Linux - Security
This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
I'm setting up a Linux Mint XFCE 16 computer for my grandmother and I need to be able to support her remotely. My original plan was to set up a SSH tunnel and then run VNC through that. However, as I was doing some reading on x11vnc, I see that you can set it to use SSL to encrypt the traffic.
Would I be better off just using x11vnc with the SSL, or should I skip that and rely on my SSH tunnel for securely running VNC? The SSL option is easier, but I want to make sure I'm using the most secure method.
Both are secure, although, when exposing the vnc port, it could be vulnerable to hacking and the vnc service is affected directly.
If ssh is exposed, it should be hacked first before they would have to reach the vnc. It's like some sort of stepping stone to get to vnc (and any other service needed).
IMHO the ssh+tunnel would be the better choice, but SSL itself is also a good choice (if encrypting in-transit data is your goal).
I'd VERY strongly suggest you do neither and use the free client available at nomachine.org. It naturally tunnels over ssh by default, and starts up via ssh on demand, so no extra services need to always run other than ssh itself.
rhoekstra, I want to make sure the in-transit data is encrypted, but I also want to do the best I can to lock down her computer so nobody but me can get into VNC. Maybe I should stick with SSH.
acid_kewpie, are there benefits to using the nomachine.org client besides convenience? I've already got SSH working with private/public keys and VNC is working too. I have to have this done by Saturday, so is it worth throwing all that out and starting over with nomachine?
I hope you've found a proper solution to this already, as it is Monday now...
In my opinion, SSH + [any protocol] tunneled is a very safe method. If you use Fail2ban to limit the number of failed logon attempts before an IP gets a temporary ban, you're quite on the safe side, while very flexible. You don't have to open up additional ports besides SSH (single point of entrance) and have a proper way of deterring script kiddies.
While nomachines.org seems a very smooth and nice solution, it's not installed that easily once you are familiar with SSH, VNC, and port forwarding, IMHO. It's worth checking out though.
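An added example, not part of the original thread: a check for the "single point of entrance" setup discussed above, confirming that VNC only listens on loopback so it can be reached solely through the SSH tunnel. It assumes x11vnc was started with `-localhost`, that VNC uses ports 5900-5999, and that `user@grandma-host` is a placeholder; the `ss` output below is constructed sample data.

```shell
#!/bin/sh
# Intended setup (placeholders, adjust to your hosts):
#   remote machine:  x11vnc -localhost -display :0
#   support machine: ssh -L 5900:localhost:5900 user@grandma-host
#
# exposed_vnc reads `ss -tln` output on stdin, prints every VNC listener
# (ports 5900-5999) bound to a non-loopback address, and returns 1 if any exist.
exposed_vnc() {
    awk '
        BEGIN { found = 0 }
        $1 == "LISTEN" {
            # Local address is field 4; the port follows the last colon.
            n = split($4, parts, ":")
            port = parts[n]
            addr = substr($4, 1, length($4) - length(port) - 1)
            if (port + 0 < 5900 || port + 0 > 5999) next
            # 127.0.0.0/8 and [::1] are only reachable locally (or via the tunnel).
            if (addr ~ /^127\./ || addr == "[::1]") next
            print $4
            found = 1
        }
        END { exit found }
    '
}

# Constructed sample: 5900 is loopback-only, 5901 is bound to all interfaces.
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*
LISTEN 0      5      127.0.0.1:5900     0.0.0.0:*
LISTEN 0      5      [::1]:5900         [::]:*
LISTEN 0      5      0.0.0.0:5901       0.0.0.0:*
LISTEN 0      5      [::]:5901          [::]:*'

printf '%s\n' "$SAMPLE_SS" | exposed_vnc || echo "VNC reachable without the SSH tunnel"
```

On the real machine, run `ss -tln | exposed_vnc`; no output and exit status 0 means SSH is the only way in to VNC.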