# How to stop vnc attacks?

## urcindalo

Hi and thanks for reading this.

I use KDE (stable, 3.4.3) on AMD64, and I always have the option to use KDE's vnc server (krdc) without a previous invitation turned on. The ports are always open and a password is set.

I've noticed that today, as well as yesterday, I've been suffering repeated attempts to access my computer through vnc, since I've seen a lot of messages from krdc of the "the remote user has closed connection" type, with a 4 or 5 second interval between them.

I use metalog as syslogger but I don't know where to look for the corresponding logs. My questions are:

1) Where to look for the logs showing these attempts?

2) Which would be the best way to reject those attempts without restricting my vnc access to the machine? Please note I'm perhaps the most newbie person regarding security, so please don't assume any previous knowledge on my part.

I've been browsing some threads about port knocking and the like, but I think that's too much trouble to get what I want. I found fail2ban in portage, and have installed it to prevent the ssh attacks I was also suffering. Is there any way I could use fail2ban to also ban the IPs trying to get vnc access?

Thanks very much in advance.

By the way, to get fail2ban installed and working I had to install iptables. I added both to my default run level with rc-update, and set my iptables rules to the ones below, following a guide from gentoo-wiki:

```
# Generated by iptables-save v1.3.4 on Wed Mar 22 22:31:27 2006
*raw
:PREROUTING ACCEPT [46975:14020864]
:OUTPUT ACCEPT [39597:4677724]
COMMIT
# Completed on Wed Mar 22 22:31:27 2006
# Generated by iptables-save v1.3.4 on Wed Mar 22 22:31:27 2006
*nat
:PREROUTING ACCEPT [1634:298393]
:POSTROUTING ACCEPT [593:47528]
:OUTPUT ACCEPT [593:47528]
COMMIT
# Completed on Wed Mar 22 22:31:27 2006
# Generated by iptables-save v1.3.4 on Wed Mar 22 22:31:27 2006
*mangle
:PREROUTING ACCEPT [46975:14020864]
:INPUT ACCEPT [46658:13963678]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [39597:4677724]
:POSTROUTING ACCEPT [39812:4711878]
COMMIT
# Completed on Wed Mar 22 22:31:27 2006
# Generated by iptables-save v1.3.4 on Wed Mar 22 22:31:27 2006
# The following comes from http://gentoo-wiki.com/HOWTO_Iptables_for_newbies
# I commented out these originals:
#*filter
#:INPUT ACCEPT [46658:13963678]
#:FORWARD ACCEPT [0:0]
#:OUTPUT ACCEPT [39597:4677724]
# to set this as the wiki says (I changed INPUT and OUTPUT)
*filter
#:INPUT ACCEPT [5:952]
:INPUT ACCEPT [5:5903]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [1192099:595387635]
#:OUTPUT ACCEPT [137:595387635]
# accept all from localhost
-A INPUT -s 127.0.0.1 -j ACCEPT
# Seminar's computer. It is safe.
-A INPUT -s 150.214.212.13 -j ACCEPT
-A OUTPUT -s 150.214.212.13 -j ACCEPT
# accept all previously established connections
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# ssh
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
# ftp / webserver related
-A INPUT -p tcp -m state --state NEW -m tcp --dport 20 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 21 -j ACCEPT
#-A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
#-A INPUT -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT
# Windows / Samba
-A INPUT -p tcp -m state --state NEW -m tcp --dport 137:139 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 426 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 445 -j ACCEPT
# VNC (These 6 rules are mine)
-A INPUT -p tcp -m state --state NEW -m tcp --dport 5900:5902 -j ACCEPT
-A INPUT -p udp -m state --state NEW -m udp --dport 5900:5902 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 5800:5802 -j ACCEPT
-A INPUT -p udp -m state --state NEW -m udp --dport 5800:5802 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 5500:5502 -j ACCEPT
-A INPUT -p udp -m state --state NEW -m udp --dport 5500:5502 -j ACCEPT
# reject everything else
-A INPUT -j REJECT --reject-with icmp-port-unreachable
COMMIT
# Completed on Wed Mar 22 22:31:27 2006
```

----------

## Voltago

ad 2) The easiest way is to use a non-standard port for your VNC server; this will thwart unsophisticated automated attacks. Perhaps you can restrict the IP range from which you can connect to your VNC port in your iptables setup.
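As an added example (not code from the thread or from any of its posters), the script below audits a ruleset in the iptables-save format posted above and shows the effect of Voltago's suggestion: it lists every INPUT rule that lets any host on the Internet open a NEW connection, first for a constructed dump abbreviated from urcindalo's rules, then for the same dump with the VNC rules restricted to the trusted host 150.214.212.13 already named in those rules.

```python
import re

# Constructed sample, abbreviated from the ruleset posted above: the VNC
# ports accept NEW connections from any source (no -s match at all).
WEAK_DUMP = """\
*filter
:INPUT ACCEPT [0:0]
-A INPUT -s 127.0.0.1 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 5900:5902 -j ACCEPT
-A INPUT -p udp -m state --state NEW -m udp --dport 5900:5902 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-port-unreachable
COMMIT
"""

# Same ruleset with the source restriction applied: RFB (VNC) is TCP only,
# and the single VNC port is reachable solely from the trusted host named
# in the posted rules; everything else still falls through to REJECT.
HARDENED_DUMP = WEAK_DUMP.replace(
    "-A INPUT -p tcp -m state --state NEW -m tcp --dport 5900:5902 -j ACCEPT\n"
    "-A INPUT -p udp -m state --state NEW -m udp --dport 5900:5902 -j ACCEPT\n",
    "-A INPUT -s 150.214.212.13 -p tcp -m state --state NEW -m tcp --dport 5900 -j ACCEPT\n",
)

# An INPUT ACCEPT rule on a destination port, with an optional -s source match.
RULE_RE = re.compile(
    r"^-A INPUT(?: -s (?P<src>\S+))? -p (?P<proto>\w+) .*--dport (?P<ports>\S+) -j ACCEPT$"
)

def accepted_ports(dump):
    """Map 'proto/ports' -> source restriction (None = whole Internet) for
    every INPUT ACCEPT rule on a destination port in the *filter table."""
    table, result = None, {}
    for line in dump.splitlines():
        line = line.strip()
        if line.startswith("*"):
            table = line[1:]            # iptables-save table header, e.g. *filter
        elif table == "filter" and (m := RULE_RE.match(line)):
            result[f"{m['proto']}/{m['ports']}"] = m["src"]
    return result

def world_open(dump):
    """Ports that any host on the Internet may open a NEW connection to."""
    return sorted(k for k, src in accepted_ports(dump).items() if src is None)

if __name__ == "__main__":
    print("weak     :", world_open(WEAK_DUMP))      # includes tcp/5900:5902
    print("hardened :", world_open(HARDENED_DUMP))  # only tcp/22 remains
```

Run it against `iptables-save` output from your own machine to see which services are reachable from everywhere; with the posted rules, ssh (22) would still show up, which is what fail2ban is covering.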

----------

## urcindalo

*Voltago wrote:*

> ad 2) The easiest way is to use a non-standard port for your VNC server, this will thwart unsophisticated automated attacks. Perhaps you can restrict the IP range from which you can connect to your VNC port in your iptables setup.

Thanks.

How can I set up non-standard ports and forward them to the vnc server? Please note I'm a complete newbie when it comes to security and networking.

----------

## Voltago

http://docs.kde.org/development/en/kdenetwork/krfb/krfb-configuration.html

Try a port outside the [5900:5999] range and you should be quite safe.

EDIT: Just happened to see this:

http://utah-gentoo.org/article.php?story=2006030111575620

----------

## urcindalo

*Voltago wrote:*

> http://docs.kde.org/development/en/kdenetwork/krfb/krfb-configuration.html
> 
> Try a port outside the [5900:5999] range and you should be quite safe.
> 
> EDIT: Just happened to see this:
> ...

Thanks for your help. I have installed blacklist.py. However, I'm still very interested in changing the port, since the script only blocks ssh and ftp attacks. According to this from the first link you provide:

*Quote:*

> If you deselect the Assign port automatically checkbox, you can specify a particular port. Specifying a particular port may be useful if you are using port-forwarding on the firewall. Note that if Service Location Protocol is turned on, this will automatically deal with identifying the correct port.

it seems I need either to forward the port internally to 5900, or use a "Service Location Protocol". I'm completely new to iptables (in fact, I installed it over the weekend as part of blacklist.py) and my knowledge about it is close to zero. How can I proceed either way? Can anyone help me? Thanks in advance.

----------

