Page 1 of 2 12 LastLast
Results 1 to 10 of 12

Thread: Vnc, is this safe?

  1. #1
    Join Date
    May 2009
    Location
    Fareham, UK
    Beans
    Hidden!
    Distro
    Xubuntu 14.04 Trusty Tahr

    [Solved] Vnc, is this safe?

    I been looking into VNC today, I've never had to use it before so I know nothing about it but my mum asked me to install Linux Mint on her laptop so I'm sure I'll be needing it.

    What I need is to someone who knows the field to just give me the green or red light if my method is safe to use, I know VNC over the internet can be a bit of a touchy subject with regards to security.

    I'm fairly comfortable with ssh, so I already have a secure connection established with ssh (no password, rsa keys etc.) lets assume here that the ssh connection is safe and sound so we don't get off topic. Anyway here's a quick run-down of what I think is okay.

    Server:
    I've opened up Vino (the standard vnc server in Mint, I think ubuntu too) and chosen to share my desktop with others and allow control of it, I've selected the option so the server has to authorise each connection to allow any vnc session (no password, I'll probably only ask her to turn this on as and when we need it).

    Client: (eeepc is my test host)
    I've installed Remmina to use as a client. My first step here is to forward a ssh port
    Code:
    ssh -L 2808:localhost:5900 eeepc
    then I've opened remmina and used localhost as a server with port 2808 (randomly chosen)

    The connection request then pops up on the server and after mum clicking connect then I've started my own remote IT help desk, great.

    So the big question, is this safe, green light or red light? At least in the terms of general home use (excluding the risk of high-profile attacker targeting my dear old mum)

    Many Thanks
    Regards
    Mark
    Last edited by CaptainMark; May 1st, 2013 at 07:26 AM. Reason: added prefix
    Catch me on Freenode - imark

  2. #2
    Join Date
    Apr 2012
    Beans
    5,814

    Re: Vnc, is this safe?

    It's not necessarily unsafe (since presumably your mum's router will NOT be port forwarding anything to her port 5900) however if you are going to insist on ssh tunneling you may as well tell the VNC server only to accept connections from localhost so that 5900 is actually closed - just creating the tunnel doesn't do that, afaik

    For the default vino-server that option seems to have been omitted from the GUI so you need to dig into dconf to get to it - either by installing the graphical dconf editor or via the command line as

    Code:
    dconf write /desktop/gnome/remote-access/network-interface "'lo'"
    This would give a layer of protection even if someone got inside her LAN (in addition to any firewall that you are running on the machine).

    [DISCLAIMER: I am *not* an expert - this is just a result of my own experiments]

  3. #3
    Join Date
    Oct 2004
    Location
    Denmark - Scandinavia
    Beans
    17,619
    Distro
    Ubuntu 13.04 Raring Ringtail

    Re: Vnc, is this safe?

    Moved to Other OS/Distro Support.
    elementary OS Luna
    My Screenshot

  4. #4
    Join Date
    May 2009
    Location
    Fareham, UK
    Beans
    Hidden!
    Distro
    Xubuntu 14.04 Trusty Tahr

    Re: Vnc, is this safe?

    So does Vino open port 5900 dy default, messing around with an online port checker would suggest it does, even without the upnp option ticked in vino preferences
    Catch me on Freenode - imark

  5. #5
    Join Date
    Oct 2009
    Beans
    Hidden!
    Distro
    Ubuntu 12.04 Precise Pangolin

    Re: Vnc, is this safe?

    +1 to setting VNC to listen to localhost. It is a very good idea to tunnel it over SSH, which is what you are attempting to do.

    Quote Originally Posted by CaptainMark View Post
    So does Vino open port 5900 dy default, messing around with an online port checker would suggest it does, even without the upnp option ticked in vino preferences
    Check:
    Code:
    sudo netstat -nlp
    Come to #ubuntuforums! We have cookies! | Basic Ubuntu Security Guide

    Tomorrow's an illusion and yesterday's a dream, today is a solution...

  6. #6
    Join Date
    Jun 2006
    Location
    Brisbane Australia
    Beans
    713

    Re: Vnc, is this safe?

