Some quick feedback to the security-conscious hyperbole about VNC that's flown across the list recently. In my experience, it's not exactly true that VNC has "very little" in the way of security. Some features it has (and I've used):
1. Via AuthHosts, you can specify which IP addresses are allowed and not allowed to connect.
2. Via QuerySetting, you can require that explicit permission be granted by someone sitting in front of the server for every connection attempt that passes AuthHosts.
3. Unlike telnet and others, the connection password is not sent entirely in clear text.
4. Once a user does connect, they have the exact same permissions that the currently-logged-in user on the server has. If you run the VNC server while logged in as "guest", then your visiting VNC connections are "guest" as well. Not "admin".
5. Finally, AFAIK, there are no buffer overflow vulnerabilities to the VNC service. PCAnywhere, Citrix MetaFrame, WinXP TermServ can say the same thing, sure, but the comfort of open-source community review in this case...

I *of course* agree that tunneling VNC through SSH is much more secure than running naked VNC. However, there are good and worthwhile steps a new VNC user can take to create security layers *before* they add the SSH finishing touch. Is my point.

Furthermore, at the end of the day, it *is* a remote-control application after all: any successful connection gets remote access to the server. I think this, to some degree, makes VNC *appear* to be less secure than, say, running a web-service. That is, the worst case scenario of running any service behind your firewall is that a black-hat could exploit it to get VNC-like access to one of your machines. With VNC on the other hand, installed without any precautions, a black-hat is just one password away from exactly that. With precautions, though, I'd argue you're in better shape than someone using an IE browser with ActiveX enabled.

Anyhow, just my opinion; I'm just one for keeping the baby after the bath. :)

cheers,
Scott

> "Henning, Brian" <[EMAIL PROTECTED]> wrote:
>
> My disclaimer: I have not done this but I can give you some tips. I am
> concerned about the current security of your vnc configuration.
>
> > Hello-
> > I am using LEAF with the echowall firewall package on a pentium 1. This
> > router/firewall serves my two windows machines. I set up echowall to access
> > a vnc server on one of my local machines but,
>
> vnc is not a secure protocol. If I am reading what you said correctly,
> then you have introduced significant security concerns for your windows
> PC. Bad people will want to abuse you. Please see
> http://www.uk.research.att.com/vnc/faq.html#q52. It also talks about
> some of the ports to forward. See also
> http://www.uk.research.att.com/vnc/faq.html#q53.
>
> > I am not sure how to set up the
> > router/firewall to allow vnc to be accessible on multiple local machines. I
> > am pretty sure I have to have separate ports for each, but I am not sure how
>
> http://www.uk.research.att.com/vnc/faq.html#q55
> http://www.uk.research.att.com/vnc/sshvnc.html
>
> > I go about the setup. Can anyone give me a hand? Thanks!
>
> For your safety, please stop what you are doing now. I would recommend
> setting up secure shell port on port 22 and, say, port 23 of your
> firewall. You will need to locate the latest secure ssh package, there
> is a bug. Pick port 22 and portforward it to one windows PC. Map port
> 22 to one of the 5900 VNC ports. Pick port 23 and portforward it to the
> other windows PC. Likewise, map port 23 to one of the 590x VNC ports.
> Depending on your source machine, you may need to setup putty or ssh
> there. Then you might do something like this: ssh -L 5902:myfirewall:5901
> myfirewall. Read http://www.uk.research.att.com/vnc/sshvnc.html and look
> at the pictures. Give yourself some time to comprehend what is being
> said.
>
> I hope this gets you pointed in the right direction. By the way did I
> tell you that I was concerned about the security of your current
> configuration?
>
> Greg

_______________________________________________
Leaf-user mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
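As an added illustration of how the AuthHosts and QuerySetting layers that Scott lists in his message fit together (example code written for this page, not WinVNC's own; the colon-separated "+prefix"/"-prefix"/"?prefix" AuthHosts format, the longest-matching-prefix rule, and the reduction of QuerySetting to a single query_all flag are assumptions made here):

```python
# Constructed illustration of WinVNC-style host filtering, not WinVNC's code.
# Assumed AuthHosts format: colon-separated entries, each "+prefix" (accept),
# "-prefix" (reject) or "?prefix" (ask the person at the console); the longest
# matching prefix decides, and an empty prefix matches every address.

ACCEPT, QUERY, REJECT = "accept", "query", "reject"
_ACTIONS = {"+": ACCEPT, "?": QUERY, "-": REJECT}


def parse_authhosts(spec):
    """Split e.g. '-:+192.168.1.:?10.0.0.' into (prefix, action) pairs."""
    rules = []
    for entry in spec.split(":"):
        entry = entry.strip()
        if not entry:
            continue
        if entry[0] not in _ACTIONS:
            raise ValueError("AuthHosts entry must start with +, - or ?: %r" % entry)
        rules.append((entry[1:], _ACTIONS[entry[0]]))
    return rules


def verify_host(spec, client_ip):
    """AuthHosts verdict for client_ip: longest matching prefix wins.
    Prefixes are plain string prefixes, so write '192.168.1.' with the
    trailing dot; '192.168.1' would also match 192.168.10.x and 192.168.100.x.
    An empty spec accepts everyone, the wide-open state the thread warns about."""
    verdict, best_len = ACCEPT, -1
    for prefix, action in parse_authhosts(spec):
        if client_ip.startswith(prefix) and len(prefix) > best_len:
            verdict, best_len = action, len(prefix)
    return verdict


def decide(spec, client_ip, query_all, console_answer=None):
    """Second layer: QuerySetting, simplified here to query_all. When set, any
    connection AuthHosts would accept is instead put to the console user.
    console_answer is True/False for their reply; None (nobody there) rejects.
    A host AuthHosts rejects never reaches the console at all."""
    verdict = verify_host(spec, client_ip)
    if verdict == ACCEPT and query_all:
        verdict = QUERY
    if verdict == QUERY:
        return ACCEPT if console_answer is True else REJECT
    return verdict
```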