
Re: [tlug] VNC and security



On Wed, Dec 20, 2006 at 05:35:32PM +0900, Dave M G wrote:
> Scott, Stephen, Edward,
> 
> Thank you for your replies.

You're welcome.  :)


> 
> What I've done is change my Router and Firestarter firewall to use a 
> non-standard port for VNC connections. Security through obscurity. And of 
> course I have my VNC server password protected.
> 
> Next I wanted to set up SSH port forwarding. I think I have set it up with the 
> potential to work, but because of my limited understanding, I'm not using it 
> right. I'm hoping the kind folks at TLUG will nudge me in the right direction 
> in the places I've deviated.
> 
> 
> On the Windows side, I fire up Putty, and log into my Ubuntu machine on port 
> 8443. I log in successfully, my "fingerprint" matches. It all looks good, and I 
> see a command prompt.

You just blew the security by obscurity.  :)  Change the port now.  

(Not that much of a major issue, though I wouldn't put the port on a
publicly accessible mailing list--the main thing though is to avoid
automated ssh probes.)


> 
> But, then, this is where I think I'm missing something about the concept. I 
> start up the VNC viewer, type in my Ubuntu machine's IP address and VNC port, 
> and attempt to log in. It says "connection refused".
> 
> First, I don't understand how having the SSH connection up is controlling or 
> affecting the VNC viewer.

I don't either.  VNC should be listening on whatever port you've
determined, let's say port 5555.  As I use BSD's packet filter, I'm not
sure what you would want to do, but, let's say I was using port 5555 for
VNC, my firewall rule (remember--different syntax, but just to give you
the idea)

I've already given port 5555 the variable name vnc so my rule would be
pass in quick proto tcp from any to port $vnc keep state

On the Linksys router, (I don't know what router you use, or if you do)
in their port forwarding, I would have

port 5555 To 5555  and check off tcp and then have the machine's IP
address--that is, if this machine has a static IP in my internal network
of 192.168.1.55, in the Linksys forwarding section, I would put in
192.168.1.55 for the forwarding address.  

This works for me on FreeBSD.  

I'm assuming the obvious, that when you set up VNC server you set up a
password and that you're definitely not mistyping the password.  I don't
know if you tested VNC server on your internal network first, which is
always a good thing to do.  

It shouldn't have anything to do with the ssh connection.  They're
really two separate things (as Stephen stated, my first reply on this
thread should not even have mentioned that part).  The ssh connection is
just getting you in to start up VNC.


Hope some of this gives you hints, if nothing else.  My guess is the
firewall, but it's only a guess, assuming you've set up forwarding for
the VNC port.


-- 

Scott Robbins

PGP keyID EB3467D6
( 1B48 077D 66F6 9DB0 FDC2 A409 FA54 EB34 67D6 )
gpg --keyserver pgp.mit.edu --recv-keys EB3467D6

Joyce: You belong in a good old fashioned college with keg 
parties and boys. Not here with Hellmouths and vampires. 
Buffy: Not really seeing the distinction. 
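Added example, not code from the thread or from Scott: a small Python probe that tells the "connection refused" the poster sees apart from a silent timeout, since each points at a different fault in the set-up discussed above (nothing listening on the far end versus missing router forwarding or a DROP rule). The loopback listener and all host/port values are constructed stand-ins.

```python
import socket
import threading

# Added example; host/port values are constructed placeholders, not from the thread.
HINTS = {
    "open": "accepted: a listener, or the local end of an 'ssh -L' tunnel",
    "refused": "RST came back: nothing listening there (server down or bound elsewhere), or a REJECT rule",
    "timeout": "no answer: router port forwarding missing, or a firewall DROP rule",
    "error": "no route / name lookup / other OS error; check the address itself",
}

def probe_tcp(host, port, timeout=3.0):
    """Classify one TCP connect attempt as open / refused / timeout / error."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        return "open"
    except ConnectionRefusedError:  # OSError subclass, so catch it before OSError
        return "refused"
    except socket.timeout:
        return "timeout"
    except OSError:
        return "error"
    finally:
        s.close()

def diagnose(host, port):
    """Return (result, hint): what a VNC viewer's failure against host:port most likely means."""
    result = probe_tcp(host, port)
    return result, HINTS[result]

def start_fake_listener():
    """Loopback listener standing in for a VNC server (offline demo); returns its port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    # accept one connection, close it, then shut the listener down
    threading.Thread(target=lambda: (srv.accept()[0].close(), srv.close()), daemon=True).start()
    return srv.getsockname()[1]

def find_closed_port():
    """Bind an ephemeral loopback port and release it, so probing it yields 'refused'."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port
```

Run `diagnose(host, port)` first against the VNC port on the LAN, then from outside; a result of "open" inside and "timeout" outside points at the router or firewall, as Scott's guess above suggests.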


