LinuxQuestions.org
Go Job Hunting at the LQ Job Marketplace
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices

Reply
 
Search this Thread
Old 06-23-2009, 06:26 PM   #1
tburgos@us.mufg.jp
LQ Newbie
 
Registered: Jun 2009
Posts: 2

Rep: Reputation: 0
Question Configure Linux Server to block unsecured VNC connection


I've been reading some articles on the web about securing VNC connections by tunneling the connection over SSH. However, from the server perspective it will still allow an unsecured connections and you're relying on the client to setup up the SSH tunneling. Is there a way to configure the Linux server to now allow connection over an unsecured channel? Thanks.
 
Old 06-23-2009, 06:59 PM   #2
unSpawn
Moderator
 
Registered: May 2001
Posts: 27,310
Blog Entries: 54

Rep: Reputation: 2860Reputation: 2860Reputation: 2860Reputation: 2860Reputation: 2860Reputation: 2860Reputation: 2860Reputation: 2860Reputation: 2860Reputation: 2860Reputation: 2860
If your VNC server supports it (mine doesn't) you could use 'vncserver -localhost'. Else, SPOF-wise good to do regardless, set iptables to block inbound access to the VNC port (range) from -i ethernet device(s).
 
Old 06-24-2009, 08:07 AM   #3
tburgos@us.mufg.jp
LQ Newbie
 
Registered: Jun 2009
Posts: 2

Original Poster
Rep: Reputation: 0
This sounds like it will block all incoming request regardless of whether they are secure or not. I'm only looking to block unsecured connections. Also what does SPOF stand for?
 
Old 06-24-2009, 08:13 AM   #4
unSpawn
Moderator
 
Registered: May 2001
Posts: 27,310
Blog Entries: 54

Rep: Reputation: 2860Reputation: 2860Reputation: 2860Reputation: 2860Reputation: 2860Reputation: 2860Reputation: 2860Reputation: 2860Reputation: 2860Reputation: 2860Reputation: 2860
Your definition of "secure" in this context is "tunneling the connection over SSH", meaning only port TCP/22 and related are seen in flight between client and server. The client connects to the VNC server from the SSH tunnel endpoint which resides on the server. It should be easy for you to verify by doing VNC-over-SSH and check server-side what ports and endpoints are in use for that particular set of connections.

SPOF is the FLA of Single Point of Failure. (FLA being the TLA of Four Letter Acronym).

Last edited by unSpawn; 06-24-2009 at 08:14 AM.
 
Old 06-24-2009, 08:43 AM   #5
nowonmai
Member
 
Registered: Jun 2003
Posts: 481

Rep: Reputation: 48
If you're tunneling through SSH, the incoming connection will be on a user defined port not 5900, as is usual for VNC. SSH will then pass the connection to 5900 internally.

If you have iptables drop all incoming tcp/udp with a source address of anything and destination port of 5900, you will arrive at the following set of circumstances.
1. Any connections coming in to the user defined port using VNC over SSH will be accepted.
2. Any connections just using VNC to the standard port, will be dropped.
3. Any connections to the user defined port, using just VNC will not complete, as SSH will reject them.
 
  


Reply

Tags
blocking, vnc


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
How to configure VNC server to load up the complete GNOME desktop? tlawlessrr Linux - Newbie 8 03-21-2014 08:21 AM
How to configure VNC server on solaris 8 ? talat Solaris / OpenSolaris 15 09-17-2009 06:19 AM
rhel4 vnc problem, where to configure GUI vnc server? hocheetiong Linux - Newbie 1 10-24-2007 06:05 AM
VNC connection to SUSE Linux 10 from a Windows XP VNC Viewer determin2excel Linux - Software 13 10-03-2007 09:38 AM
Slackware VNC Server Install and Configure Procedures kendolin Slackware 2 05-30-2004 10:19 PM


All times are GMT -5. The time now is 03:42 AM.

Main Menu
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration