On 2014/10/17 14:38, Daniel P. Berrange wrote: > On Fri, Oct 17, 2014 at 02:34:07PM +0800, Gonglei wrote: >> On 2014/10/16 18:46, Gerd Hoffmann wrote: >> >>> Hi, >>> >>>>> I try to prevent that by dropping the *oldest* connection, so you have a >>>>> chance to connect even if a unprivileged attacker tries to use up all >>>>> connection slots. >>>> >>>> Lets say the limit is 5. The bad guy has 5 open idle connections. >>>> The good guy opens a new one and pushes off one of the bad guy's >>>> connections. Fine so far. The bad guy though can simply open 5 more >>>> connections and he'll push the good guy's connection off again. >>> >>> Correct. It can't fully prevent the attack, but makes it harder to pull >>> off. Just having $limit idle connects isn't enough any more, the bad >>> guy has to constantly bomb qemu with vnc connect requests, hoping this >>> kicks out the good guy before it managed to authenticate. The chances >>> for the good guy are a bit better and it is also more likely that the >>> attack sets off alarms in network monitoring. >>> >> >> Hi, >> >> Happy that I don't miss this patch series and conversation. >> I have a approach to prevent the brute force attack (which >> had been tested in my team). Firstly, we must set password for >> vnc server for security. Secondly, the DoS may bomb qemu >> with vnc connect requests, trying to decrypt password at present. > > Note that VNC passwords offer no meaningful level of security. >
Encryption algorithms? > If you want security for VNC you must *always* use the TLS extension > or the SASL extension, or both. These offer proven cryptographically > strong authentication protocols. > >> If we set the max trying times, and then >> There are some concepts: >> - INTERVAL_TIME: a time window that user can connect vnc server >> - REJECT_TIME: the time of reject any connection >> - MAX_TRY_TIMES: the times that user can connect vnc server in >> INTERVAL_TIME, >> if attach the MAX_TRY_TIMES, the server will lock, any user can not >> connect again >> before REJECT_TIME attached. The old connected client will not be >> influenced. > > How are you defining "user" in this description. Do you mean "Source IP > address" > here ? Or any client connection ? Or something else ? > I mean "any client connection". :) Best regards, -Gonglei
