On Fri, 2008-08-15 at 15:09 -0500, Peter Bunn wrote:
> Hello again:
>
> I'm very grateful for all the suggestions I received from my last post,
> but still have not implemented an SSH tunnel or a 'Hamachi-like' solution.
>
> What I *have* done - until I adopt a more secure tunnel of some sort...
> until I'm comfortable adding another layer of complexity to the
> connection - is the following:
>
> (Recall that the operable VNC port is always open and the VNC server
> always running in Service Mode when the computer is on... presently only
> about 6-12 hours per week.)
>
> - Set the VNC server port to something non-standard in the 5 digit range.
>
> - Closed the HTTP 'outgoing' port.
>
> - Obfuscated the description of the listening service in the ICF firewall.
>
> - Limited permitted access to the subnet block (abc.xyz.0.0) that my own
> ISP assigns me when I dialup to the Internet.
>
> - Slightly strengthened the 8 character password that the free version of
> RealVNC allows.
>
> -----
>
> At this point, with my very limited knowledge of how an open port exploit
> might be achieved, I'm thinking a hacker must go through (roughly) this
> process to do something nasty:
>
> - Randomly (or purposefully) scan the IP address and find an open port.
>
> - Guess the nature of the listening service (if it isn't explicitly
> reported by his scanning software).
>
> - Spoof the IP address to mimic an address within the permitted access
> subnet (as above).
>
> - Break the 'non-dictionary' 8 character password.
>
> -----
>
> I guess I would ask first if I'm (roughly) correct in my thinking... and
> then ask how easy it would be to achieve the sequence of steps in the
> hack.
>
> At the moment, I'm actually less concerned about an unencrypted VNC
> session than I am about the 'everyday' vulnerability of the open port and
> the always on VNC server... the latter two being (almost) necessary for
> reliable access to my Father's computer.
>
> My Dad does little or no web commerce, has little or no sensitive data on
> his computer (that I'm aware of), and during one of my maintenance
> sessions, there is little or no sensitive data passed between the two
> machines.
>
> So... can I rest easy for the moment or should I - with all due haste -
> try to implement a more secure connection method?
>
> -----
>
> Once again, an awfully long-winded post, but still hoping for additional
> insights.

I would not be comfortable with this setup, except temporarily... and...
It really is pretty easy to set up a secured tunnel that uses public key/
private key encryption. Even on Windoze nowadays!

If on Windoze (as the server), install CopSSH on the Windoze box, then
generate a key pair, install the public key on the server side in
the .ssh directory, configure ssh to disallow password authentication,
and listen on a non-standard port (something in the 5 digit range which
you then open through the router with port forwarding).

With public/private key encryption (and password authentication
disabled), there is no way someone can get in, unless they have your
private key, and your key's password, or they find a vulnerability in SSH
that they can exploit. SSH has been very solid for a very long time.

When I want to connect to my father's PC (which has this setup on it),
and VNCServer running at startup... I simply ssh into his box as
follows: (this creates the tunnel)

    ssh -l my_username dads.dyndns.address \
        -p port_number -L 5900:localhost:5900

Then on my local box, I run:

    vncviewer localhost

It works great!

Get basic ssh working first. Then this is easy.

Lincoln
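
The reply above depends on two sshd settings: password authentication disabled and a non-standard listening port. The script below is an added example, not part of the original post or of CopSSH, that checks an sshd_config file for both. The function names, the sample configs and port 49222 are constructed for illustration, and Match and Include blocks are assumed absent (parsing stops at the first Match line).

```shell
#!/bin/sh
# Added example, not from the original post. Function names are hypothetical.
# Assumption: Match and Include blocks are not evaluated; parsing stops at Match.

# sshd uses the FIRST value it reads for most keywords (case-insensitive),
# so a "no" appended below an earlier "yes" has no effect.
sshd_first() {   # usage: sshd_first KEYWORD FILE
    awk -v key="$1" '
        { sub(/=/, " ") }                  # accept "Keyword=value" too
        /^[ \t]*#/ { next }
        tolower($1) == "match" { exit }
        tolower($1) == tolower(key) { print tolower($2); exit }
    ' "$2"
}

# Port may be given several times; with no Port line sshd listens on 22.
sshd_ports() {   # usage: sshd_ports FILE
    awk '
        { sub(/=/, " ") }
        /^[ \t]*#/ { next }
        tolower($1) == "match" { exit }
        tolower($1) == "port" { print $2; n++ }
        END { if (!n) print 22 }
    ' "$1"
}

audit_sshd() {   # returns 0 only for key-only login on non-standard port(s)
    cfg=$1; rc=0
    pw=$(sshd_first PasswordAuthentication "$cfg")
    pk=$(sshd_first PubkeyAuthentication "$cfg")
    [ "${pw:-yes}" = no ]  || { echo "FAIL: password authentication enabled"; rc=1; }
    [ "${pk:-yes}" = yes ] || { echo "FAIL: public key authentication disabled"; rc=1; }
    for p in $(sshd_ports "$cfg"); do
        [ "$p" != 22 ] || { echo "FAIL: listening on standard port 22"; rc=1; }
    done
    if [ "$rc" -eq 0 ]; then echo "OK: key-only login, non-standard port"; fi
    return "$rc"
}

# Constructed sample configs; 49222 is an arbitrary example port.
tmp=$(mktemp -d)
printf '%s\n' '#Port 22' 'PasswordAuthentication yes' \
    'PasswordAuthentication no' > "$tmp/weak"
printf '%s\n' 'Port 49222' 'passwordauthentication no' > "$tmp/hardened"
audit_sshd "$tmp/weak" || true
audit_sshd "$tmp/hardened"
```

Where OpenSSH's sshd binary is available, `sshd -T` prints the effective settings the daemon will actually use and is the authoritative check.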
_______________________________________________
VNC-List mailing list