permitted access to the subnet block (abc.xyz.0.0) that my own ISP assigns me when I dialup to the Internet.
- Slightly strengthened the 8 character password that the free version of RealVNC allows.

-----

At this point, with my very limited knowledge of how an open port exploit might be achieved, I'm thinking a hacker must go through (roughly) this process to do something nasty:

- Randomly (or purposefully) scan the IP address and find an open port.
- Guess the nature of the listening service (if it isn't explicitly reported by his scanning software).
- Spoof the IP address to mimic an address within the permitted access subnet (as above).
- Break the 'non-dictionary' 8 character password.

-----

I guess I would ask first if I'm (roughly) correct in my thinking... and then ask how easy it would be to achieve the sequence of steps in the hack.

At the moment, I'm actually less concerned about an unencrypted VNC session than I am about the 'everyday' vulnerability of the open port and the always on VNC server... the latter two being (almost) necessary for reliable access to my Father's computer. My Dad does little or no web commerce, has little or no sensitive data on his computer (that I'm aware of), and during one of my maintenance sessions, there is little or no sensitive data passed between the two machines.

So... can I rest easy for the moment or should I - with all due haste - try to implement a more secure connection method?
-----

Once again, an awfully long-winded post, but still hoping for additional insights. Thanks very much for your time.

Peter B.

-----
_______________________________________________
VNC-List mailing list
[email protected]
To remove yourself from the list visit:
http://www.realvnc.com/mailman/listinfo/vnc-list
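
Added example, not part of the original post: a self-check to run against your own VNC host, relevant to the "guess the nature of the listening service" step listed above. The RFB protocol used by VNC has the server open the conversation with a 12-byte ProtocolVersion greeting, so this script reports what the port volunteers to a client that is allowed to connect. The function names, the address and the port in it are assumptions made for illustration.

```python
import re
import socket

# RFB ProtocolVersion greeting: exactly 12 bytes, e.g. b"RFB 003.008\n"
RFB_BANNER = re.compile(rb"RFB (\d{3})\.(\d{3})\n")


def parse_rfb_banner(data):
    """Return (major, minor) if data is exactly an RFB greeting, else None."""
    m = RFB_BANNER.fullmatch(data)
    return (int(m.group(1)), int(m.group(2))) if m else None


def read_greeting(host, port, timeout=5.0):
    """Connect and read up to 12 bytes that the service sends unprompted."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.settimeout(timeout)
        buf = b""
        try:
            while len(buf) < 12:
                chunk = s.recv(12 - len(buf))
                if not chunk:
                    break  # peer closed before sending a full greeting
                buf += chunk
        except socket.timeout:
            pass  # service stayed silent; report whatever arrived
        return buf


def audit(host, port, timeout=5.0):
    """Summarise what the port reveals from this vantage point."""
    try:
        greeting = read_greeting(host, port, timeout)
    except OSError as exc:
        # Refused, filtered or unroutable: nothing is disclosed from here.
        return {"reachable": False, "detail": str(exc)}
    version = parse_rfb_banner(greeting)
    return {
        "reachable": True,
        "identifies_as_vnc": version is not None,
        "rfb_version": version,
        "raw": greeting,
    }


if __name__ == "__main__":
    # Placeholder address and port: substitute your own server's values.
    print(audit("127.0.0.1", 59000, timeout=2.0))
```

Running it once from an address inside the permitted subnet and once from outside shows what each vantage point learns about the listening service.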