    Quote Originally Posted by CaptainMark View Post
    So does Vino open port 5900 dy default, messing around with an online port checker would suggest it does, even without the upnp option ticked in vino preferences
    OP, your first post here is quite detailed but omits something very important. We assume your mothers laptop is behind her home router. So have you set only 1 port forward on that to forward ssh to her laptop? If that is the only port forward you have set in the router (forget about ssh port forwarding at the moment), and you have turned off upnp in Vino, then it is irrelevant whether Vino opens port 5900 etc on her laptop. Of course when you ssh from an external site then that address "eeepc" in your example will be the external IP address of your mum's router. This is often a dynamic address for home connections so most of us use a free service like dyndns.org, noip.com, etc.

    Personally, I set a port forward in my router from external port 443 to my server port 22. I recommend this because it allows you to ssh out on port 443 when you are in a corporate/work environment where the corporate firewall often blocks port 22 outbound. Port 443 is harder to block (used for ssh here instead of the usual https), I've never seen one that does.

  7. #7
    Join Date
    May 2009
    Location
    Fareham, UK
    Beans
    Hidden!
    Distro
    Xubuntu 14.04 Trusty Tahr

    Re: Vnc, is this safe?

    @CharlesA Okay I piped that through grep for 5900 and it does ask for port 5900 to be open even without the upnp option enabled

    @markbl Yes I should have mentioned, I haven't done anything yet to my mum's router, but when it comes to it, I'll only be forwarding the one port and it will be a totally random non-standard port to stop those pescky basic attack bots flooding the pc with half arsed attempts.

    Okay I'm pretty comfortable that this will be safe enough for general home purposes, all I need to get done is stop Vino from opening port 5900, I'd prefer to have absolutely no unnecessary ports open. I assume that was what Steeldriver mentioned but I'm off to work right now so I'll look into that tonight.

    Many thanks so far
    Catch me on Freenode - imark

  8. #8
    Join Date
    Oct 2009
    Beans
    Hidden!
    Distro
    Ubuntu 12.04 Precise Pangolin

    Re: Vnc, is this safe?

    There should be an option for it to only allow local connections, which should limit it to localhost.

    This might help:
    http://ubuntuforums.org/showthread.php?t=1995563
    Come to #ubuntuforums! We have cookies! | Basic Ubuntu Security Guide

    Tomorrow's an illusion and yesterday's a dream, today is a solution...

  9. #9
    Join Date
    May 2009
    Location
    Fareham, UK
    Beans
    Hidden!
    Distro
    Xubuntu 14.04 Trusty Tahr

    Re: Vnc, is this safe?

    Okay thanks for your help, I've followed that thread on my Ubuntu test rig and the netstat command still reports that vino is listening on port 5900 but an online port checker is reporting that 5900 is closed, so I guess this is maybe what I want??? I'm a touch confused, is it correct that netstat still reports vino listening on 5900 but only allowing connections from localhost?

    EDIT:
    I just done a quick google how to ping a specific port and got the tip to use nmap so this might help clarify, this is vino running
    Code:
    mark@desktop ~/ $ nmap -p 5900 127.0.0.1
    
    Starting Nmap 6.00 ( http://nmap.org ) at 2013-04-30 18:59 BST
    Nmap scan report for localhost (127.0.0.1)
    Host is up (0.000023s latency).
    PORT     STATE SERVICE
    5900/tcp open  vnc
    
    
    Nmap done: 1 IP address (1 host up) scanned in 0.03 seconds
    This would indicate that the port is open?? Im not sure, I'm not a expert on networking, I will try pinging from another pc

    2ND EDIT: nmap from another pc shows the port as closed so I guess I'm safe here. I'll close this one unless anyone sees any glaring security issues which I dont know about

    Many Thanks

    Cap'n
    Last edited by CaptainMark; April 30th, 2013 at 07:02 PM.
    Catch me on Freenode - imark

  10. #10
    Join Date
    Aug 2005
    Beans
    6,027

    Re: Vnc, is this safe?

    Anything connected to the internet is the devils spawn! Be gone satan!

Page 1 of 2 12 LastLast

Bookmarks

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •