Configure Linux Server to block unsecured VNC connection
I've been reading some articles on the web about securing VNC connections by tunneling the connection over SSH. However, from the server perspective it will still allow an unsecured connection, and you're relying on the client to set up the SSH tunneling. Is there a way to configure the Linux server to not allow connections over an unsecured channel? Thanks.
If your VNC server supports it (mine doesn't) you could use 'vncserver -localhost'. Else, SPOF-wise good to do regardless, set iptables to block inbound access to the VNC port (range) from -i ethernet device(s).
This sounds like it will block all incoming requests regardless of whether they are secure or not. I'm only looking to block unsecured connections. Also, what does SPOF stand for?
Your definition of "secure" in this context is "tunneling the connection over SSH", meaning only port TCP/22 and related are seen in flight between client and server. The client connects to the VNC server from the SSH tunnel endpoint which resides on the server. It should be easy for you to verify by doing VNC-over-SSH and check server-side what ports and endpoints are in use for that particular set of connections.
SPOF is the FLA of Single Point of Failure. (FLA being the TLA of Four Letter Acronym).
If you're tunneling through SSH, the incoming connection will be on a user-defined port, not 5900 as is usual for VNC. SSH will then pass the connection to 5900 internally.
If you have iptables drop all incoming tcp/udp with a source address of anything and a destination port of 5900, you will arrive at the following set of circumstances.
1. Any connections coming in to the user-defined port using VNC over SSH will be accepted.
2. Any connections just using VNC to the standard port will be dropped.
3. Any connections to the user-defined port using just VNC will not complete, as SSH will reject them.
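The server-side check and the iptables rules the replies above describe, as an added shell example that is not from the thread or any of its posters. It assumes VNC displays listen on TCP 5900-5999, that the external interface is eth0, and that a constructed `ss -Hltn` sample stands in for the live listener table; `-localhost` binding shows up as a 127.0.0.1 listener, and only wildcard-bound displays are reported as exposed.

```shell
#!/bin/sh
# Added example, not the thread's own code. Assumptions: VNC on TCP 5900-5999,
# external interface eth0 (override with EXT_IF=...). Nothing here needs root;
# the iptables lines are printed, not applied.

VNC_PORT_LO=5900
VNC_PORT_HI=5999
EXT_IF="${EXT_IF:-eth0}"

# Constructed sample of `ss -Hltn` output (State Recv-Q Send-Q Local Peer):
# display :1 bound to loopback only (what `vncserver -localhost` gives you),
# display :2 and :3 bound to every interface (reachable without the tunnel),
# and sshd on 22, the only port that should be reachable from outside.
SAMPLE_SS='LISTEN 0 5 127.0.0.1:5901 0.0.0.0:*
LISTEN 0 5 0.0.0.0:5902 0.0.0.0:*
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 5 [::]:5903 [::]:*'

# Print "<port> exposed" for each VNC display listening on a wildcard address.
# Loopback-only displays and non-VNC ports are skipped. $1 = ss output.
exposed_vnc_listeners() {
    printf '%s\n' "$1" | awk -v lo="$VNC_PORT_LO" -v hi="$VNC_PORT_HI" '
        {
            n = split($4, a, ":"); port = a[n]          # last field is the port
            addr = substr($4, 1, length($4) - length(port) - 1)
            if (port + 0 < lo + 0 || port + 0 > hi + 0) next
            if (addr == "127.0.0.1" || addr == "[::1]") next
            print port " exposed"
        }'
}

# Emit the rules: drop VNC arriving on the external interface, but leave
# loopback alone so sshd can still reach the display on behalf of the
# tunneled client. Pipe into sh (as root) to apply.
vnc_block_rules() {
    printf 'iptables -A INPUT -i lo -p tcp --dport %s:%s -j ACCEPT\n' \
        "$VNC_PORT_LO" "$VNC_PORT_HI"
    printf 'iptables -A INPUT -i %s -p tcp --dport %s:%s -j DROP\n' \
        "$EXT_IF" "$VNC_PORT_LO" "$VNC_PORT_HI"
}

# What those rules do to one packet: $1 = ingress interface, $2 = dest port.
vnc_policy() {
    if [ "$2" -ge "$VNC_PORT_LO" ] && [ "$2" -le "$VNC_PORT_HI" ] \
        && [ "$1" = "$EXT_IF" ]; then
        echo DROP
    else
        echo ACCEPT
    fi
}
```

Run `exposed_vnc_listeners "$(ss -Hltn)"` against the real listener table to confirm that, after switching to `-localhost` or adding the rules, no display is reachable except through the SSH endpoint on the server.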