# How secure is VNC?

## Lonely-Star

Hi everybody,

I just discovered VNC and I really like it!

But if I use it, I will use it over the internet, and the question is how secure that is. Are there any security concerns running a public VNC server?

Thanks

----------

## garn

VNC is not secure. The password is challenge/response, so you don't need to worry about someone getting your VNC password by sniffing; however, the actual RFB (remote framebuffer) part of it is not encrypted by any means, so anyone can see what you see and could theoretically hijack your session.

The recommended method of securing it is to tunnel via SSH. To do this you can run

```
ssh user@host -L5900:localhost:5900
```

(5900 if you are on display 0, 5901 for display 1, etc.)

Then run VNC to localhost. If you are VNC'ing from Windows boxes you can still tunnel using PuTTY.

Let me know if this explanation was too brief or unclear.

----------

## neuron

Quick VNC question: has anyone gotten VNC working "the other way"? I've got a box behind a firewall.

So I'm doing:

```
ssh -R 15900:192.168.0.1:15900 remote_server -l username -N
```

On the remote server VNC is listening on port 15900, but I can't seem to connect.

(I get "connection closed by VNC server" or something like that.)

(Note the ssh is Cygwin on a friend's box on a .edu, connecting to my Linux server.)

----------

## Lonely-Star

Thx! The putty solution works perfectly.

----------

## grant.mcdorman

 *neuron wrote:*   

> Quick VNC question: has anyone gotten VNC working "the other way"? I've got a box behind a firewall.
> 
> so I'm doing:
> 
> ssh -R 15900:192.168.0.1:15900 remote_server -l username -N
> ...

 

Why are you using 15900? VNC server ports are in the range 5900 to 5999. I'd expect to use

```
ssh -R 5900:192.168.0.1:5900 remote_server
```

----------

## funkmankey

Or you can tunnel X through SSH, and run vncviewer as well as vncserver "locally" on the remote machine...

Personal preference, similar result.

----------

## neuron

 *grant.mcdorman wrote:*   

>  *neuron wrote:*   Quick VNC question: has anyone gotten VNC working "the other way"? I've got a box behind a firewall.
> 
> so I'm doing:
> 
> ssh -R 15900:192.168.0.1:15900 remote_server -l username -N
> ...

 

It's on port 15900; it's a WinVNC I'm trying to connect to, configured to that port.

Either way, I figured it out. It seems the problem is when I try to do it again (i.e. vnc -> ssh -> box -> ssh -> vnc); I'm going to have to do some different tunnelling, as it was only for some testing (it would be a bottleneck anyway).

----------

## garn

When you are connecting to VNC, the port is NOT specified with a colon. I.e. vncviewer localhost:1 does not go to port 1 but to 5900+1; vncviewer localhost defaults to display 0, as in 5900+0.

So are you sure it's using 15900? If it indeed is, then you'll have to use your port map to change it to 5900, i.e.:

```
-R 5900:foobar:15900
```

----------

## neuron

Well, it works perfectly if I correct it like that manually.

If you use vncviewer host:1 then it's port+<num>, but not if you use vncviewer host::<port>.

(Notice the two colons.)

----------

## fimblo

I use VNC all the time, and I normally can't be bothered to create a separate tunnel. Instead, I use the -via parameter for the vncviewer command, like so:

```
vncviewer -via my.host.com :1
```

By using the -via param your vncviewer uses SSH to tunnel on its own.

Assuming that sshd and vncserver are running on default ports, this works well!

----------

## allan_q

I think the -via option is unique to the TightVNC package. It does come in handy though, especially if you're using RSA auth for SSH. I would just type

```
vncviewer -via sshgateway vnchost
```

and VNC will establish a connection with the sshgateway and connect to the vnchost. I'll just get the VNC password prompt.

Check out TightVNC (ebuild in Portage). It has some nice features such as compressing the display so it's more responsive on modem links. You can choose different levels. For example

```
vncviewer -quality 0 -compresslevel 9 vnchost
```

is what I normally use on modem connections. The requirement is that you need a TightVNC client connecting to a TightVNC server. It's compatible with regular VNC; you just don't get the compression and quality settings.

----------

## grant.mcdorman

 *allan_q wrote:*   

> I think the -via option is unique to the tightvnc package.

 

That's correct. The main branch of VNC, RealVNC, does not support the -via or -tunnel options.

 *allan_q wrote:*   

> Check out TightVNC (ebuild in portage). It has some nice features such as compressing the display so it's more responsive on modem links. You can choose different levels.

 

The RealVNC team has introduced a new compression style, ZRLE, in the recent stable releases (v. 3.3.4 and later, in portage as vnc) which they claim is just as efficient as TightVNC over slow links. The RealVNC viewer also will, by default, dynamically select the compression style when you connect (based on the throughput to the remote host). This feature is not provided by TightVNC.

RealVNC also has a beta of a new version in the works (version 4). For details on it look here. This is not in portage (at least not yet).

----------

## st. anger

Hi all,

After struggling for some time with VNC over SSH, I finally got it to work. The problem was that my box is behind a firewall/router and I did not have port 5901 forwarded to the VNC server. I was under the assumption that all the traffic was "tunnelled" through SSH (including the port itself, if that makes any sense), so why the need to have 5901 open on my firewall? Well, now that I've correctly forwarded that port, I am able to connect to localhost::5901 from a Windows box with the TightVNC viewer and PuTTY.

So, was I correct in assuming that, or do forwarded ports need to be open on the target machine in order for it to work?

----------

## grant.mcdorman

 *st. anger wrote:*   

> hi all,
> 
> After struggling for some time with VNC over SSH, I finally got it to work. The problem was that my box is behind a firewall/router and I did not have port 5901 forwarded to the VNC server. I was under the assumption that all the traffic was "tunnelled" through SSH (including the port itself, if that makes any sense), so why the need to have 5901 open on my firewall? Well, now that I've correctly forwarded that port, I am able to connect to localhost::5901 from a Windows box with the TightVNC viewer and PuTTY.
> 
> So, was I correct in assuming that, or do forwarded ports need to be open on the target machine in order for it to work?

No, if you've properly set up the ssh, you do not open 590x on the firewall; the VNC traffic is indeed tunnelled.

There are instructions [http://www.uk.research.att.com/archive/vnc/sshvnc.html] on using SSH tunnelling with VNC at the RealVNC web site [www.realvnc.com].

----------

## st. anger

Thanks, but I've read those instructions already, and they work for me if I'm connecting from within my LAN, but not if I try through my router/firewall. The instructions do not mention anything about a firewall or the need to have the 59xx ports tunnelled or open, but as soon as I forward port 5901 from my router/firewall to my VNC server all works fine.

I think I know what the problem is:

When I use ssh to forward the local 5901 port it is being forwarded to the router's 5901 instead of the VNC server which is behind the router (duh). That's why I have to forward from router to VNC server.

----------

## codeine

It is possible to sniff out everything running on OpenSSH!

Just try it using ettercap; the attack is called MITM (man-in-the-middle).

ssh2 is secure, but not for free ;]

----------

## grant.mcdorman

 *st. anger wrote:*   

> Thanks, but I've read those instructions already, and they work for me if I'm connecting from within my LAN, but not if I try through my router/firewall. The instructions do not mention anything about a firewall or the need to have the 59xx ports tunnelled or open, but as soon as I forward port 5901 from my router/firewall to my VNC server all works fine.
> 
> I think I know what the problem is:
> 
> When I use ssh to forward the local 5901 port it is being forwarded to the router's 5901 instead of the VNC server which is behind the router (duh). That's why I have to forward from router to VNC server.

Is your ssh daemon running on the router? If so, then you'll have to modify the forwarding command. Specifically, instead of:

```
ssh -L 5901:localhost:5901 firewallname
```

you will enter 

```
ssh -L 5901:internal_host_name:5901 firewallname
```

The reason is that the hostname on the -L is relative to where the ssh daemon is, so the VNC example doesn't work if you are not connecting to a VNC server on the ssh daemon host.
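As an added example, not code posted by anyone in this thread, the POSIX shell helpers below build the ssh commands discussed above (garn's -L recipe, neuron's -R reverse tunnel, and the variant needed when the VNC server is not the SSH host) from a VNC display spec, so that the host:N versus host::port distinction and the side on which the forwarded host name is resolved are both explicit. The host names gateway, internal_host_name and remote_server are placeholders; the only facts the code relies on are OpenSSH's -L/-R syntax and the RFB rule that display N listens on TCP 5900+N. TightVNC's -via option sets up the same kind of -L forward for you.

```shell
#!/bin/sh
# Added example for this thread (not code posted by anyone in it).
# Builds the ssh commands discussed above from a VNC display spec.
# Assumptions: OpenSSH client syntax for -L/-R; the RFB convention that
# display N listens on TCP 5900+N; the host names gateway,
# internal_host_name and remote_server are placeholders, not real machines.

# vnc_port SPEC -> prints "host port"
#   host:N     display N        -> port 5900+N
#   host::P    explicit port P  -> port P
#   host       display 0        -> port 5900
# An empty host means localhost. Returns 1 on a non-numeric display/port.
vnc_port() {
    _spec=$1
    case $_spec in
        *::*) _host=${_spec%%::*}; _num=${_spec##*::}; _base=0    ;;
        *:*)  _host=${_spec%%:*};  _num=${_spec##*:};  _base=5900 ;;
        *)    _host=$_spec;        _num=0;             _base=5900 ;;
    esac
    case $_num in
        ''|*[!0-9]*) echo "vnc_port: bad display/port in '$_spec'" >&2; return 1 ;;
    esac
    [ -n "$_host" ] || _host=localhost
    printf '%s %s\n' "$_host" "$((_base + _num))"
}

# vnc_tunnel_cmd GATEWAY SPEC [LOCALPORT]
# Local forward, i.e. the "ssh -L" recipe. The host in SPEC is resolved by
# sshd on GATEWAY, not on your machine: when the VNC server is a different
# box behind the gateway, name that box here rather than localhost.
# Binding to 127.0.0.1 keeps the forwarded port off your LAN interface, and
# ExitOnForwardFailure makes ssh fail loudly if the local port is already
# taken instead of silently leaving you with a session but no tunnel.
vnc_tunnel_cmd() {
    _gw=$1
    _hp=$(vnc_port "$2") || return 1
    _host=${_hp% *}; _rport=${_hp#* }
    _lport=${3:-$_rport}
    printf 'ssh -N -o ExitOnForwardFailure=yes -L 127.0.0.1:%s:%s:%s %s\n' \
        "$_lport" "$_host" "$_rport" "$_gw"
}

# vnc_reverse_cmd REMOTE SPEC [REMOTE_LISTEN_PORT]
# Reverse forward for the NATed case: ssh out to REMOTE and have REMOTE
# listen. Here the host in SPEC is resolved on the side that runs ssh (the
# NATed network), the mirror image of -L. The optional third argument is
# the port REMOTE listens on, so a WinVNC on 15900 can be exposed as 5900.
vnc_reverse_cmd() {
    _remote=$1
    _hp=$(vnc_port "$2") || return 1
    _host=${_hp% *}; _port=${_hp#* }
    _listen=${3:-$_port}
    printf 'ssh -N -o ExitOnForwardFailure=yes -R 127.0.0.1:%s:%s:%s %s\n' \
        "$_listen" "$_host" "$_port" "$_remote"
}

# Demonstration: prints the commands, opens nothing.
echo "# VNC server on the SSH host itself, display 1:"
vnc_tunnel_cmd gateway localhost:1
echo "# VNC server is internal_host_name, a different box behind the SSH host:"
vnc_tunnel_cmd gateway internal_host_name:1
echo "# WinVNC on 192.168.0.1:15900 behind NAT, exposed on remote_server:5900:"
vnc_reverse_cmd remote_server 192.168.0.1::15900 5900
echo "# then, on the machine that ran ssh -L:  vncviewer localhost:1"
```

Once the tunnel is up, confirm it is doing the work: ss -ltn (or netstat -an) on the viewer side should show the local port bound to 127.0.0.1 only, and the VNC server's 59xx port must not need to be opened on the firewall, which is exactly the point made above.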

----------

## st. anger

 *grant.mcdorman wrote:*   

>  *st. anger wrote:*   Thanks, but I've read those instructions already, and they work for me if I'm connecting from within my LAN, but not if I try through my router/firewall. The instructions do not mention anything about a firewall or the need to have the 59xx ports tunnelled or open, but as soon as I forward port 5901 from my router/firewall to my VNC server all works fine.
> 
> I think I know what the problem is:
> 
> When I use ssh to forward the local 5901 port it is being forwarded to the router's 5901 instead of the VNC server which is behind the router (duh). That's why I have to forward from router to VNC server. Is your ssh daemon running on the router? If so, then you'll have to modify the forwarding command. Specifically, instead of:
> ...

 

No, that's the problem: sshd is also running on the same machine as the vncserver. The router is a small D-Link unit.

And also, I am using PuTTY to connect with; how can I implement those forwarding commands using PuTTY?

----------

## grant.mcdorman

 *st. anger wrote:*   

> no, that's the problem, sshd is also running on the same machine as the vncserver. the router is a small D-Link unit.
> 
> and also, I am using putty to connect with, how can I implement those forwarding commands using putty?

Did you read the VNC SSH on Windows instructions [http://www.uk.research.att.com/archive/vnc/sshwin.html]? From there: *Quote:*   

> As far as the Windows client is concerned, Bob goes in the "host name" entry field. The other three items (5954, Charlie, 5904) should be inserted in the dialog box that pops up when you press the "local forwards" button, as "local port", "host" and "remote port" respectively, making up one line of the "forwarded ports" listbox.

That is, using my examples above, you'd put firewallname in the host name field, and, in the local forwards window, 5901 in the two port fields, and internal_host_name in the host field.

You then connect your VNC viewer to localhost:1, and everything should work without the port forwarding.

Your need for port forwarding sounds very much like you are not passing the VNC traffic through the SSH tunnel.

----------

## st. anger

Well, that's using the other SSH utility for Windows, not PuTTY like I am using.

The reason I'm using PuTTY is that the other one seems discontinued. I'll try with that one and let you know how it works. In the meantime, I'm happily using PuTTY from Windows and connecting just fine with the 5901 port forwarding.

I'm pretty confident that all is being tunnelled through SSH.

Thanks a lot for your help.

----------

## grant.mcdorman

 *st. anger wrote:*   

> well, thats using the other ssh utility for windows, not putty like i am using.
> 
> the reason im using putty is the other one seems discontinued. ill try with that one and let you know how it works. in the mean time, im happily using putty from windows and connecting just fine with the 5901 port forwarding.
> 
> im pretty confident that all is being tunnelled thru ssh.
> ...

I wasn't aware of that; however I do have PuTTY here, so I went and checked it out for you.

First, you have to drill down to Connections|SSH|Tunnels. In the panel that comes up when you select that, enter 5901 in the Source Port field and vnc_server_host:5901 in the destination field, and make sure that Local is selected (changing vnc_server_host to the actual host name, of course). It'll look like this:

![PuTTY tunnel settings, values typed in](http://www3.sympatico.ca/grant.mcdorman/image-typein-1.jpg)

Then press Add; you should see this:

![PuTTY tunnel settings after pressing Add](http://www3.sympatico.ca/grant.mcdorman/entered-data.jpg)

Then go back to the main panel (Session) and make the connection as usual; after that you can use localhost:5901 for your VNC viewer to connect to the server.

You can, of course, save the session if you use this regularly.

----------

## st. anger

Wow! I actually tried exactly what you said just before I came back to reply here. I was putting the router's IP in the forward box instead of the VNC server's IP because, well, I guess I wasn't thinking clearly.

It occurred to me that the SSH connection is already happening from the first tab in PuTTY, then the port forwarding is actually happening after the SSH connection takes place, so I can put the VNC server's IP there. I was thinking that since the VNC server is behind a firewall (not a public IP) it couldn't be forwarded there, but now I understand how it works.

Well, thanks a lot! You were absolutely right about the 59xx forwarding being unnecessary. Although I'm pretty confident that the tunnelling was taking place, it really defeats the purpose of the firewall to leave that port open.

thanks again.

----------

## grant.mcdorman

Glad to be of help, st. anger.

----------

## paranode

Actually, as far as the PuTTY and Windows thing goes, I had to use localhost:5901 in the PuTTY tunnel configuration instead of vncserver:5901. That's how it worked for me.

----------

