VNC and security

Adcadet

I've got my old and new computer under my desk. Both are hooked into my flat panel: my new computer into the digital port and the old into the analog. By hitting the input button on the monitor I can flip between computers, but I still have to unplug/plug my keyboard and mouse. Instead, I want to run VNC. I installed TightVNC, since that's what I'm used to at school. But I heard that UltraVNC is pretty slick on Windows, and so far I have to agree. I want to set up some basic security, and I thought it would make sense to have my router make sure that only local computers can use the ports used by UltraVNC. Does anybody know how to do this on a Linksys BEFW11? Is this the private filtered port range? I'd like to be able to specify that only my IP address can access the UltraVNC server, but I'm not sure that's possible. Any other security suggestions? Since I'm doing all of this from within my LAN and I feel no need to run VNC outside my LAN, should I bother with SSH and other such encryptions?

Thanks,
Adcadet
 

Chewy509

You don't have to do anything, if you're only using VNC on the LAN only...

Unless your router is set to forward all packets to the server, you have nothing to worry about; otherwise just set up a filter on the router to block all traffic on ports 5900-6000 (TCP/UDP) going to the server.
 

sechs

Unless someone breaks into your LAN, I don't see a point. And if someone does that, you have bigger issues.
 

Adcadet

Well....I do have a wireless router. Perhaps I should take another look at wireless security. Anybody know a good primer?
 

ddrueding

Just do MAC filtering. It's pretty tricky to bypass and keeps the easy ones out. Mainly it lets you use any OS or other device without hassle.
 

sechs

MAC address filtering is actually pretty easy to bypass; but, once you've spoofed an authorised user's address, that computer gets connectivity issues with the access point. It'll be obvious that something is going on.

Wireless security is a different question, but my theory is that more is better. You can't make it impossible for someone to break into your wireless network, but you can make it not worthwhile.
 

ddrueding

Not worthwhile is a subjective thing. There are at least 2 completely unsecured APs around me; if I have any security at all, then no-one will bother.

If I was the only AP around, I'd be more worried.
 

Adcadet

Already doing MAC filtering, and there's probably 20 APs within a block of me, and at least a few are unsecured. In fact, I can see a weak signal from an unsecured AP from most of my apartment.
 

Mercutio

I can "borrow" 802.11G to cable internet connections from SIX of my neighbors from anyplace in my apartment. Some day I plan to build a machine to aggregate all of those into one conduit for my personal torrenting needs. ;)

MAC filtering is trivial, TRIVIAL to walk around, particularly on a Linux system.

WPA or WPA2 are a decent start.
802.11A is a lot safer simply because its range is fairly low and 5.8GHz signals aren't likely to penetrate an exterior wall.

And if you're really worried, you can always force all your traffic through an SSH tunnel or some other VPN.
 

Sol

I figure WPA2 with a 63-byte AES pass phrase constructed of random(ish) junk with MAC filtering is secure enough for my needs, and fairly trivial to implement and connect to (on a PC anyway, where you can transfer the pass phrase on a USB key; it's kind of a bitch to punch into a Wii with a Wii remote).

If you want to specify just one IP address to connect to the VNC server then you can set a rule in IPTables. Typically you would do this by setting the default rule to drop all packets from anywhere, and then setting rules to accept just the packets you want (in your case probably just everything from the machine in question and maybe some specific ports from anyone on the local net for any file sharing and such). If you don't use a heap of ports or don't access the Linux box from many machines then this probably isn't too paranoid a solution. It's certainly a good learning experience figuring out how IPTables works even if you're not terribly likely to really need it.

If you really want to make your VNCing secure you could configure the VNC server to only start on the localhost and use an SSH tunnel to forward the port to your local machine when you want to use it (PuTTY allows you to do this fairly easily but Cygwin's ssh client allows much easier scripting). I used to do this with my Linux router to hook in from work. I just set up a script that forwarded the port and started the VNC server (I was VNCing into a running X session to check on downloads so it was better not to leave the server running), then I could just hook in with a VNC client on my work machine and start any torrents I wanted done by the time I got home.
That's kind of overkill for home network security but it's another handy technology to be able to use easily.
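The two setups Sol describes above (an iptables "drop by default, accept one client" rule set for the VNC port, and a VNC server bound to localhost reached through an SSH port forward), written out as an added example that is not from the thread. It assumes the VNC server listens on TCP 5900 (display :0) for the firewall case and on 5901 (display :1) for the tunnel case, and that the trusted client is 192.168.1.10 (a constructed address); the functions only emit the commands so they can be reviewed before being piped into a root shell.

```shell
#!/bin/sh
# Added example: generate iptables rules that let exactly one LAN host reach the
# VNC port and drop everything else. Assumptions (not from the thread): VNC on
# TCP 5900, trusted client 192.168.1.10 (constructed). Apply with:
#   vnc_firewall_rules 192.168.1.10 | sudo sh
vnc_firewall_rules() {
    allowed_ip="$1"            # the single client allowed to reach VNC
    vnc_port="${2:-5900}"      # display :0 -> 5900, :1 -> 5901, ...
    cat <<EOF
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p tcp -s ${allowed_ip} --dport ${vnc_port} -j ACCEPT
iptables -A INPUT -p tcp --dport ${vnc_port} -j DROP
iptables -P INPUT DROP
EOF
}
# Notes on ordering: the ESTABLISHED,RELATED rule is emitted before the policy
# change so an existing SSH session is not cut off when the script is run
# remotely; the explicit DROP on the VNC port keeps the intent visible even if
# someone later flips the default policy back to ACCEPT.

# Tunnel variant: the server runs `vncserver -localhost :1` on the remote box,
# so 5901 is bound to 127.0.0.1 there and is unreachable from the LAN. The
# client opens an SSH local forward and points its VNC viewer at
# localhost:5901; the VNC traffic never leaves the SSH session.
ssh_tunnel_cmd() {
    ssh_host="$1"              # e.g. user@router (assumed name)
    display="${2:-1}"
    port=$((5900 + display))
    printf 'ssh -N -L %s:127.0.0.1:%s %s\n' "$port" "$port" "$ssh_host"
}

# Quick check that the port is not exposed on the server side: an empty result
# means nothing is listening on the wildcard address for that port.
vnc_exposed_check_cmd() {
    port="${1:-5901}"
    printf "ss -ltn | awk '\$4 ~ /(^|:)0\\\\.0\\\\.0\\\\.0:%s\$|\\\\*:%s\$/'\n" "$port" "$port"
}
```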
 