LinuxQuestions.org
Old 12-10-2013, 07:52 PM   #1
ziphem
Member
 
Registered: Feb 2004
Location: US / EU
Distribution: Fedora 20
Posts: 154

Rep: Reputation: 18
Screensaver password when VNC runs over SSH - false security or an added benefit?


I have a standalone PC in my house. Aside from the girlfriend, I am the only person in the house; the PC is tucked behind a cabinet, has no screen, and has no input devices. I remote log into the machine and play my music to hooked up speakers through it.

My question is: while I run my VNC over SSH, and VNC does have a password, is there any earthly reason why I should still retain the screensaver password?

Is there any added security whatsoever to having a screen-saver password at this point? As mentioned, I tunnel my VNC through SSH, and so keep VNC closed to the outside world otherwise; the computer has iptables and sits behind a hardware router+firewall. I retain the VNC password *in case* - in case of what, I don't know, since this PC never moves from its location.

I should also add that the PC has no battery in it, so if it's unscrewed, it must be unplugged to move it (I suppose you could break into my house with a monitor and keyboard and hook it up - and if something that crazy happens, I'll be concerned about a lot more than the security of the PC). Maybe I've retained that passworded screensaver as a vestige of the past, since isn't that one of the only things the average computer literate person had for PC security 20 years ago? Maybe it's because I figured if someone got past my SSH, and then past the VNC, they might still be stumped by the screensaver (please don't laugh). Or maybe it's because it gives me some security for my laptop - but the PC about which I ask is a fixed mini-PC tucked away in the house.

Anyways, I thought I'd check with the gurus before I banished the screensaver password to a thing of the past.

Thanks!!!

Last edited by ziphem; 12-10-2013 at 08:09 PM.
 
Old 12-10-2013, 09:21 PM   #2
JJJCR
Senior Member
 
Registered: Apr 2010
Posts: 1,104

Rep: Reputation: 181
Wow, maximum security for a PC to play music... What kind of music is in there? I'm quite interested... What's your location? Hehehe... just kidding...

You can take out the screen saver password, and replace it with a hardware firewall... for another layer of security... LOL...

PC is behind your home router, right? If the PC is not connected to the outside world, like no port forwarding or whatever configuration that you had made so you can connect to it remotely from outside your home... I guess it should be okay.
 
Old 12-10-2013, 10:43 PM   #3
ziphem
Member
 
Registered: Feb 2004
Location: US / EU
Distribution: Fedora 20
Posts: 154

Original Poster
Rep: Reputation: 18
I'd tell you about the music, but then... haha. No really, I actually do use it as the target for my main computer's backups as well (haven't made the shift to duplicity yet, but the backup method I use now is encrypted). The computer is behind a router that's also a firewall, and as mentioned, iptables is set up. I keep the machine open to the outside world for remote SSH, as well as VPN. But if you're going to get in, it's not going to be through VNC or anything, it'll be through another port. And then you need the VNC password....
 
Old 12-11-2013, 01:35 AM   #4
JJJCR
Senior Member
 
Registered: Apr 2010
Posts: 1,104

Rep: Reputation: 181

Quote:
Originally Posted by ziphem
I'd tell you about the music, but then... haha. No really, I actually do use it as the target for my main computer's backups as well (haven't made the shift to duplicity yet, but the backup method I use now is encrypted). The computer is behind a router that's also a firewall, and as mentioned, iptables is set up. I keep the machine open to the outside world for remote SSH, as well as VPN. But if you're going to get in, it's not going to be through VNC or anything, it'll be through another port. And then you need the VNC password....
Okay, if it is open to the outside world, have you ever checked your firewall logs?

If you check your firewall logs, I'm quite sure a lot have attempted (but it's normal).

Just make sure your password is not easy to guess, and don't open a lot of ports to the outside world to minimize the layer of attack.

And of course, nothing is 100% secure once your box is exposed to the internet.

Uninstall programs or stop the services you don't need in your box.

If there are programs or services running that can easily be exploited, then your firewall, your iptables and your VNC password are basically useless.

Last edited by JJJCR; 12-11-2013 at 01:37 AM. Reason: edit
 
Old 12-11-2013, 10:49 PM   #5
ziphem
Member
 
Registered: Feb 2004
Location: US / EU
Distribution: Fedora 20
Posts: 154

Original Poster
Rep: Reputation: 18
I definitely don't use passwords to gain remote access to my box, that's not sufficient (SSH keyfiles). Of course I only retain open the ports that I need open, e.g., SSH, VPN. I generally scan my ports both internally and externally now and then, and I really don't have many concerns about that so far. I also generally don't install programs I don't need and don't run services that I don't need, either. I try to monitor most logs relatively regularly, or as time permits. I can't say that I've checked my firewall logs recently, I probably should though, but I am sitting behind a software firewall behind a hardware firewall. I do appreciate the response, but I'm not sure it goes to the heart of the issue. The more I think about it, and for the reasons I've laid out, the more I move away from my 1996 home desktop security attitude and towards comfort with disabling the screensaver.
 
Old 12-12-2013, 12:11 AM   #6
JJJCR
Senior Member
 
Registered: Apr 2010
Posts: 1,104

Rep: Reputation: 181
Well, I searched Google; there are actually tricks to bypass the VNC authentication, so I think it would be better to stick with the screen saver authentication password.
 
Old 12-12-2013, 01:33 AM   #7
ziphem
Member
 
Registered: Feb 2004
Location: US / EU
Distribution: Fedora 20
Posts: 154

Original Poster
Rep: Reputation: 18
I think it's important to retain the distinction between opening your computer for direct VNC access - i.e., port 5900 - and only allowing VNC when it's tunnelled through SSH with port forwarding. The former allows me to connect through VNC to your IP address with, say, Remote Desktop Viewer, e.g., 123.456.789 with VNC port 5900 implied, and connect using the VNC password. This is a very bad idea for several reasons. In addition, because VNC traffic is not in and of itself encrypted, at least that I'm aware, it suggests that once you input the screensaver password, that password's effectiveness is nullified.

If you have disabled firewall access to 5900, though, you can then set up your SSH to tunnel VNC over it. All traffic to VNC is routed internally, and the only port that you keep open to the outside world is your SSH port - whatever you choose it to be. Therefore, you're not connecting VNC--->PC, but SSH--->PC, and in that connection running VNC.

So the whole question about VNC password really becomes less important. I still think it's a good idea to retain, though, in case you make a mistake in your firewall (e.g., software, and then you travel and there's no hardware firewall), breakdown of your system for whatever reason, or pesky kids change your firewall port settings when you're not looking. Just google something like 'ssh tunnel to VNC' and you'll get more information on this.

To return to your point about password, the only time you would use a password then would be with SSH, as VNC is tunnelled over it. However, even this is not a good idea, since you should be using keyfiles (and disable password authentication in sshd).
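
Added example, not part of any post in this thread: a small shell audit for the setup described in post #7, checking that no VNC listener is reachable except through the SSH tunnel and that sshd has password authentication disabled. The function names, the 5900-5999 port range (which goes beyond the single port 5900 named in the post) and the sample inputs are assumptions constructed for illustration.

```shell
#!/bin/sh
# Constructed sample inputs. On a real host use the output of
# `ss -tlnH` and `sshd -T` (or the sshd_config file) instead.
SAMPLE_SS='LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 5 127.0.0.1:5900 0.0.0.0:*
LISTEN 0 5 0.0.0.0:5901 0.0.0.0:*'
SAMPLE_SSHD='#PasswordAuthentication yes
PubkeyAuthentication yes
PasswordAuthentication no'

# Read `ss -tlnH` lines on stdin and print every listener on a VNC port
# (5900-5999, assumed range) that is bound to a non-loopback address.
exposed_vnc_listeners() {
    awk '{
        addr = $4                                  # Local Address:Port
        n = split(addr, parts, ":")
        port = parts[n] + 0
        host = substr(addr, 1, length(addr) - length(parts[n]) - 1)
        if (port < 5900 || port > 5999) next       # not a VNC display
        if (host ~ /^127\./ || host == "[::1]") next   # tunnel-only
        print addr
    }'
}

# Read sshd_config text on stdin and print the PasswordAuthentication
# value sshd would use: first occurrence wins, default is "yes".
sshd_password_auth() {
    awk '{ sub(/=/, " ") }                         # allow key=value form
         tolower($1) == "passwordauthentication" {
             print tolower($2); found = 1; exit
         }
         END { if (!found) print "yes" }'
}

# Combine both checks; returns non-zero if either finding is present.
audit() {   # $1 = ss output, $2 = sshd config text
    status=0
    exposed=$(printf '%s\n' "$1" | exposed_vnc_listeners)
    if [ -n "$exposed" ]; then
        echo "VNC reachable without the SSH tunnel: $exposed"; status=1
    fi
    if [ "$(printf '%s\n' "$2" | sshd_password_auth)" != "no" ]; then
        echo "sshd accepts password logins"; status=1
    fi
    return $status
}

audit "$SAMPLE_SS" "$SAMPLE_SSHD" || echo "findings above need fixing"
```

The parser does not evaluate `Match` blocks, so feeding it `sshd -T` output gives the effective global value rather than a per-user override.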
 
  

