
Continuing CK’s article on VNC where he left off, here is the VNC-over-Internet remote administration version of the guide. The first part of the tutorial covers setting up VNC over the Internet; the second part deals with hardening your VNC setup according to security best practices. This article is going to be a long one, so take a deep breath and let’s go!

Part One
By now you should have VNC installed and be able to connect over the LAN. Make sure you register the VNC Server as a system service if you want it to run automatically at Windows start-up.

Now let’s extend this control across the Internet. To control your PC over the Internet you will have to:

1) Know your IP address. If you are on a static IP, all is well; if your ISP gives you a dynamic IP you will need to either:
a) take note of your current public IP whenever you leave home, or
b) register with one of the numerous free dynamic DNS services. Such a service keeps a host name pointed at your changing IP: a dynamic update client runs on your local computer and tells the dynamic DNS site whenever the address changes, so you connect to the host name instead of the raw IP. Logging into the site will also show you your current IP.

2) Permit traffic on the SSH port, TCP 22, on the server (the PC you want to control), and if you are behind a router, forward that same port to the server. Note that it is the SSH port that gets opened and forwarded, not the VNC port (5900): once Part Two is in place, all VNC traffic rides inside the SSH tunnel, and the VNC port itself should never be reachable from the Internet. How this is done depends on which firewall and/or router you are using. For example, in Windows XP SP2’s firewall, go to Start | Control Panel | Windows Firewall | Exceptions tab | Add Port | port name SSH, port 22, TCP.

[Screenshot: Windows XP SP2 firewall, adding the TCP port 22 exception]

If you are behind a router, or your bridge modem is in router mode, you will also need to forward TCP port 22 to the server. This means that any inbound traffic arriving at the router on port 22 (the SSH port) is passed through and directed to the server, while everything else stays blocked at the router. There is a useful site detailing how to port forward on popular routers.

[Screenshot: forwarding TCP port 22 to the server] This is what port forwarding looks like on my Linksys AM300 modem/router.

Part Two
Because access to a VNC server is access to your whole computer, security is of utmost importance. VNC is inherently insecure: the only part of a plain VNC session that is protected is the login, where the password is used in a challenge-response exchange (a weak, DES-based scheme), and after that every keystroke, mouse movement and screen update crosses the network unencrypted. Anyone positioned on the path can sniff the session, and anyone on the Internet can find you, since freely available scanners sweep whole subnets looking for PCs listening on the ports VNC uses. Hence the need to encrypt all traffic moving between the two machines (client and server).

The purpose of VNC + SSH is to remove this risk. SSH, the Secure Shell, provides secure (encrypted and authenticated) connections between a machine running an SSH client and one running an SSH server. Over that one connection SSH carries terminal sessions, file transfer protocols, TCP/IP port forwarding and so on, using strong ciphers such as AES-256 and TripleDES (enough technical jargon for now). By tunnelling VNC over an SSH connection you reach the host exactly as before, but with all traffic strongly encrypted and the server’s identity verified by its SSH host key.

Getting & Installing OpenSSH
There are two ways to go about this. You can either get the standalone OpenSSH installation file or download Cygwin and grab the relevant OpenSSH packages. Cygwin is a POSIX compatibility layer for Windows, complete with a bash shell that can replace the usual cmd.exe; what this means is that it allows *nix programs (binaries, or "bin") to run on Windows. Maybe a tutorial on the power of Cygwin will be up next.

After downloading Cygwin, run the setup executable. Cygwin’s setup is actually an installation and update utility that retrieves the binary packages from the Internet. As you can guess, the package we are interested in is called OpenSSH and is found in the Net category. After installation completes you need to add Cygwin’s environment variables on the server, so that the OpenSSH service can be registered and Windows can find the Cygwin binaries. Do this by right-clicking My Computer | Properties | Advanced tab | Environment Variables button, and then:

1. Add a system variable named CYGWIN with the value ntsec tty using the Add button.

[Screenshot: CYGWIN environment variable set to "ntsec tty"]

2. Append C:\cygwin\bin (or whatever your installation directory is; for me it was C:\Program Files\Cygwin\bin) to the end of the existing PATH environment variable using the Edit button. Warning: do not remove what is already there; just append ;C:\cygwin\bin to the end of the line, or you will break your paths.

[Screenshot: PATH variable with the Cygwin bin directory appended]

3. Configure OpenSSH in Cygwin by typing ssh-host-config at the Cygwin prompt and answering as follows (privilege separation is the secure choice: it runs the part of sshd that talks to the network as an unprivileged user):

[Screenshot: ssh-host-config prompts]


“Privilege Separation?” Yes
“Create local user SSHd?” Yes
“Install SSHd as a service?” Yes
“CYGWIN = ” enter ntsec

4. We can now start the SSH daemon (that’s "service" to you Windows folks) by typing net start sshd within Cygwin, by typing cygrunsrv.exe -S sshd, or simply by rebooting the machine. You can check that sshd is running by typing netstat -an at the command prompt and looking for a TCP line with local address 0.0.0.0:22 in the LISTENING state. To stop the SSH service, type net stop sshd. Bear in mind that from the moment port 22 is forwarded, the whole Internet can try passwords against the account you log in with, so give it a strong Windows password, or better, switch sshd to key-based logins in Cygwin’s /etc/sshd_config.
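As an added example (not part of the original article), here is a small shell audit of the Cygwin sshd_config, which ssh-host-config writes to /etc/sshd_config. It runs in the Cygwin bash shell on the server. The directive names are OpenSSH’s own; the account name admin and the two sample configurations are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original article: audit the Cygwin sshd_config
# before TCP 22 is opened to the Internet. Assumptions: the file is
# /etc/sshd_config (where ssh-host-config puts it) and the only account that
# should log in is "admin". Sample configs below are constructed.

lc() { printf '%s' "$1" | tr 'A-Z' 'a-z'; }

# sshd_value CONFIG_TEXT KEY
# Prints the effective value of KEY. Comment lines are ignored, matching is
# case-insensitive, and sshd honours the FIRST occurrence of a directive.
sshd_value() {
    printf '%s\n' "$1" | awk -v key="$2" '
        $1 ~ /^#/ || NF == 0 { next }
        tolower($1) == tolower(key) { print $2; exit }'
}

# audit_sshd_config CONFIG_TEXT
# Prints one line per weak setting; returns 1 if anything is weak, else 0.
audit_sshd_config() {
    cfg="$1"; bad=0
    v=$(sshd_value "$cfg" Protocol)
    [ "$v" = "2" ] || { echo "WEAK: Protocol is '${v:-unset}'; set 'Protocol 2' (protocol 1 is broken)"; bad=1; }
    v=$(lc "$(sshd_value "$cfg" PasswordAuthentication)")
    [ "$v" = "no" ] || { echo "WEAK: PasswordAuthentication is '${v:-yes by default}'; use keys and set it to no"; bad=1; }
    v=$(lc "$(sshd_value "$cfg" PermitEmptyPasswords)")
    [ "$v" != "yes" ] || { echo "WEAK: PermitEmptyPasswords yes"; bad=1; }
    v=$(lc "$(sshd_value "$cfg" PubkeyAuthentication)")
    [ "$v" != "no" ] || { echo "WEAK: PubkeyAuthentication no leaves passwords as the only way in"; bad=1; }
    v=$(sshd_value "$cfg" AllowUsers)
    [ -n "$v" ] || { echo "WEAK: no AllowUsers line; every local Windows account may log in"; bad=1; }
    return $bad
}

# Constructed sample: what a fresh Cygwin install tends to leave you with
# (everything commented out, i.e. the compiled-in defaults apply).
CFG_DEFAULT='# sshd_config written by ssh-host-config
#Protocol 2,1
#PasswordAuthentication yes
#PermitEmptyPasswords no
UsePrivilegeSeparation yes
Subsystem sftp /usr/sbin/sftp-server'

# Constructed sample: the hardened version, key-only login for one account.
CFG_HARDENED='Protocol 2
PubkeyAuthentication yes
PasswordAuthentication no
PermitEmptyPasswords no
AllowUsers admin
UsePrivilegeSeparation yes
Subsystem sftp /usr/sbin/sftp-server'

echo "== default config =="
audit_sshd_config "$CFG_DEFAULT" || echo "-> fix /etc/sshd_config, then: net stop sshd; net start sshd"
echo "== hardened config =="
audit_sshd_config "$CFG_HARDENED" && echo "-> ok"
# To audit the live file from the Cygwin shell:
#   audit_sshd_config "$(cat /etc/sshd_config)"
```

Turning PasswordAuthentication off means you must first generate a key pair on the client with ssh-keygen and append the public key to ~/.ssh/authorized_keys in the account’s Cygwin home on the server; test the key login before you disable passwords, or you will lock yourself out.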

Connecting to VNC through SSH
Adjust the VNC server settings.

1. Select "allow loopback connections" on the VNC server. This is needed because the tunnelled connection reaches the VNC server from its own machine (127.0.0.1), which VNC servers refuse by default. If your VNC server also offers an option to accept connections from the local machine only, enable that as well, so that VNC cannot be reached at all except through SSH.

[Screenshot: VNC server settings with "allow loopback connections" enabled]

2. On the client, create a local forwarded tunnel with the command ssh -L 5900:127.0.0.1:5900 admin@60.49.120.110 where admin is your login name on the server and 60.49.120.110 is the public IP (or dynamic DNS name) of your router. This forwards port 5900 on the client (the default VNC port; if you changed it, use your value instead) through the SSH connection to port 5900 on the server. The 127.0.0.1 in the middle is interpreted on the server side, which is why the loopback interface address (that’s 127.0.0.1 to you) must be used. No -p option is needed since sshd listens on the default port 22; -p is the SSH server’s port, not VNC’s.

Connect to the VNC server over the SSH tunnel
To complete the procedure, start the VNC viewer on the client and point it at 127.0.0.1:5900 (display 127.0.0.1:0 in VNC’s own notation). At this point the connection is forwarded from the client machine to the VNC server over SSH and you should receive the VNC authentication prompt. All network traffic is transparently encrypted by the SSH tunnel.
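The following shell example is added here and is not from the original article: it builds the ssh command for the tunnel with the options a practitioner would add, and classifies netstat -an output (Windows column layout assumed) to confirm that sshd is reachable while VNC listens on loopback only, which is the state the two steps above are meant to produce. The login admin, the router address 60.49.120.110 from the article and the two netstat samples are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original article. Assumptions: SSH login "admin",
# router address 60.49.120.110 (use your own IP or dynamic DNS name), sshd on
# port 22, VNC on 5900, and Windows "netstat -an" columns
# Proto / Local Address / Foreign Address / State.

# tunnel_cmd BIND_ADDR LOCAL_PORT USER HOST REMOTE_PORT
# Prints the ssh command line for the client. The bind address is restricted
# to loopback: "-L 0.0.0.0:5900:..." (or the -g flag) would let any host on
# the client's LAN use the tunnel, and so reach your VNC login prompt.
tunnel_cmd() {
    case "$1" in
        127.0.0.1|localhost) ;;
        *) echo "refusing bind address $1: the tunnel entrance must be loopback" >&2; return 1 ;;
    esac
    # -N: open the forward without a remote shell.
    # ExitOnForwardFailure=yes: if local port 5900 is already in use, ssh
    # exits instead of connecting silently with no tunnel (the viewer would
    # then talk to whatever else listens on 5900, not to your server).
    # The 127.0.0.1 after the local port is resolved on the SERVER: sshd
    # connects to the VNC server's own loopback, hence "allow loopback".
    printf 'ssh -N -o ExitOnForwardFailure=yes -L %s:%s:127.0.0.1:%s %s@%s\n' \
        "$1" "$2" "$5" "$3" "$4"
}

# listen_scope NETSTAT_TEXT PORT
# Classifies who can reach a listening TCP port on the machine netstat ran on:
#   loopback  only 127.0.0.1 listens (reachable through the tunnel only)
#   public    0.0.0.0 or a LAN/WAN address listens (reachable directly)
#   none      nothing listens on that port
listen_scope() {
    addrs=$(printf '%s\n' "$1" | awk -v re=":$2\$" \
        '$1 == "TCP" && $4 == "LISTENING" && $2 ~ re { sub(re, "", $2); print $2 }')
    [ -n "$addrs" ] || { echo none; return 0; }
    for a in $addrs; do
        case "$a" in
            127.0.0.1) ;;
            *) echo public; return 0 ;;
        esac
    done
    echo loopback
}

# check_server NETSTAT_TEXT
# The state this article aims for: sshd reachable on 22 (then forwarded by
# the router) and VNC on loopback only. Returns 1 if either is off.
check_server() {
    bad=0
    ssh_scope=$(listen_scope "$1" 22); vnc_scope=$(listen_scope "$1" 5900)
    [ "$ssh_scope" = public ] || { echo "sshd is not listening on port 22 for remote clients ($ssh_scope)"; bad=1; }
    [ "$vnc_scope" = loopback ] || { echo "VNC port 5900 is '$vnc_scope': it should listen on 127.0.0.1 only, or be blocked by the firewall"; bad=1; }
    return $bad
}

# Constructed sample of "netstat -an" on a correctly configured server.
NETSTAT_GOOD='  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:22             0.0.0.0:0              LISTENING
  TCP    127.0.0.1:5900         0.0.0.0:0              LISTENING
  TCP    192.168.1.10:139       0.0.0.0:0              LISTENING'

# Constructed sample where VNC listens on every interface: with port 5900
# forwarded at the router this is the exposed, pre-SSH setup the article warns about.
NETSTAT_BAD='  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:22             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:5900           0.0.0.0:0              LISTENING'

tunnel_cmd 127.0.0.1 5900 admin 60.49.120.110 5900
check_server "$NETSTAT_GOOD" && echo "server binding looks right"
check_server "$NETSTAT_BAD" || echo "fix the VNC binding before forwarding anything"
# On the real server (Cygwin shell): check_server "$(netstat -an)"
```

Run the printed ssh command on the client and leave it open; in a second window start the VNC viewer against 127.0.0.1:5900. The netstat check belongs on the server: if port 5900 comes back as public and your router forwards it, you are still running plain VNC on the Internet regardless of the tunnel.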

Troubleshooting Checklist
Since this involves multiple setups and an unusually long guide, here is a brief troubleshooting checklist should you run into problems. Each step isolates one layer, so work through them in order.

1) If you can SSH from the server to itself (ssh to 127.0.0.1 on the server), the SSH server is functioning.
2) If you can SSH from another computer on the LAN to the server, the server’s IP, firewall exception and LAN connection are functioning.
3) If you can SSH from a computer on the WAN (i.e. on the other side of the NAT router) to your SSH server, then you know the router’s port forwarding is working.

The same rules apply to VNC.

Securing UltraVNC is much easier but that’s for another article. :)


