LinuxQuestions.org
Old 06-09-2016, 04:04 PM   #1
Mike_Jr
LQ Newbie
 
Registered: Jun 2016
Posts: 4

Rep: Reputation: Disabled
Possible attack against VNC Server


Hello,
I am new here and it is my first post so I hope I am not doing anything wrong, however I need a little help.

Recently I started to have some problems with my Linux machine. So I have this Linux VPS machine with VNC server installed and I just connect to it by using VNC viewer.

Recently the VNC viewer started to give me some errors such as vnc too many security failures or Authentication failed etc ...

I used ssh and checked the log on the Linux machine and it shows logs like:

Thu Jun 9 22:35:43 2016 Connections: accepted: 0.0.0.0::59748 SConnection: Client needs protocol version 3.3

Thu Jun 9 22:35:44 2016 SConnection: AuthFailureException: Authentication failure Connections: closed: 0.0.0.0::59748 (Authentication failure)

Thu Jun 9 22:41:31 2016 Connections: accepted: 0.0.0.0::57806 SConnection: Client needs protocol version 3.3 SConnection: AuthFailureException: Authentication failure Connections: closed: 0.0.0.0::57806 (Authentication failure)

And as a result, the VNC server is blacklisting those connections and, to my surprise, it is eventually preventing me from accessing the machine (I have no idea why I get blacklisted or why I cannot log in anymore).

I am just restarting the VNC server, which allows me to log in again using VNC viewer.

Is this a possible attack? Any thoughts on how to prevent such a scenario?

Many thanks in advance.
 
Old 06-09-2016, 04:26 PM   #2
Habitual
LQ Veteran
 
Registered: Jan 2011
Location: Abingdon, VA
Distribution: Catalina
Posts: 9,374
Blog Entries: 37

Rep: Reputation: Disabled
Welcome to LQ!
Have a look at http://www.serverwatch.com/server-tu...-with-ssh.html
http://www.techrepublic.com/article/...hen-using-vnc/
http://www.dslreports.com/forum/r277...-and-port-5900
and be sure to ask if you have any further questions.
 
1 members found this post helpful.
Old 06-10-2016, 12:39 AM   #3
Mike_Jr
LQ Newbie
 
Registered: Jun 2016
Posts: 4

Original Poster
Rep: Reputation: Disabled
Many thanks Habitual
I am aware of how to secure VNC with ssh tunneling etc., however that's not my problem.
The problem, as I mentioned in the above post and to my understanding, is that many connections are trying to connect to the VNC server; can I call it flooding the server? What's happening is that the VNC server log is showing something like this at first:
Thu Jun 9 22:35:44 2016 SConnection: AuthFailureException: Authentication failure Connections: closed: 0.0.0.0::59748 (Authentication failure)

and then (I am checking the log through ssh):
Fri Jun 10 06:55:03 2016
Connections: blacklisted: 0.0.0.0
Fri Jun 10 07:00:11 2016
Connections: blacklisted: 0.0.0.0
Fri Jun 10 07:05:19 2016
Connections: blacklisted: 0.0.0.0

After it does this blacklisting, I lose the ability to log in to my machine; I think it is just blocking everything.
The viewer just says: Too many security failures.

Anyone experienced something like this before?
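
Added example, not part of the original posts: a small log summariser for the message shapes quoted above, counting authentication failures and blacklist events per source address. The function names and the sample log (documentation-range addresses) are constructed for illustration, and IPv4 sources are assumed.

```shell
#!/bin/sh
# Summarise VNC server log events per source address.
# Handles both one-message-per-line logs and lines where several
# messages were run together, as in the excerpts quoted above.
vnc_log_summary() {
  awk '
    {
      line = $0
      # "closed: ADDR::PORT (Authentication failure)" marks one failed login
      while (match(line, /closed: [^ ]+::[0-9]+ \(Authentication failure\)/)) {
        hit = substr(line, RSTART + 8, RLENGTH - 8)    # drop "closed: "
        sub(/::.*/, "", hit)                           # keep ADDR only
        fail[hit]++; seen[hit] = 1
        line = substr(line, RSTART + RLENGTH)
      }
      line = $0
      # "blacklisted: ADDR" marks a blacklist event for ADDR
      while (match(line, /blacklisted: [^ ]+/)) {
        addr = substr(line, RSTART + 13, RLENGTH - 13) # drop "blacklisted: "
        black[addr]++; seen[addr] = 1
        line = substr(line, RSTART + RLENGTH)
      }
    }
    END {
      for (a in seen)
        printf "%s failures=%d blacklisted=%d\n", a, fail[a], black[a]
    }' | LC_ALL=C sort
}

# Constructed sample log (not taken from a real server).
sample_vnc_log() {
  cat <<'EOF'
Thu Jun 9 22:35:43 2016
 Connections: accepted: 192.0.2.10::59748
 SConnection: Client needs protocol version 3.3
Thu Jun 9 22:35:44 2016
 SConnection: AuthFailureException: Authentication failure
 Connections: closed: 192.0.2.10::59748 (Authentication failure)
Thu Jun 9 22:41:31 2016 Connections: accepted: 192.0.2.10::57806 SConnection: AuthFailureException: Authentication failure Connections: closed: 192.0.2.10::57806 (Authentication failure)
Fri Jun 10 06:55:03 2016
 Connections: blacklisted: 192.0.2.10
Fri Jun 10 07:00:11 2016
 Connections: closed: 198.51.100.7::40112 (Authentication failure)
EOF
}

sample_vnc_log | vnc_log_summary
```

On a real host the server's own log file would be fed to `vnc_log_summary` on stdin in place of the sample.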
 
Old 06-10-2016, 12:42 AM   #4
Mike_Jr
LQ Newbie
 
Registered: Jun 2016
Posts: 4

Original Poster
Rep: Reputation: Disabled
For now I will just start vncserver when I use my machine and once I am done I will shut it down.
Any other ideas maybe?
 
Old 06-10-2016, 04:51 AM   #5
pan64
LQ Guru
 
Registered: Mar 2012
Location: Hungary
Distribution: debian/ubuntu/suse ...
Posts: 16,236

Rep: Reputation: 5451
Using VNC over ssh will solve this issue (probably you can add a firewall rule to make it even better).
 
Old 06-10-2016, 05:27 AM   #6
Turbocapitalist
LQ Guru
 
Registered: Apr 2005
Distribution: Linux Mint, Devuan, OpenBSD
Posts: 5,511
Blog Entries: 3

Rep: Reputation: 2773
How is VNC set up on your machine? Is it set to only allow connections from the localhost, and thus tunnel over SSH? Otherwise, in general, if VNC is available to the Internet it will get cracked.
 
1 members found this post helpful.
Old 06-10-2016, 06:51 AM   #7
sundialsvcs
LQ Guru
 
Registered: Feb 2004
Location: SE Tennessee, USA
Distribution: Gentoo, LFS
Posts: 9,078
Blog Entries: 4

Rep: Reputation: 3187
Well, for example, I use OpenVPN with TLS security installed ... so a client must have a unique certificate even to cause OpenVPN to respond. (If you don't have it, it just silently drops the packet.) Security is managed through certificates, not pre-shared keys (passwords). Basically, "a smooth, featureless wall," unless you possess the necessary credentials.

Once you gain access, you can use VNC and so forth. Every one of you is uniquely identified by the certificate, issued by me, which only you possess. The server will not allow the same certificate to be used more than once simultaneously, so you might have as many as three: one for your desktop, one for your laptop, one for your smart phone.

And a critical feature of VPN, versus SSH tunneling, is that it is transparent to the end-users and requires no special action on anyone's part. The secured network is "just there," and VPN assures that all of the traffic is encrypted. This removes "the human element," which is where exploitable lapses in security most-naturally come from.

Last edited by sundialsvcs; 06-10-2016 at 06:53 AM.
 
1 members found this post helpful.
Old 06-10-2016, 08:42 AM   #8
Habitual
LQ Veteran
 
Registered: Jan 2011
Location: Abingdon, VA
Distribution: Catalina
Posts: 9,374
Blog Entries: 37

Rep: Reputation: Disabled
Not sure I can help.
Without any notable details, we can only guess.
I access remote machines every day without a "vnc server".
I don't open unnecessary ports without first examining the impact on Security.

Perhaps you should whitelist your IP for this "vnc server"?
Perhaps you should close the "vnc server" port to everyone but yourself?
Perhaps you don't need a "vnc server" (who uses a desktop on a remote VPS?)
That is what you are doing, yes?
 
Old 06-10-2016, 01:52 PM   #9
Habitual
LQ Veteran
 
Registered: Jan 2011
Location: Abingdon, VA
Distribution: Catalina
Posts: 9,374
Blog Entries: 37

Rep: Reputation: Disabled
Quote:
Originally Posted by Mike_Jr View Post
for now I will just start vncserver when I use my machine and once I am done I will shut it down.
any other ideas maybe?
That perhaps is the easiest.
 
Old 06-10-2016, 02:36 PM   #10
biosboy4
Member
 
Registered: Aug 2015
Distribution: *DEB, Centos, NXOS
Posts: 242

Rep: Reputation: 38
Quote:
in general, if VNC is available to the Internet it will get cracked.
^ This is an important note when dealing with VNC. There are lots of popular hacks for it.
 
Old 06-11-2016, 03:17 AM   #11
Mike_Jr
LQ Newbie
 
Registered: Jun 2016
Posts: 4

Original Poster
Rep: Reputation: Disabled
Many many thanks guys, I am sorry if my post was confusing or lacked information, but really your inputs have been very valuable to me and provided me with lots of ideas.

@Habitual: Many thanks, your links and input guided me to the solution of my problem and to examine the open ports on the machine.

@Turbocapitalist: Your answer was concise but really guided me to my problem. Yes, I am using a tunnel over SSH, but VNC is set to allow connections from everywhere. I fixed it and set it to only accept connections from localhost (-localhost), and I tried with different viewers and they are all blocked except for the tunneled one, which is what I really want to achieve.

@sundialsvcs: That is brilliant, I will definitely try that.

@biosboy & @pan64: thanks a lot for your comments.

Much appreciated guys.
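
Added example, not part of the original thread: a check for the fix described in this post, confirming that no VNC listener is bound to anything other than loopback. It reads `ss -ltn` output on stdin; the function names, the sample listing, and the port range 5900 to 5999 (displays :0 to :99) are assumptions made for this illustration.

```shell
#!/bin/sh
# Read `ss -ltn` output on stdin and print every VNC listener that is
# reachable from other hosts. Assumption: VNC displays :0 to :99 map to
# TCP ports 5900 to 5999, and the State column is the first field.
vnc_exposed_listeners() {
  awk '
    $1 == "LISTEN" {
      ep = $4                                   # Local Address:Port column
      n = split(ep, parts, ":")
      port = parts[n] + 0                       # text after the last colon
      addr = substr(ep, 1, length(ep) - length(parts[n]) - 1)
      if (port < 5900 || port > 5999) next      # not a VNC display port
      # Loopback-only listeners are what -localhost should produce.
      if (addr ~ /^127\./ || addr == "[::1]" || addr == "::1") next
      print ep
    }'
}

# Constructed sample of `ss -ltn` output (not from a real host).
sample_ss_output() {
  cat <<'EOF'
State   Recv-Q  Send-Q  Local Address:Port  Peer Address:Port
LISTEN  0       128     0.0.0.0:22          0.0.0.0:*
LISTEN  0       5       0.0.0.0:5901        0.0.0.0:*
LISTEN  0       5       127.0.0.1:5902      0.0.0.0:*
LISTEN  0       5       [::]:5903           [::]:*
LISTEN  0       5       [::1]:5904          [::]:*
EOF
}

# Prints the two wildcard-bound VNC listeners from the sample.
sample_ss_output | vnc_exposed_listeners
```

On a live machine, `ss -ltn | vnc_exposed_listeners` printing nothing means every VNC display is bound to loopback only.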
 
Old 06-11-2016, 05:55 AM   #12
Habitual
LQ Veteran
 
Registered: Jan 2011
Location: Abingdon, VA
Distribution: Catalina
Posts: 9,374
Blog Entries: 37

Rep: Reputation: Disabled
Quote:
Originally Posted by Mike_Jr View Post
@Habitual: Many thanks, your links and input guided me to the solution of my problem and to examine the open ports on the machine.
Glad you found a solution!
 
Old 06-11-2016, 11:10 AM   #13
biosboy4
Member
 
Registered: Aug 2015
Distribution: *DEB, Centos, NXOS
Posts: 242

Rep: Reputation: 38
Possible attack against VNC Server

Something like OpenVPN (or even IPsec VPNs and the like) is really great for accessing RDP/VNC networks if you ever decide to open up multiple machines to a centralized location.

If you can figure out which internal address the VPN gives you and statically assign it to, say, your domain account, you could set VNC to only listen for that.

Hmm.. can VNC be set to listen for host names? I'm fairly certain those are static through most tunnels that I know of.

Food for thought..
 
  

