Securing vnc

CoW]8(0)

I've set up a tightvncserver on a remote machine and I'm using an ssh tunnel via the command:

Code:
ssh -f -N -L 5901:localhost:5901 [email protected]

So MY connection to the remote machine is secure, but I don't like the fact that tightvncserver on the remote machine is hosting an open port on 5901 especially since their passwords are limited to 8 characters.

What's the best way for me to secure this? Should I just make the vnc port nonstandard instead of 5901?
 
CoW]8(0);1037282960 said:
I've set up a tightvncserver on a remote machine and I'm using an ssh tunnel via the command:

Code:
ssh -f -N -L 5901:localhost:5901 [email protected]

So MY connection to the remote machine is secure, but I don't like the fact that tightvncserver on the remote machine is hosting an open port on 5901 especially since their passwords are limited to 8 characters.

What's the best way for me to secure this? Should I just make the vnc port nonstandard instead of 5901?

That's what I do. Is this an external port to the world or internal?

If it's external, can you maybe use a VPN connection to the router? Then VNC into the machine internally?
 
external to the world

I don't have access to the router of the remote machine.
 
CoW]8(0);1037283077 said:
external to the world

I don't have access to the router of the remote machine.

Change the port to something oddball and higher up, like 8881 or something like that.
 
Ultra VNC (my favorite VNC flavor back when I used old VNC) has a good security plugin, the DSM encryption plugin. Why not try that? And have Windows lock the workstation behind that. There's your REAL security: the Windows login.
 
Why is it open externally? If you're using an SSH tunnel, there is no reason for that port to be wide open. It kinda defeats the purpose of using a tunnel in the first place.
 
Thanks for that comment, I think I realize what SSH tunneling actually does now.

So any connection I make to port 5901 on my local machine will be forwarded to port 5901 on the remote machine. All traffic will be tunneled through the SSH port. Therefore, the only external port I need open is the ssh port.

On a second note, how do I ensure I've closed the open port 5901 on the remote machine properly without preventing ssh tunnel from connecting? Do I need an intermediate computer between my local machine and remote machine?
 
CoW]8(0);1037285981 said:
Thanks for that comment, I think I realize what SSH tunneling actually does now.

So any connection I make to port 5901 on my local machine will be forwarded to port 5901 on the remote machine. All traffic will be tunneled through the SSH port. Therefore, the only external port I need open is the ssh port.

On a second note, how do I ensure I've closed the open port 5901 on the remote machine properly without preventing ssh tunnel from connecting? Do I need an intermediate computer between my local machine and remote machine?

That's correct. In your SSH client you basically say "Forward this local port to that server and port." The server can be the machine you are SSHed into, or another machine it can see. You can more or less use SSH like a very basic VPN.
 
So is there any way I can prevent port 5901 from being exposed on the remote machine while still having the ability to connect via ssh tunnel?
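
Added example, not part of the original thread: a check for the question above, run on the remote machine, that reports whether port 5901 is bound to loopback only or to an externally reachable address. Because the `localhost:5901` target in `ssh -L` is opened from the remote side of the tunnel, a loopback-only listener still works through it (TightVNC's Xvnc has a `-localhost` option for that binding). The function name and the sample `ss -tln` listings are constructed for illustration.

```shell
#!/bin/sh
# Classify how a TCP port is bound, reading `ss -tln` output on stdin.
# Prints one of: exposed | loopback-only | not-listening
# Live use on the remote machine:  ss -tln | port_exposure 5901
port_exposure() {
    awk -v port="$1" '
        $1 == "LISTEN" {
            addr = $4                          # Local Address:Port column
            n = split(addr, parts, ":")
            if (parts[n] != port) next         # a different port
            host = substr(addr, 1, length(addr) - length(parts[n]) - 1)
            sub(/%.*/, "", host)               # drop interface scope (%lo, %eth0])
            sub(/^\[/, "", host)               # drop IPv6 brackets
            sub(/\]$/, "", host)
            seen = 1
            # Anything other than 127.0.0.0/8 or ::1 is reachable off-host
            if (host !~ /^127\./ && host != "::1") exposed = 1
        }
        END {
            if (!seen)        print "not-listening"
            else if (exposed) print "exposed"
            else              print "loopback-only"
        }'
}

# Constructed sample: VNC server listening on all interfaces (the thread's situation)
SAMPLE_OPEN='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*
LISTEN 0      5      0.0.0.0:5901       0.0.0.0:*'

# Constructed sample: same host after the VNC server is bound to loopback only
SAMPLE_LOCAL='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*
LISTEN 0      5      127.0.0.1:5901     0.0.0.0:*'

printf '%s\n' "$SAMPLE_OPEN"  | port_exposure 5901
printf '%s\n' "$SAMPLE_LOCAL" | port_exposure 5901
```

A result of `loopback-only` for 5901 together with `exposed` for 22 is the state the thread is aiming for: only the SSH port is reachable from outside.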
 