I'm a newbie to VNC and must say this is awesome. However, I would like to secure UltraVNC. I use a secure password and use the encryption plugin.
I tried searching on the forum and on the net for how to secure UltraVNC. I came up with a a few dead links to a pdf file in Dec 2003 and a post on this forum. I am surprised there isn't a tutorial on this already.
Anyone help me suggest how to secure UltraVNC? That would be much appreciated!!!
Update: UltraVNC 1.4.3.6 and UltraVNC SC 1.4.3.6: viewtopic.php?t=37885
Important: Please update to latest version before to create a reply, a topic or an issue: viewtopic.php?t=37864
Join us on social networks and share our announcements:
- Website: https://uvnc.com/
- GitHub: https://github.com/ultravnc
- Mastodon: https://mastodon.social/@ultravnc
- Facebook: https://www.facebook.com/ultravnc1
- X/Twitter: https://twitter.com/ultravnc1
- Reddit community: https://www.reddit.com/r/ultravnc
- OpenHub: https://openhub.net/p/ultravnc
Important: Please update to latest version before to create a reply, a topic or an issue: viewtopic.php?t=37864
Join us on social networks and share our announcements:
- Website: https://uvnc.com/
- GitHub: https://github.com/ultravnc
- Mastodon: https://mastodon.social/@ultravnc
- Facebook: https://www.facebook.com/ultravnc1
- X/Twitter: https://twitter.com/ultravnc1
- Reddit community: https://www.reddit.com/r/ultravnc
- OpenHub: https://openhub.net/p/ultravnc
Securing UltraVNC
-
leesiulung
- Posts: 7
- Joined: 2005-08-28 06:31
I already use encryption as mentioned in my first post. I was referring to any other way I can harden the security to prevent people from breaking in.redge wrote:[topic=3049][/topic]
[topic=648][/topic]
[topic=3278][/topic]
For instance,
1. Is there a way to set a maximum of 3 attempts of login on any account.
2. Change port numbers to something less obvious it is VNC.
etc... as we all know any open port is a possible security breach. Maybe there is a way to inject some code... what can be done to further prevent or make it harder for all these types of attacks.
If VNC is breached the whole computer could possible be taken over. I take this quite seriously.
Anyhow, redge thanks for the reply.
Last edited by leesiulung on 2005-08-29 03:01, edited 1 time in total.
I can probably help a little but I'd need to know a little more about your setup.
Are you accessing UltraVNC over the Internet? You DO have a firewall, don't you? Do you always access your machine from the same Internet address, or does that change a lot.
Before they can even attempt logging in 3 times, they've got to have your encryption key. As long as you keep that secure they can't even connect.
UltraVNC does write some info into the EventLog. Might want to take a look there.
There are some additional ways to restrict access, but it really depends on your setup and where you access your machine from.
Sean
Are you accessing UltraVNC over the Internet? You DO have a firewall, don't you? Do you always access your machine from the same Internet address, or does that change a lot.
Before they can even attempt logging in 3 times, they've got to have your encryption key. As long as you keep that secure they can't even connect.
UltraVNC does write some info into the EventLog. Might want to take a look there.
There are some additional ways to restrict access, but it really depends on your setup and where you access your machine from.
Sean
-
leesiulung
- Posts: 7
- Joined: 2005-08-28 06:31
Sean (scovel),
thanks for the reply.
I have a dynamic IP and intend to connect over the internet with free service from dyndns.org. I do have a firewall and periodically update windows frequently.
I would like as secure connection as I can get. I don't mind hard setup or inconveniences when connecting. In addition, I want to hide the fact that I run VNC if possible. I don't know if port scanning can reveal that I run VNC.
In advance thanks.
-leesiulung
thanks for the reply.
I have a dynamic IP and intend to connect over the internet with free service from dyndns.org. I do have a firewall and periodically update windows frequently.
I would like as secure connection as I can get. I don't mind hard setup or inconveniences when connecting. In addition, I want to hide the fact that I run VNC if possible. I don't know if port scanning can reveal that I run VNC.
In advance thanks.
-leesiulung
Detecting that VNC is running doesn't get a hacker much. Older versions of VNC (ALL older versions, Ultra, AT&T, REAL, Tight) were pretty weak. 8 character passwords, unlimited password attempts, weak encryption.
Newer versions still have 8 character passwords but do some connection throttling and timeouts on connection attempts. Encryption (VNC Password encryption) is still weak. They do slow down the cracker attempts thought.
MSRC4 plugin had a minor issue, it always started the VNC handshake with the same pseudo-random sequence, making is possible to detect that it was a VNC connection. Again, doesn't get you much though. You have to crack the 128 Bit encryption to be able to do anything with it.
With the new Beta (almost production!) plugins its VERY difficult to tell what is running on the port. Sure, port 5900 is typically used by VNC, but the encryption is now more completely random. Could be any encrypted traffic. You could change the port, but that won't gain you anything. Port-scanners won't be able to tell you what is on the port. They might assume its VNC since its 5900, but it will be a guess.
So, to crack your machine they need your key file. IF they got that they'd still need your 8 character password. Pretty unlikely they would get both unless you are really careless.
What else can you do? The rest is really up to your firewall. Personally I only allow certain IP addresses to access port 5900 on my firewall. Port scanners won't even see the port as open unless they are using one of those IP addresses. Since I know the IP addresses in advance I can set those up before I leave the house.
That's all I can think of at the moment. That should give you some things to think about.
Sean
Newer versions still have 8 character passwords but do some connection throttling and timeouts on connection attempts. Encryption (VNC Password encryption) is still weak. They do slow down the cracker attempts thought.
MSRC4 plugin had a minor issue, it always started the VNC handshake with the same pseudo-random sequence, making is possible to detect that it was a VNC connection. Again, doesn't get you much though. You have to crack the 128 Bit encryption to be able to do anything with it.
With the new Beta (almost production!) plugins its VERY difficult to tell what is running on the port. Sure, port 5900 is typically used by VNC, but the encryption is now more completely random. Could be any encrypted traffic. You could change the port, but that won't gain you anything. Port-scanners won't be able to tell you what is on the port. They might assume its VNC since its 5900, but it will be a guess.
So, to crack your machine they need your key file. IF they got that they'd still need your 8 character password. Pretty unlikely they would get both unless you are really careless.
What else can you do? The rest is really up to your firewall. Personally I only allow certain IP addresses to access port 5900 on my firewall. Port scanners won't even see the port as open unless they are using one of those IP addresses. Since I know the IP addresses in advance I can set those up before I leave the house.
That's all I can think of at the moment. That should give you some things to think about.
Sean
-
leesiulung
- Posts: 7
- Joined: 2005-08-28 06:31