
List:       vnc-list
Subject:    RE: Security...
From:       "Coyle, Joe" <jcoyle () wsi ! com>
Date:       2002-05-31 19:26:09

People are foolish if they do not use SSH2 tunneling with VNC.  If you want
to employ good security measures then you should only have VNC set to "Allow
Loopback Connections" with "Only Allow Loopback".

SSH2 adds another layer of security and encryption.  Even if you do not
allow VNC connections from the outside world, it is still a good practice on
a LAN or WAN.

SSH2 tunneling only adds a few extra steps to the process.

I also recommend that you do not allow any SSH protocol 1 connections.  This
is very easy to disable on any Unix or Windows type system.  Of course this
means that you need to have an updated SSH2 compliant server installed.

Happy VNCing

  Joe Coyle
  Systems Administrator
  Weather Services International
  978-670-5166
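A small audit script for the two settings Joe recommends (VNC bound to loopback only, SSH protocol 1 switched off). This is an added example, not code from the list or from any VNC or SSH project; the sshd_config fragments and the netstat-style listener rows are constructed here, and the function names are this example's own.

```python
"""Check that a host follows the advice above: sshd accepts only protocol 2
and every VNC display listens on loopback only.

Added example with constructed inputs; nothing here is taken from a real host.
"""
import re

# Constructed sshd_config fragments: one that is fine, one that re-enables protocol 1.
SSHD_CONFIG_OK = """\
Port 22
Protocol 2
PermitRootLogin no
"""

SSHD_CONFIG_BAD = """\
Port 22
Protocol 2,1
"""

# Constructed listener rows in the style of `netstat -ln` output: (proto, local address).
LISTENERS_OK = [
    ("tcp", "0.0.0.0:22"),
    ("tcp", "127.0.0.1:5900"),
]
LISTENERS_BAD = [
    ("tcp", "0.0.0.0:22"),
    ("tcp", "0.0.0.0:5900"),   # VNC display :0 reachable from every interface
]

VNC_PORTS = range(5900, 5910)          # displays :0 through :9
LOOPBACK = ("127.0.0.1", "::1", "localhost")


def ssh_protocol_versions(config_text):
    """Return the set of SSH protocol versions an sshd_config enables,
    or None when the file has no Protocol line at all (older OpenSSH
    releases then fell back to their own default, which may include 1)."""
    versions = None
    for line in config_text.splitlines():
        line = line.split("#", 1)[0].strip()           # drop comments
        m = re.match(r"(?i)protocol\s+([\d,\s]+)$", line)
        if m:
            versions = {int(v) for v in m.group(1).replace(" ", "").split(",") if v}
    return versions


def vnc_exposed_listeners(listeners):
    """Return the VNC listener addresses that are bound to anything other than loopback."""
    exposed = []
    for _proto, local in listeners:
        host, _, port = local.rpartition(":")
        if not port.isdigit() or int(port) not in VNC_PORTS:
            continue
        if host not in LOOPBACK:
            exposed.append(local)
    return exposed


def audit(config_text, listeners):
    """Return a list of findings; an empty list means the host matches the advice."""
    findings = []
    versions = ssh_protocol_versions(config_text)
    if versions is None:
        findings.append("no explicit Protocol line; set 'Protocol 2'")
    elif 1 in versions:
        findings.append("sshd still accepts SSH protocol 1")
    for local in vnc_exposed_listeners(listeners):
        findings.append("VNC listener %s is not loopback-only" % local)
    return findings


if __name__ == "__main__":
    for name, cfg, lst in (("good host", SSHD_CONFIG_OK, LISTENERS_OK),
                           ("bad host", SSHD_CONFIG_BAD, LISTENERS_BAD)):
        print(name, "->", audit(cfg, lst) or "OK")
```

On a real machine you would feed `audit()` the contents of sshd_config and the parsed output of `netstat -ln`; the loopback check is what makes the SSH tunnel the only way in, which is the point of Joe's "Only Allow Loopback" setting.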



-----Original Message-----
From: Jacob Hoover [mailto:jacob.hoover@marathonelectric.com]
Sent: Friday, May 31, 2002 2:37 PM
To: vnc-list@realvnc.com
Subject: RE: Security...


I didn't see the post, but VNC only uses the first
eight characters of any given password.  Working on the
whole security idea, it wouldn't be that difficult to
modify the server (Win version at least) to automatically
disable itself after a defined number of authentication
failures.  This would keep out most brute force or word
list hackers, but it would also stop the authorized user
if the hacker tripped the safeguard.

Jacob Hoover


-----Original Message-----
From: Shing-Fat Fred Ma [mailto:fma@doe.carleton.ca]
Sent: Friday, May 31, 2002 1:01 PM
To: vnc-list@realvnc.com
Subject: Re: Security...


TightVNC requires that ssh be installed.  It's a great
package, but security is an issue even with ssh.  It
seems that a malicious person can repeatedly
attempt to connect to the server with new passwords.
Though it doesn't allow more than X number of attempts
(somewhere around 5 or 7, I think), it's easy to "reset"
its "memory".  I can't quite remember, but I think I just
tried connecting to a different server to reset the
memory; or perhaps, I tried connecting to the same
server from another site.  Also, I don't think there was
much delay between failed password attempts.

The feature that prevents more than X attempts,
I'm not sure if it's built into the viewer or the server.
That code is publicly accessible.  There was a
recent post that pointed to a security hacker website
showing exactly how the viewer can be modified to
more effectively try connecting to a viewer (I think it
was by trying different passwords).  I believe the
password is only checked for a small number of
characters in any case.

Anyone remember this?

Fred
-------------------------------------------
Fred Ma
Department of Electronics
Carleton University, Mackenzie Building
1125 Colonel By Drive
Ottawa, Ontario
Canada     K1S 5B6
fma@doe.carleton.ca
===========================================
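Jacob's suggestion (disable the server after N failures) and Fred's two observations (no delay between attempts, and a failure counter that is easy to reset) point at the same design question: how should a server throttle repeated authentication failures without locking out its legitimate user? The sketch below is an added example, not code from any VNC server or from either poster; it keeps failures per source address with a sliding window and an exponential delay, so a single source cannot disable the whole server and a reconnect does not wipe the record. Class, function and address values are constructed for this example.

```python
"""Per-source back-off for repeated authentication failures.

Added example. Failures are recorded per source address, kept for `window`
seconds, and each failure beyond `free_attempts` doubles the delay the server
imposes before it processes that source's next attempt, up to `max_delay`.
A successful login clears the source's record; other sources are unaffected.
"""
from collections import defaultdict, deque


class AuthThrottle:
    def __init__(self, window=600.0, base_delay=1.0, max_delay=60.0, free_attempts=3):
        self.window = window                  # seconds a failure stays on record
        self.base_delay = base_delay          # delay after the first counted failure
        self.max_delay = max_delay            # cap so a source is slowed, not disabled
        self.free_attempts = free_attempts    # failures tolerated before any delay
        self._failures = defaultdict(deque)   # source -> timestamps of recent failures

    def _prune(self, source, now):
        """Forget failures older than the window; return how many remain."""
        q = self._failures[source]
        while q and now - q[0] > self.window:
            q.popleft()
        return len(q)

    def delay_for(self, source, now):
        """Seconds the server should wait before handling the next attempt
        from `source`; 0.0 when the source has no recent failures."""
        n = self._prune(source, now)
        if n <= self.free_attempts:
            return 0.0
        return min(self.max_delay, self.base_delay * 2 ** (n - self.free_attempts - 1))

    def record_failure(self, source, now):
        self._failures[source].append(now)

    def record_success(self, source):
        # A correct password clears only this source's history.
        self._failures.pop(source, None)


# Constructed event stream: (time in seconds, source address, login succeeded?)
# Eight failures from one address, one good login from another, then the first
# address returns after the window has expired.
EVENTS = [(float(t), "198.51.100.7", False) for t in range(8)] + [
    (8.0, "192.0.2.10", True),
    (1000.0, "198.51.100.7", False),
]


def simulate(events, **kw):
    """Replay events through a throttle; return the delay seen before each attempt."""
    t = AuthThrottle(**kw)
    delays = []
    for now, source, ok in events:
        delays.append(t.delay_for(source, now))
        if ok:
            t.record_success(source)
        else:
            t.record_failure(source, now)
    return delays


if __name__ == "__main__":
    for (now, source, ok), delay in zip(EVENTS, simulate(EVENTS)):
        print("t=%6.1f %-14s %-7s delay=%.1fs" % (now, source, "ok" if ok else "fail", delay))
```

The expiring window is deliberate: a hard "disable after N" gives any remote party a way to lock the real user out, which is the drawback Jacob raises, while a growing delay makes guessing slow without ever refusing the legitimate session. Per-source state still says nothing about attempts spread across many addresses, which is why this belongs behind the loopback-only plus SSH tunnel arrangement from the first message rather than in place of it.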
_______________________________________________
VNC-List mailing list
VNC-List@realvnc.com
http://www.realvnc.com/mailman/listinfo/vnc-list