Can someone repeatedly try connecting to server?

Fred fma "at" doe.carleton.ca
Sat, 09 Mar 2002 18:04:12 +0000


Hi,

I was just telling someone that without ssh, VNC is
not secure, but no less secure than a telnet or
hummingbird session.  Then I thought about it
and realize that maybe it isn't even that secure.
When trying to log onto a unix box via some
nonVNC way, the person can only try so many
times before something happens (I'm not sure
what, but I think the user is locked out, or there
is a log of the multiple failed attempts).  I don't
feel like testing my system administrator's
patience by experimenting.  Is there a way to
prevent an attacker from repeatedly trying to
connect to a vnc server?  Unless the number
of failed attempts are limited, someone could
probably write a script to run through randomly
generated passwords until a connection is made.
Of course, he/she must know the display number
to properly specify the server, but if VNC becomes
popular, a user with an account on the same
system can easily query the system to find what
VNC processes are running, as well as their
corresponding display numbers AND process
owners.  That goes a long way towards being
able to make repeated attempts to connect.

Fred

--------------------------------------------------------------------------
Fred Ma
Department of Electronics
Carleton University, Mackenzie Building
1125 Colonel By Drive
Ottawa, Ontario
Canada     K1S 5B6
fma "at" doe.carleton.ca
==========================================================================
---------------------------------------------------------------------
To unsubscribe, mail majordomo "at" uk.research.att.com with the line:
'unsubscribe vnc-list' in the message BODY
See also: http://www.uk.research.att.com/vnc/intouch.html
---------------------------------------------------------------------