heads up, folks: random vnc (remote desktop) attempts
NoOp
glgxg at sbcglobal.net
Mon Feb 16 20:01:23 UTC 2009
On 02/15/2009 05:08 PM, H.S. wrote:
> Hi,
>
> A few weeks ago I was helping a friend fix a few quirks with his brand
> new machine and Ubuntu install (64 bit, newest version, Jaunty?). So I
> asked him to start his remote desktop (VNC) with no password but which
> required his permission to let a client connect to his desktop.
>
> He forwarded port 5900 on his router to his machine and all worked well.
> I was able to see his desktop successfully.
>
> We did our work and thought nothing about it later.
>
> It turns out that after a few days he noticed some unexplainable IP
> address requesting to see his desktop. He knew it was not me. He
> immediately denied the request and removed the port forwarding on his
> firewall for good measure.
>
> Since then, he just has his SSH port forwarded and I tunnel VNC
> connection through it. This is the most secure way I can think of at
> present to do this.
>
> Lesson: looks like there are rogue attempts to open a vnc connection on
> random IP addresses. This is akin to random attempts at trying to
> connect via the SSH port that many people may have noticed in
> /var/log/auth.log. So folks, just do not setup your remote desktop
> without some sort of security, preferably both password and permission
> prompt.
>
> Regards.
>
As you know by now, 5900 is a well known port that is scanned for
regularly. See some of the previous threads on this, but you can easily
change the port number to make it a little less obvious for script
kiddies etc. if you just need to get in and out briefly.
http://isc.sans.org/port.html?port=5900
More information about the ubuntu-users
mailing list