VNC security

Printable View

May 26th, 2002, 05:38 PM
slarty

VNC security

I realise quite a lot of people use VNC, quite often on internet-connected systems.

1. Is there any theoretical barrier to a VNC password being brute-forced reasonably easily / quickly?

2. Is there any logging in VNC servers for incorrect passwords.

3. Does the IP of connections get logged?

It strikes me that although VNC uses a (fairly) strong password authentication scheme itself, there are no mechanisms to prevent brute-forcing.

Also as VNC has no usernames, forcing VNC passwords only is required, as there is not a username required.

If these things are true, should we not petition [i.e. make] for a stronger version of VNC?

PS: Don't flame me for putting this in *NIX, I realise VNC works on non-UNIX systems too, but there isn't a "Platform independent security discussions" forum.
May 26th, 2002, 06:43 PM
Tedob1

vnc wasnt designed for an environment where high security is an issue. it was originally made by the people at bell labs for use amoung them selves on their own network. it worked wel an they decided to share it.
their is a brute force tool made just for those who are foolis enough to use vnc in an untrusted environment
ive heard you can use vnc in conjunction with ssh although i havn't had cause to find out more about this.
May 26th, 2002, 07:45 PM
ammo

vnc with ssh... yup: (http://www.uk.research.att.com/vnc/sshvnc.html)
Basically, you setup your vnc server to bind to localhost, then setup your ssh client to tunnel the vnc port to the remote host...

This pretty much gives you all the advantages of ssh security while enjoying your vnc gui...

Ammo
May 26th, 2002, 08:08 PM
slarty

Ok, so the thing to do is to run vnc binding only to localhost, then ssh in and tunnel the ports.

What about Windows Users?

Many sysadmins of NT4 etc use VNC as an alternative to the many commercial remote control products (notably PCAnywhere) - this isn't as much of an issue with Win2k as win2k server ships with terminal server which is quite effective.
May 26th, 2002, 10:14 PM
Tedob1

if a company can afford the licensing for NT they afford a license for pcAnywhre. if they try to get away cheap, what happens after that is nobodys fault but their own. i use vnc behind a firewall and pcanywhere listening on a modem to call in from home.
May 26th, 2002, 10:17 PM
Guus

Slarty, you just beat me to the punch. Last week, as a result of pure boredom, I started experimenting a bit with vnc (in particular the latest build available for win32 platforms, 3.3.3r9). Since I didn't complete anything yet, I didn't share anything - but I'm planning to do so in the near future. For now, this is what I found as an answer on your questions:

Is there any theoretical barrier to a VNC password being brute-forced reasonably easily / quickly?
I've been coding in an attempt to do just this, but so far I'm only able to try one password in about 10 seconds - this is probably just because I'm a lousy programmer, but I did find an security message saying 'too many succesive tries.' I'm getting another messege, however, so I don't yet know if the restriction is actually in the program.

Is there any logging in VNC servers for incorrect passwords. / Does the IP of connections get logged?
No, there's no logging whatsoever.

Quote:

It strikes me that although VNC uses a (fairly) strong password authentication scheme itself (...)

Partially true. The old RFB-protocol that VNC uses does use a DES-like encryption, but it is limited to 8 character password. All characters after the 8th are not used. This means that if you set the password "thisisaverylongpassword", you can use just "thisisav" to connect to the server.