DaemonForums  

#1  mfaridi, 19th November 2008
How understand someone connect to my BOX with VNC

I installed a VNC server on my system, then went to a Windows box and connected to my OpenBSD box with a VNC viewer, and I am still using it. But when I come to my OpenBSD box, I do not see any report that someone is connected to my system.
When I type
Code:
w
this command does not give me good information.
How can I tell that someone is connected to my OpenBSD box with a VNC viewer when he or she has my password to connect to the system?

#2  jggimi, 19th November 2008

Step 1: Read the TightVNC FAQ. It states:
Quote:
..If you need real security, we recommend ... using SSH tunneling for all TightVNC connections from untrusted networks...
If you plan on opening your VNC server to the Internet, you can stop here, and learn how to use SSH tunneling.

Step 2: Read the vncserver(1) man page. You will discover that it is a wrapper script for the Xvnc X11 server.

Step 3: Read the man page for w(1). You will learn that it merely reads the information in /var/run/utmp, and produces output from it in human readable form.

Step 4: In w(1), note the SEE ALSO section recommends the utmp(5) man page. Read it, and learn that it tracks log in and log out of users. It should become clear that users connecting to the tightvnc server are not logging in, they are merely connecting to the Xvnc daemon.

Step 5: Read the Xvnc(1) man page. Note, under the BUGS section, that it says (highlight mine):
Quote:
...There are many security problems in current Xvnc implementation. It's recommended to restrict network access to Xvnc servers from untrusted network addresses. Probably, the best way to secure Xvnc server is to allow only loopback connections from the server machine (the -localhost option) and to use SSH tunneling for remote access to the Xvnc server.

#3  Oko, 19th November 2008

Unless you are using your computer only as a terminal to a powerful computer, in which case you should learn about Thin clients and Trivial File Protocol, I am having a hard time understanding the purpose of VNC.

Most people want to run VNC in order to see their graphic applications (X client). You can see those X clients on your workstation using a local X server even though the X client runs on the remote machine.

Code:
$ ssh -Y username@server
(enter your password when prompted)
server$ (now type the name of your favorite X client)

#4  jggimi, 19th November 2008

Quote:
Originally Posted by Oko
I am having a hard time understanding the purpose of VNC.

Here's three ....
  1. Independent of graphical platform (X, Win, whatever)
  2. Many possible network protocols, some significantly more efficient than X.
  3. Client software for non-X platforms is much simpler to install and operate, and is actually not even needed -- most VNC servers, including TightVNC, can use a graphical browser as the client.

#5  Oko, 19th November 2008

Quote:
Originally Posted by jggimi
Here's three ....
  1. Independent of graphical platform (X, Win, whatever)
  2. Many possible network protocols, some significantly more efficient than X.
  3. Client software for non-X platforms is much simpler to install and operate, and is actually not even needed -- most VNC servers, including TightVNC, can use a graphical browser as the client.

I am not convinced. My reply to that in order would be:

1. Win what? Last time I checked, Windows runs an X server without any problems. Xming is a native X server for the Windows platform. Cygwin is not the most native way to run an X server on Windows, but it is nevertheless a very good way of running an X server and lots of other GNU software.

2. Sure. One of the most efficient network protocols is Trivial File Transfer Protocol. It is used in the well-known concept of Thin Clients. It is far more efficient than any VNC stuff I have seen.

3. There are Java-based clients that can be used inside of your browser to get GUI access to a remote desktop. It is even less efficient than VNC.

I have used VNC in the past. My favorite client is SSVNC, but when run properly ssvnc is more or less a GUI for ssh.

I would really like to hear more convincing argumentation.

Last edited by Oko; 19th November 2008 at 09:37 PM.

#6  jggimi, 19th November 2008

Quote:
Originally Posted by Oko
...I would really like to hear more convincing argumentation.

You won't get it from me.

#7  mfaridi, 20th November 2008

I cannot find a good howto for connecting with VNC and SSH tunneling to an OpenBSD box.

#8  DutchDaemon, 20th November 2008

On your server, start the VNC daemon, listening on localhost only.

On your workstation, use something like this:

Code:
ssh -l mfaridi -L 5900:localhost:5900 your.vnc.server
After connecting and authenticating, start your VNC client on your workstation and point it at 127.0.0.1 port 5900.

VNC will then connect to your VNC server like this:

Code:
VNC client -> workstation:localhost:5900 -> ssh -> your.vnc.server:localhost:5900
This may help as well.

Last edited by DutchDaemon; 20th November 2008 at 10:26 AM.
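
Added example, not part of any post in this thread: VNC sessions never reach utmp (post #2), and a tunnelled setup should listen on loopback only (post #8), so the TCP socket table is where both facts can be checked. The functions below filter BSD-style `netstat -an -f inet` output for the default VNC ports; the sample table, its addresses and the function names are constructed for illustration, and IPv4 is assumed.

```sh
#!/bin/sh
# Added example: find VNC sockets in BSD-style `netstat -an -f inet` output.
# Assumes IPv4 and the default VNC ports 5900-5999 (display :N = 5900+N).

# Constructed sample of the server's socket table (not from the thread).
sample_netstat() {
cat <<'EOF'
Proto   Recv-Q Send-Q  Local Address        Foreign Address       (state)
tcp          0      0  192.168.1.10.5901    192.168.1.77.49233    ESTABLISHED
tcp          0      0  127.0.0.1.5900       127.0.0.1.31544       ESTABLISHED
tcp          0      0  127.0.0.1.31544      127.0.0.1.5900        ESTABLISHED
tcp          0      0  192.168.1.10.22      192.168.1.77.49230    ESTABLISHED
tcp          0      0  *.5901               *.*                   LISTEN
tcp          0      0  127.0.0.1.5900       *.*                   LISTEN
tcp          0      0  *.22                 *.*                   LISTEN
EOF
}

# Print "addr:port" for each VNC listener that is NOT bound to loopback,
# i.e. an Xvnc started without -localhost.
vnc_exposed_listeners() {
    awk '$1 ~ /^tcp/ && $NF == "LISTEN" {
        n = split($4, a, /\./); port = a[n] + 0
        addr = substr($4, 1, length($4) - length(a[n]) - 1)
        if (port >= 5900 && port <= 5999 && addr != "127.0.0.1")
            print addr ":" port
    }'
}

# Print "peer port kind" for each established connection to a VNC port.
# A loopback peer is local or arrived through an SSH tunnel.
vnc_peers() {
    awk '$1 ~ /^tcp/ && $NF == "ESTABLISHED" {
        n = split($4, l, /\./); port = l[n] + 0
        if (port < 5900 || port > 5999) next
        m = split($5, f, /\./)
        peer = substr($5, 1, length($5) - length(f[m]) - 1)
        kind = (peer == "127.0.0.1") ? "loopback" : "direct"
        print peer, port, kind
    }'
}

# On the server itself: netstat -an -f inet | vnc_peers
sample_netstat | vnc_exposed_listeners
sample_netstat | vnc_peers
```

With the tunnel command from post #8, the SSH login itself appears in w(1), which ties a loopback peer to an account.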

#9  robbak, 21st November 2008

Quote:
Originally Posted by Oko
I am not convinced. My reply to that in order would be:

1. Win what? Last time I checked, Windows runs an X server without any problems. Xming is a native X server for the Windows platform. Cygwin is not the most native way to run an X server on Windows, but it is nevertheless a very good way of running an X server and lots of other GNU software.

Yes, you can use Windows as your X server. How about Windows programs as X clients?

Quote:
2. Sure. One of the most efficient network protocols is Trivial File Transfer Protocol. It is used in the well-known concept of Thin Clients. It is far more efficient than any VNC stuff I have seen.

The difference we are looking at is for a graphically-based program - yes, you will claim that such a program is badly written, and you'd be right BUT - with often changing screens, all rendered server-side. It will bog down on a slower network connection badly and be unusable. A VNC using jpeg compression and other efficiency options will allow you to get the job done.

Quote:
3. There are Java-based clients that can be used inside of your browser to get GUI access to a remote desktop. It is even less efficient than VNC.

I have used VNC in the past. My favorite client is SSVNC, but when run properly ssvnc is more or less a GUI for ssh.

I would really like to hear more convincing argumentation.

Well, there are times that a VNC is a necessary evil, and remote access to a Windows machine is probably the main one. But I will agree with you in this manner: If you are thinking of using VNC, think: "is there a better way?"

(OH, and like you, I hate these quote wars. I think it's the first time I've done it, and I have already apologized to my own sensitivities, as I do now to yours.)
__________________
The only dumb question is a question not asked.
The only dumb answer is an answer not given.

Last edited by robbak; 21st November 2008 at 12:25 AM. Reason: dyslxeai