Xvnc - securing your vncserver
VNC stands for Virtual Network Computing. It is remote control software which allows you to view and interact with one computer (the "server") using a simple program (the "viewer") on another computer anywhere on the Internet. You can learn more here.
Even though VNC is a nice protocol, it poses a security risk for the computers involved, because all the traffic is transferred in plain text, so any sensitive information that is transmitted, like passwords, can potentially be picked up by a third party.
An easy way to ensure your info can't be sniffed is to use ssh to tunnel the ports.

Here are the steps to set up your secure vnc server-client protocol:
- First make sure you have everything you need
- On Linux:
Most distributions have OpenSSH and Xvnc built in; an easy way to check is to type "ssh -V" and "Xvnc -help". If either of these fails, you need to download and install them. If you are running Fedora or RedHat, just type in your shell
$> up2date vnc-server vnc openssh-server openssh-client
If you run a different distribution you can get the package RealVNC or TightVNC.
- On Windowz:
You can get a nice OpenSSH distribution for Windows here, and for this platform I recommend installing RealVNC.
- On MacOS X:
SSH is built in as in Linux, so you only have to activate it by going to the Sharing section of System Preferences.
The vnc server for Mac OS X is called OSXVnc.
- Restrict your VNC daemon to listen only for local connections. This will stop anyone trying to connect to your machine through this port from the network.
- On Linux:
An easy way to do this is to edit your vncserver script. It is usually located at /usr/bin/vncserver. Just edit the file and add the line
$cmd .= " -localhost";
after the line
$cmd = "Xvnc :$displayNumber";
This will force the vnc servers you create from now on to only listen for local connections.
- On Windowz:
Activate the Firewall for your network connection and allow only incoming communications through port 22. If you don't know how to do this, type "Firewall" in your windowz help.
- On MacOS X:
Open the OSXVnc manager and in the sharing section select "Only allow local connections". Note: You can make OSXVnc a startup service.
- Turn on the daemons: On your server start a vncserver session, and make sure ssh is running on both your server and your client.
- On your client start an ssh tunnel between the ports you want to communicate:
- On Linux:
Open a terminal and type:
$> sudo ssh -L 59DD:localhost:59DD -l user yyy.yyy.yyy.yyy
where DD is the vnc display you want to connect to, and yyy.yyy.yyy.yyy is the server IP.
- On Windowz:
Open an ssh tunnel; this depends on your ssh client. If you are using Secure Shell™ just go to profile settings and create an outgoing port
If you are using OpenSSH for windows, on the command prompt type:
c:\> ssh -L 59DD:localhost:59DD -l user yyy.yyy.yyy.yyy
where DD is the vnc display you want to connect to, and yyy.yyy.yyy.yyy is the server IP. Note: make sure that "C:\Program Files\OpenSSH\bin" is in your PATH.
- On MacOS X:
Same as in Linux. Note: Due to a bug in the latest release of Mac OS X (Panther), use 127.0.0.1 instead of localhost, like this:
$> sudo ssh -L 59DD:127.0.0.1:59DD -l user yyy.yyy.yyy.yyy
more about this issue here.
- On your client, start the VNC viewer and connect through the tunnel:
- On Linux:
Finally in another terminal type:
$> vncviewer localhost:DD
where DD is the display you want to connect to
- On Windowz:
Open the vncviewer and type localhost:DD, where DD is the display you want to connect to.
- On MacOS X:
Same as in Linux. Get the VNC viewer for Mac OS X here.
- It should be working by now. Here is a screenshot of a client running on windowz connected to a server running on Linux and, at the same time, a client on that Linux machine connected to a server on the original Windows machine (ah!).
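As an added example (not part of the original how-to, and not code from any of the VNC or SSH projects), here are small POSIX shell helpers for the Linux steps above: deriving the TCP port from the display number, building the client-side ssh tunnel command, and checking "ss -ltn" output to confirm that the Xvnc listener is bound only to loopback after the -localhost change. The ss output embedded below is constructed sample data; the function names are my own.

```shell
#!/bin/sh
# Added example: helpers for the tunnel recipe above (not the page's own code).

# vnc_port DD: VNC display :DD is served on TCP port 5900+DD (display :1 -> 5901).
vnc_port() {
    echo $((5900 + $1))
}

# tunnel_cmd DD USER HOST: the client-side ssh command for display DD.
# The local end is pinned to 127.0.0.1, which also sidesteps the Panther
# "localhost" issue mentioned above.
tunnel_cmd() {
    port=$(vnc_port "$1")
    echo "ssh -L ${port}:127.0.0.1:${port} -l $2 $3"
}

# vnc_local_only DD: read "ss -ltn"-style lines from stdin and succeed only if
# there is a listener on the display's port and every such listener is bound to
# a loopback address. Typical use on the server:  ss -ltn | vnc_local_only 1
vnc_local_only() {
    port=$(vnc_port "$1")
    found=0
    while read -r state recvq sendq laddr peer rest; do
        # 4th column is Local Address:Port, e.g. 127.0.0.1:5901, *:5901, [::1]:5901
        case "$laddr" in
            *:"$port") ;;
            *) continue ;;
        esac
        found=1
        case "$laddr" in
            127.0.0.1:*|"[::1]":*) ;;
            *) return 1 ;;   # bound to a non-loopback address: reachable from the network
        esac
    done
    [ "$found" -eq 1 ]
}

# Constructed sample of "ss -ltn" output after adding -localhost to vncserver:
SAMPLE_SS_OUTPUT='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      5      127.0.0.1:5901     0.0.0.0:*
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*'
```

A VNC server still bound to 0.0.0.0 (or *) on its display port is exactly the exposure the -localhost line is meant to remove, so the check fails for that case.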
