Re: heads up, folks: random vnc (remote desktop) attempts



On 02/15/2009 05:08 PM, H.S. wrote:
Hi,

A few weeks ago I was helping a friend fix a few quirks with his brand
new machine and Ubuntu install (64 bit, newest version, Jaunty?). So I
asked him to start his remote desktop (VNC) with no password but which
required his permission to let a client connect to his desktop.

He forwarded port 5900 on his router to his machine and all worked well.
I was able to see his desktop successfully.

We did our work and thought nothing about it later.

It turns out that after a few days he noticed some unexplainable IP
address requesting to see his desktop. He knew it was not me. He
immediately denied the request and removed the port forwarding on his
firewall for good measure.

Since then, he just has his SSH port forwarded and I tunnel the VNC
connection through it. This is the most secure way I can think of at
present to do this.

Lesson: looks like there are rogue attempts to open a VNC connection on
random IP addresses. This is akin to random attempts at trying to
connect via the SSH port that many people may have noticed in
/var/log/auth.log. So folks, just do not set up your remote desktop
without some sort of security, preferably both password and permission
prompt.

Regards.


As you know by now, 5900 is a well known port that is scanned for
regularly. See some of the previous threads on this, but you can easily
change the port number to make it a little less obvious for script
kiddies etc. if you just need to get in and out briefly.

http://isc.sans.org/port.html?port=5900



--
ubuntu-users mailing list
ubuntu-users@xxxxxxxxxxxxxxxx
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-users
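
An added example, not part of either message in this thread: a local check that flags VNC listeners bound to anything other than loopback, which is the exposure a port 5900 forward turns into an Internet-facing service. The function names, the `VNC_PORTS` range and the sample `ss` output are assumptions constructed for illustration.

```python
import ipaddress
import subprocess
import sys

# Constructed sample of `ss -H -ltn` output (not taken from the thread).
SAMPLE_SS_OUTPUT = """\
LISTEN 0 128        0.0.0.0:22      0.0.0.0:*
LISTEN 0 5        127.0.0.1:5900    0.0.0.0:*
LISTEN 0 5             [::]:5901       [::]:*
LISTEN 0 4096 127.0.0.53%lo:53      0.0.0.0:*
LISTEN 0 5     192.168.1.20:5900    0.0.0.0:*
"""

VNC_PORTS = range(5900, 5910)  # assumption: VNC displays :0 to :9


def is_loopback(host):
    """True only for addresses reachable from the local machine alone."""
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:  # "*" (all interfaces) or anything unparsable
        return False


def exposed_vnc_listeners(ss_output):
    """Return (address, port) for VNC listeners not bound to loopback."""
    exposed = []
    for line in ss_output.splitlines():
        cols = line.split()
        if len(cols) < 5 or cols[0] != "LISTEN":
            continue
        host, _, port = cols[3].rpartition(":")
        host = host.split("%", 1)[0].strip("[]")  # drop %iface scope, [] of IPv6
        if port.isdigit() and int(port) in VNC_PORTS and not is_loopback(host):
            exposed.append((host, int(port)))
    return exposed


if __name__ == "__main__":
    # Pass --live to inspect this machine instead of the constructed sample.
    if "--live" in sys.argv:
        text = subprocess.run(["ss", "-H", "-ltn"], capture_output=True,
                              text=True, check=True).stdout
    else:
        text = SAMPLE_SS_OUTPUT
    for host, port in exposed_vnc_listeners(text):
        print(f"VNC listener on {host}:{port} is reachable from the network")
```

A listener bound only to loopback is not reported, since it can be reached from outside only through something like the SSH tunnel described in the thread.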