The 2 NIC firewall issue - again.

Tim Neto tneto "at" komatsu.ca
Tue Mar 2 23:44:01 2004


Hello,

I have browsed through the list with multiple queries.  All seem to have 
the same conclusion.  Nothing to be done about the fact that port 6001 
(and up if multiple instances are started) is left open for connection 
on all network interfaces.

One of my UNIX firewall servers was hacked over the weekend.  I'm not 
saying VNC was the door the intruder used.   I have restored a backup 
image, and then have tightened the server down further.   I now have the 
server closed but for 3 ports with VNC off and 4 ports with VNC on.  The 
ports are 21, 23 and 80; with VNC on, port 6001 is also open.   Using telnet 
to hack at the ports, 21, 23, and 80 close immediately.  Port 6001 stays 
open for a while and then closes.  In that time I'm concerned that the 
X11 service at port 6001 is vulnerable to a buffer overflow attack.   I'm 
not a network newbie, nor am I a network "expert"; but there must be a 
way to get the VNC service to listen only on one interface.

In reading through the mailing list archive and the FAQs, I'm now 
starting the VNC service as:

        vncserver -interface <internal-ip-address>

I took the effort to download the 3.3.7 source code.   There are two 
source files that refer to port 6000.   I suspect the code could be 
modified to force the X11 server to listen on only the address specified 
by the "-interface" parameter.    The source information is:

                  Version: 3.3.7
                  UNIX source.

                  File: Xvnc/programs/Xserver/hw/vnc/init.c
                  Function: CheckDisplayNumber
                  Line: 695
                  Fragment:  addr.sin_addr.s_addr = htonl(INADDR_ANY);

                  File: Xvnc/lib/xtrans/Xtransam.c
                  Function: MakeAmConnection
                  Line: 470
                  Fragment:  tcpconf.nwtc_remaddr = ipaddr;
                     ipaddr comes from phostname which is passed into 
this function.

Could someone from the VNC software development team point me in the correct 
place to force VNC's X11 to listen on one network interface in a 
multiple-interfaced host?   Or, better yet, post a patch or updated 
version of VNC that really addresses the issue.

For now though, VNC only gets started when it is actually needed.

Thank you.

Tim

-- 
----------------------------------------------------------------------
Timothy E. Neto
 Computer Systems Engineer              Komatsu Canada Limited
 Ph#: 905-625-6292 x265                 1725B Sismet Road
 Fax: 905-625-6348                      Mississauga, Ontario, Canada
 E-Mail: tneto "at" komatsu.ca               L4W 1P9
----------------------------------------------------------------------
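The change the post asks for, binding the X11 listener to the address given by "-interface" instead of INADDR_ANY, as an added C example that is not Xvnc code from init.c or from the VNC developers. make_listen_addr, open_listener and bound_address are illustrative names; passing NULL reproduces the original all-interfaces behaviour, and bound_address is the same check netstat -an would give after such a change.

```c
/* Added example (not Xvnc code): bind a listener to one interface instead
 * of INADDR_ANY, the change the post asks for in init.c. Names are illustrative. */
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdint.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* iface == NULL keeps the original INADDR_ANY (all interfaces); otherwise
 * only that IPv4 address. Returns 0, or -1 if iface is not a valid address. */
int make_listen_addr(const char *iface, int port, struct sockaddr_in *out)
{
    memset(out, 0, sizeof *out);
    out->sin_family = AF_INET;
    out->sin_port = htons((uint16_t)port);          /* e.g. 6001 for display :1 */
    if (iface == NULL) {
        out->sin_addr.s_addr = htonl(INADDR_ANY);   /* the fragment quoted above */
        return 0;
    }
    /* inet_pton rejects malformed input rather than returning INADDR_NONE */
    return inet_pton(AF_INET, iface, &out->sin_addr) == 1 ? 0 : -1;
}

/* socket + bind + listen on the chosen address; returns the fd or -1. */
int open_listener(const char *iface, int port)
{
    struct sockaddr_in addr;
    int fd;
    if (make_listen_addr(iface, port, &addr) != 0 ||
        (fd = socket(AF_INET, SOCK_STREAM, 0)) < 0)
        return -1;
    if (bind(fd, (struct sockaddr *)&addr, sizeof addr) != 0 || listen(fd, 5) != 0) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Report the address the kernel actually bound (what netstat -an shows). */
int bound_address(int fd, char *buf, size_t len)
{
    struct sockaddr_in a; socklen_t al = sizeof a;
    if (getsockname(fd, (struct sockaddr *)&a, &al) != 0) return -1;
    return inet_ntop(AF_INET, &a.sin_addr, buf, len) ? 0 : -1;
}
```

With the internal address passed in, a connection attempt to port 6001 on the external interface is refused at the kernel, so nothing of the X11 code is reachable from that side.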