LinuxQuestions.org


ziphem 12-10-2013 06:52 PM

Screensaver password when VNC runs over SSH - false security or an added benefit?
 
I have a standalone PC in my house. Aside from the girlfriend, I am the only person in the house; the PC is tucked behind a cabinet, has no screen, and has no input devices. I remote log into the machine and play my music to hooked up speakers through it.

My question is: while I run my VNC over SSH, and VNC does have a password, is there any earthly reason why I should still retain the screensaver password?

Is there any added security whatsoever to having a screen-saver password at this point? As mentioned, I tunnel my VNC through SSH, and so keep VNC closed to the outside world otherwise; the computer has iptables and sits behind a hardware router+firewall. I retain the VNC password *in case* - in case of what, I don't know, since this PC never moves from its location.

I should also add that the PC has no battery in it, so if it's unscrewed, it must be unplugged to move it (I suppose you could break into my house with a monitor and keyboard and hook it up - and if something that crazy happens, I'll be concerned about a lot more than the security of the PC). Maybe I've retained that passworded screensaver as a vestige of the past, since isn't that one of the only things the average computer-literate person had for PC security 20 years ago? Maybe it's because I figured if someone got past my SSH, and then past the VNC, they might still be stumped by the screensaver (please don't laugh). Or maybe it's because it gives me some security for my laptop - but the PC about which I ask is a fixed mini-PC tucked away in the house.

Anyways, I thought I'd check with the gurus before I banished the screensaver password to a thing of the past.

Thanks!!!

JJJCR 12-10-2013 08:21 PM

Wow, maximum security for a PC to play music.. What kind of music is in there? I'm quite interested... What's your location? hehehe.. just kidding...

You can take out the screen saver password, and replace it with a hardware firewall.. for another layer of security..LOL..

PC is behind your home router, right? If the PC is not connected to the outside world, like no port forwarding or whatever configuration that you had made so you can connect to it remotely from outside your home.. I guess it should be okay.

ziphem 12-10-2013 09:43 PM

I'd tell you about the music, but then... haha. No really, I actually do use it as the target for my main computer's backups as well (haven't made the shift to duplicity yet, but the backup method I use now is encrypted). The computer is behind a router that's also a firewall, and as mentioned, iptables is set up. I keep the machine open to the outside world for remote SSH, as well as VPN. But if you're going to get in, it's not going to be through VNC or anything, it'll be through another port. And then you need the VNC password....

JJJCR 12-11-2013 12:35 AM

Quote:

Originally Posted by ziphem (Post 5078729)
I'd tell you about the music, but then... haha. No really, I actually do use it as the target for my main computer's backups as well (haven't made the shift to duplicity yet, but the backup method I use now is encrypted). The computer is behind a router that's also a firewall, and as mentioned, iptables is set up. I keep the machine open to the outside world for remote SSH, as well as VPN. But if you're going to get in, it's not going to be through VNC or anything, it'll be through another port. And then you need the VNC password....

Okay, if it is open to the outside world, have you ever checked your firewall logs?

If you check your firewall logs, I'm quite sure a lot have attempted (but it's normal).

Just make sure your password is not easy to guess, and don't open a lot of ports to the outside world to minimize the layer of attack.

And of course, nothing is 100% secure once your box is exposed to the internet.

Uninstall programs or stop the services you don't need in your box.

If there are programs or services running that can easily be exploited, then your firewall, your iptables and your VNC password are basically useless.

ziphem 12-11-2013 09:49 PM

I definitely don't use passwords to gain remote access to my box, that's not sufficient (SSH keyfiles). Of course I only retain open the ports that I need open, e.g., SSH, VPN. I generally scan my ports both internally and externally now and then, and I really don't have many concerns about that so far. I also generally don't install programs I don't need and don't run services that I don't need, either. I try to monitor most logs relatively regularly, or as time permits. I can't say that I've checked my firewall logs recently, I probably should though, but I am sitting behind a software firewall behind a hardware firewall. I do appreciate the response, but I'm not sure it goes to the heart of the issue. The more I think about it, and for the reasons I've laid out, the more I move away from my 1996 home desktop security attitude and towards comfort with disabling the screensaver.

JJJCR 12-11-2013 11:11 PM

Well, I searched Google and there are actually tricks to bypass the VNC authentication, so I think it would be better to stick with the screensaver authentication password.

ziphem 12-12-2013 12:33 AM

I think it's important to retain the distinction between opening your computer for direct VNC access - i.e., port 5900 - and only allowing VNC when it's tunnelled through SSH with port forwarding. The former allows me to connect through VNC to your IP address with, say, Remote Desktop Viewer, e.g., 123.456.789 with VNC port 5900 implied, and connect using the VNC password. This is a very bad idea for several reasons. In addition, because VNC traffic is not in and of itself encrypted, at least that I'm aware, it suggests that once you input the screensaver password, that password's effectiveness is nullified.

If you have disabled firewall access to 5900, though, you can then set up your SSH to tunnel VNC over it. All traffic to VNC is routed internally, and the only port that you keep open to the outside world is your SSH port - whatever you choose it to be. Therefore, you're not connecting VNC--->PC, but SSH--->PC, and in that connection running VNC.

So the whole question about VNC password really becomes less important. I still think it's a good idea to retain, though, in case you make a mistake in your firewall (e.g., software, and then you travel and there's no hardware firewall), breakdown of your system for whatever reason, or pesky kids change your firewall port settings when you're not looking. Just google something like 'ssh tunnel to VNC' and you'll get more information on this.

To return to your point about password, the only time you would use a password then would be with SSH, as VNC is tunnelled over it. However, even this is not a good idea, since you should be using keyfiles (and disable password authentication in sshd).
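
An added example, not part of the original posts: a small shell audit for the setup described in the thread, checking that sshd refuses password logins and that no VNC listener (ports 5900-5909) is bound to a non-loopback address. The function names, the tunnel's `user@host` and the sample inputs are assumptions constructed for illustration.

```shell
#!/bin/sh
# Tunnel as described in the thread (user@host is a placeholder):
#   ssh -N -L 5901:127.0.0.1:5900 user@host   # then point the viewer at localhost:5901
# On a live host: sshd -T | sshd_password_auth ; ss -ltn | vnc_exposed_listeners

# Print the effective PasswordAuthentication value from sshd config text on stdin.
# sshd keeps the first value it finds for a keyword; the default is "yes".
# Only the global section is read: parsing stops at the first Match block.
sshd_password_auth() {
    awk '
        {
            line = $0; sub(/^[ \t]+/, "", line)
            split(line, f, /[ \t=]+/)
            key = tolower(f[1])
            if (key == "match") exit
            if (key == "passwordauthentication") { print tolower(f[2]); found = 1; exit }
        }
        END { if (!found) print "yes" }
    '
}

# From `ss -ltn` output on stdin, print VNC listeners (ports 5900-5909) bound to
# anything other than loopback. No output means VNC is reachable only locally.
vnc_exposed_listeners() {
    awk '
        $1 == "LISTEN" {
            addr = $4
            port = addr; sub(/.*:/, "", port)
            host = addr; sub(/:[^:]*$/, "", host)
            if (port + 0 < 5900 || port + 0 > 5909) next
            if (host ~ /^127\./ || host == "[::1]") next
            print addr
        }
    '
}

# Constructed sample inputs (not taken from a real machine).
SAMPLE_SSHD='# constructed sample
Port 22
PubkeyAuthentication yes
PasswordAuthentication no'
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*
LISTEN 0      5      127.0.0.1:5900     0.0.0.0:*'

echo "password auth: $(printf '%s\n' "$SAMPLE_SSHD" | sshd_password_auth)"
echo "exposed VNC:   $(printf '%s\n' "$SAMPLE_SS" | vnc_exposed_listeners)"
```

An empty "exposed VNC" result together with "password auth: no" matches the configuration the thread recommends; any address printed by the second check is a VNC port that depends on the firewall alone.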


All times are GMT -5.