Using VNC (More) Securely...
Peter Bunn
bunnz "at" mhtc.net
Fri Aug 15 21:08:02 2008
Hello again:
I'm very grateful for all the suggestions I received from my last post,
but still have not implemented an SSH tunnel or a 'Hamachi-like' solution.
What I *have* done - until I adopt a more secure tunnel of some sort...
until I'm comfortable adding another layer of complexity to the
connection - is the following:
(Recall that the operable VNC port is always open and the VNC server
always running in Service Mode when the computer is on... presently only
about 6-12 hours per week.)
- Set the VNC server port to something non-standard in the 5-digit range.
- Closed the HTTP 'outgoing' port.
- Obfuscated the description of the listening service in the ICF firewall.
- Limited permitted access to the subnet block (abc.xyz.0.0) that my own
ISP assigns me when I dial up to the Internet.
- Slightly strengthened the 8-character password that the free version of
RealVNC allows.
-----
At this point, with my very limited knowledge of how an open port exploit
might be achieved, I'm thinking a hacker must go through (roughly) this
process to do something nasty:
- Randomly (or purposefully) scan the IP address and find an open port.
- Guess the nature of the listening service (if it isn't explicitly
reported by his scanning software).
- Spoof the IP address to mimic an address within the permitted access
subnet (as above).
- Break the 'non-dictionary' 8-character password.
-----
I guess I would ask first if I'm (roughly) correct in my thinking... and
then ask how easy it would be to achieve the sequence of steps in the
hack.
At the moment, I'm actually less concerned about an unencrypted VNC
session than I am about the 'everyday' vulnerability of the open port and
the always-on VNC server... the latter two being (almost) necessary for
reliable access to my Father's computer.
My Dad does little or no web commerce, has little or no sensitive data on
his computer (that I'm aware of), and during one of my maintenance
sessions, there is little or no sensitive data passed between the two
machines.
So... can I rest easy for the moment or should I - with all due haste -
try to implement a more secure connection method?
-----
Once again, an awfully long-winded post, but still hoping for additional
insights.
Thanks very much for your time.
Peter B.
-----
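Added example, not part of Peter's message: one way a defender could check, over connection records, the two things the post's setup relies on, that connections arrive only from the ISP's subnet block and that the 8-character password is not being guessed at. The permitted block 10.20.0.0/16 stands in for "abc.xyz.0.0", and the event records are constructed, not real log lines.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

# Placeholder for the poster's ISP block "abc.xyz.0.0"; a real deployment
# would substitute the /16 the ISP actually assigns.
PERMITTED_BLOCK = ipaddress.ip_network("10.20.0.0/16")

# Constructed sample events (not real log lines): timestamp, source IP and
# outcome, in the shape a firewall or the VNC server's own log might record.
SAMPLE_EVENTS = [
    ("2008-08-15 20:01:05", "10.20.33.7", "auth_ok"),
    ("2008-08-15 20:05:11", "192.0.2.44", "auth_fail"),
    ("2008-08-15 20:05:12", "192.0.2.44", "auth_fail"),
    ("2008-08-15 20:05:13", "192.0.2.44", "auth_fail"),
    ("2008-08-15 20:05:14", "192.0.2.44", "auth_fail"),
    ("2008-08-15 20:05:15", "192.0.2.44", "auth_fail"),
    ("2008-08-15 20:40:00", "10.20.8.200", "auth_fail"),
    ("2008-08-15 21:40:00", "10.20.8.200", "auth_fail"),
    ("2008-08-15 21:50:00", "203.0.113.9", "connect"),
]


def audit_events(events, permitted=PERMITTED_BLOCK, fail_threshold=5,
                 window=timedelta(minutes=5)):
    """Return sources outside the permitted block, and sources whose
    authentication failures reach fail_threshold inside any span of
    length `window` (a password-guessing indicator)."""
    outside = set()
    failures = defaultdict(list)
    for ts, ip, outcome in events:
        addr = ipaddress.ip_address(ip)
        when = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")
        if addr not in permitted:
            outside.add(ip)
        if outcome == "auth_fail":
            failures[ip].append(when)
    brute_force = set()
    for ip, times in failures.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):          # sliding window over failures
            while t - times[start] > window:
                start += 1
            if end - start + 1 >= fail_threshold:
                brute_force.add(ip)
                break
    return {"outside_subnet": sorted(outside), "brute_force": sorted(brute_force)}


if __name__ == "__main__":
    for key, ips in audit_events(SAMPLE_EVENTS).items():
        print(key, ips)
```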