FNAL Policy Violation

Platform: All
Product: VNC
Exploitation: Remote
Patch By: No patch
Remediation: Disable VNC, or set it up for localhost access only and use an SSH tunnel
Blocking: Immediate

Services such as VNC cannot accept connections from either the FNAL network or the Internet. These services can only be used when encapsulated within a Kerberos-authenticated session and provided over an encrypted transport (e.g. VNC can be used inside a Kerberos-authenticated SSH tunnel). See the FNAL Remote Access/Remote Desktop Policy or search Google for help on tunneling VNC through SSH.

Abbreviated Technical Details

Example of tunneling VNC over an SSH tunnel (excerpt from gentoo-wiki.com):

$ ssh -X -f username@machine2 -N -L 1111:machine1:5900

Here are the parts of the command in detail:

$ vncviewer localhost::1111

Be sure to prohibit the VNC service from listening on your default (or all) network interfaces; instead, bind it to localhost (127.0.0.1) only. You may need to consult your VNC distribution's documentation for the configuration parameters that accomplish this. If you cannot change the configuration, install a local firewall that blocks access to the remote desktop ports.
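The following shell script is an added example and is not part of the FNAL page: it audits `ss -ltn`-style listener output for VNC display ports (5900-5999) bound to anything other than loopback, and prints the SSH local-forward command described above for reaching a correctly bound server. The listener output is a constructed sample, and the host names (username@machine2, machine1) are placeholders taken from the page's own example.

```shell
#!/bin/sh
# Added example (not FNAL's or gentoo-wiki's code): detect VNC listeners that
# are exposed on non-loopback addresses, and build the SSH tunnel command that
# the policy requires for reaching a loopback-only VNC server.

# Constructed sample of `ss -ltn` output; not captured from a real host.
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN 0      5      127.0.0.1:5901      0.0.0.0:*
LISTEN 0      5      0.0.0.0:5900        0.0.0.0:*
LISTEN 0      128    [::]:22             [::]:*
LISTEN 0      5      [::1]:5902          [::]:*'

# vnc_exposed: read `ss -ltn` lines on stdin and print "addr:port" for every
# VNC display port (5900-5999) whose bind address is not 127.0.0.0/8 or ::1.
vnc_exposed() {
    awk 'NR > 1 {
        n = split($4, a, ":"); port = a[n];
        if (port !~ /^59[0-9][0-9]$/) next;
        addr = substr($4, 1, length($4) - length(port) - 1);
        if (addr ~ /^127\./ || addr == "[::1]") next;
        print addr ":" port
    }'
}

# vnc_tunnel_cmd GATEWAY VNCHOST LOCALPORT [DISPLAYPORT]: print the ssh command
# that forwards LOCALPORT on this machine to VNCHOST:DISPLAYPORT via GATEWAY.
# The local end is pinned to 127.0.0.1 so the forwarded port is not itself
# reachable from other hosts even if GatewayPorts is enabled in ssh_config.
vnc_tunnel_cmd() {
    printf 'ssh -f -N -L 127.0.0.1:%s:%s:%s %s\n' "$3" "$2" "${4:-5900}" "$1"
}

exposed=$(printf '%s\n' "$SAMPLE_SS" | vnc_exposed)
if [ -n "$exposed" ]; then
    echo "VNC listening on non-loopback address(es):"
    echo "$exposed"
    echo "Rebind the server to 127.0.0.1 (or firewall the port), then connect via:"
    vnc_tunnel_cmd username@machine2 machine1 1111
    echo "followed by: vncviewer localhost::1111"
fi
```

Replace the constructed sample with `ss -ltn | vnc_exposed` on a real host to check its own listeners.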
For assistance contact helpdesk@fnal.gov.

Information compiled and maintained by the Computer Security Team; last modified by FJN on October 7, 2008. (Address comments about this page to the Computer Security Team.)