myron_in_da_house "at" yahoo.co.uk
Mon Jun 28 00:04:00 2004
If you're using Windows, let alone any server, consider using a Virtual Private Network and a VPN appliance. Actually, you have to be crazy to let a VNC server be visible on the Internet.
For the company I work for, whose I.T. systems I manage, I first establish a connection by VPN using a guest account to log in, which grants me access to the network. I then have to supply a different password to the VNC server I wish to access, and every VNC server has a different password, not vulnerable to a dictionary attack. If I need to authenticate to the servers as an administrator, that is yet another user name and password.
Intrusion detection is also enforced. Try too many times to connect to the VPN by brute force and an account lockout triggers. You then have to leave the account being attacked alone for a period of time for the lockout to be automatically released.
Back to VNC: there needs to be a login lockout implemented on the VNC server. It's simple to do (I don't have the time to code it in) and a puzzle why it's never been put in.
It should be configurable. For instance, after two bad password attempts the VNC server would then give a bad password response even if the password is correct, and you would have to leave the VNC server alone for, say, 3 minutes before the lockout is released and another two attempts are allowed.
A simple login lockout like this would give a hacker an interesting challenge as it would then take a VERY long time to guess a password, so would it be worth it? The owner of the computer operating VNC server would know very long before anything got cracked that there was a hack attack in progress.
Sorry to have to say it, but this is a lack of common sense, leaving such a simple security feature out of VNC. I would rather be locked out from signing on to VNC by a hacker than have a hacker gain access and run riot.
At 21:52 27/06/2004, "Jerome R. Westrick" <jerry "at" westrick.com> wrote:
>On Sun, 2004-06-27 at 21:33, William Hooper wrote:
>> Jon Lucas said:
>> > Dear Sirs:
>> > I would like to see a better encryption process for VNC, as I have had a
>> > hacker figure out my password schema, and actually caught him in a
>> > session of hijacking our server.
>> If someone has your password, what would better encryption get you?
>VNC-List mailing list
>VNC-List "at" realvnc.com
>To remove yourself from the list visit:
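The configurable login lockout proposed in the message above (a small number of bad attempts, then every response reads as a bad password for a cooling-off period, even when the password is right), written out as an added example in Python. This is not code from the original message or from any VNC implementation; the class names, the injectable clock, the audit event list and the password digest are assumptions made for the example, and the sample guesses and source address are constructed. The `worst_case_seconds` helper carries the message's arithmetic through: with two attempts per three minutes, an attacker gets at most 960 guesses a day, and the owner has an audit trail long before that.

```python
import hashlib
import hmac
import time
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple


@dataclass
class LockoutPolicy:
    """Tunable parameters; the message suggests 2 attempts and a 3 minute lockout."""
    max_failures: int = 2
    lockout_seconds: float = 180.0


class PasswordGate:
    """Password check wrapped in a login lockout (illustrative, not VNC's own code).

    After max_failures consecutive bad passwords the gate locks for
    lockout_seconds.  While locked, every attempt is answered as a bad
    password, even a correct one, as the message proposes.  The clock is
    injectable so the behaviour can be tested without waiting.
    """

    def __init__(self, password: str, policy: Optional[LockoutPolicy] = None,
                 clock: Callable[[], float] = time.monotonic) -> None:
        self.policy = policy or LockoutPolicy()
        self.clock = clock
        # Store only a digest of the password (illustrative; a real service
        # would use a proper password KDF rather than a bare hash).
        self._digest = hashlib.sha256(password.encode("utf-8")).digest()
        self.failures = 0
        self.locked_until: Optional[float] = None
        # Audit trail the operator can feed to monitoring: the message's point
        # is that the owner notices the attack long before a guess succeeds.
        self.events: List[Tuple[float, str, str]] = []

    def is_locked(self) -> bool:
        return self.locked_until is not None and self.clock() < self.locked_until

    def attempt(self, candidate: str, source: str = "unknown") -> bool:
        """Return True only for a correct password offered while not locked."""
        now = self.clock()
        if self.locked_until is not None:
            if now < self.locked_until:
                self.events.append((now, "rejected_during_lockout", source))
                return False  # correct or not, the answer is "bad password"
            # Lockout released: a fresh batch of attempts is allowed.
            self.locked_until = None
            self.failures = 0

        offered = hashlib.sha256(candidate.encode("utf-8")).digest()
        if hmac.compare_digest(self._digest, offered):
            self.failures = 0
            self.events.append((now, "success", source))
            return True

        self.failures += 1
        self.events.append((now, "bad_password", source))
        if self.failures >= self.policy.max_failures:
            self.locked_until = now + self.policy.lockout_seconds
            self.events.append((now, "lockout_triggered", source))
        return False


def worst_case_seconds(guesses: int, policy: LockoutPolicy) -> float:
    """Minimum wall-clock time needed to submit `guesses` wrong passwords.

    Each lockout window admits max_failures guesses; the final batch needs
    no further wait.  For 2 attempts per 3 minutes that is 960 guesses a day.
    """
    if guesses <= 0:
        return 0.0
    batches = -(-guesses // policy.max_failures)  # ceiling division
    return (batches - 1) * policy.lockout_seconds


if __name__ == "__main__":
    fake_now = [0.0]  # constructed clock so the demo runs instantly
    gate = PasswordGate("correct horse", clock=lambda: fake_now[0])
    for guess in ("password", "letmein"):  # constructed bad guesses
        print(guess, "->", gate.attempt(guess, source="203.0.113.7"))
    print("correct password while locked ->", gate.attempt("correct horse"))
    fake_now[0] = 181.0
    print("correct password after release ->", gate.attempt("correct horse"))
    print("seconds to try 1000 guesses:", worst_case_seconds(1000, LockoutPolicy()))
    print("audit events:", [e[1] for e in gate.events])
```

The failure counter is only reset by a successful login or by a lockout expiring, which is the simplest reading of the message's design; a deployment might also age out stale failures, and would key the counter per client address or per account rather than keeping one global counter.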