I am new to VNC, and wondering how I go about configuring a VNC server to only allow localhost connections?

The idea is I only want to connect via ssh tunneling. I do not want to inadvertently be opening up ports like 5901 to other machines in the network.

I've tried tightVNC vnc4server, and realvnc, but none of them seem to make the option how to do this clear. I saw one man page somewhere where you could use a -localhost flag, however I'd rather be able to have this permanently in a config file, to reduce the chance of accidentally forgetting that flag one day and inadvertently opening up a port I didn't want to.

PS: Would be nice to save other settings like the "geometry" setting in the config file too if that's possible.

I'm not really familiar with VNC, but the best (pretty much fool proof) way to prevent external connections to a service, is to bind it to 127.0.0.1.

If you configure your firewall to block all incoming traffic except SSH (i.e. including 5901 etc.) would that not suffice? That way, you could still SSH into the box, then run VNC through the established SSH tunnel.

If you want to explicitly set VNC only to listen to the localhost interface, then you would need to edit the VNCserver conf file (/etc/sysconfig/vncservers on CentOS; /etc/vncserver/vncservers.conf on Debian/Ubuntu (I think)).

Edit the VNCSERVERARGS line and add "-localhost" within the quotes, save, restart the vnc server and you should be good to go.