Home page logo

basics logo Security Basics mailing list archives

From: Glen Mehn <glen () myvest com>
Date: Fri, 31 Jan 2003 10:47:24 -0800

Megan Golding wrote:

On Wed, 2003-01-29 at 13:08, Marty wrote:
My question is simple is the latest version of VNC better than the
previous ones and should we allow our tech group to use it to take
control of our machines (servers and workstations)...

I highly suggest running VNC over an SSH tunnel -- it doesn't noticeably
degrade VNC performance and adds the security element VNC seems lacking.

When run this way, VNC is no riskier than SSH...in which case I would
have no problem with a tech group using it for remote administration.

Well, enforcing the VNC-over-ssh with port filtering would definitely fit the bill, IMO, but that adds a (small) layer of work on top of it. The issues with VNC seem to mostly be:

--trivially encoded passwords, with a well-known/reversible hash and salt
--the simple ability to brute-force the password

In investigating VNC, I also found that you can (somewhat) mitigate the latter problem by enforcing a "lockout after $num failed attempts.


Glen Mehn               glen () myvest com
Systems Administrator   MyVest, LLC

  By Date           By Thread  

Current thread:
  • Re: VNC Glen Mehn (Feb 01)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]