Quasar Posted April 27, 2010
I am getting attacked at an increasing rate by Russian botnet machines that are attempting to connect to my VNC server. The rate of attack is up to twice a day on average now. I don't know if the botnets are only capable of connecting to unprotected VNC servers (i.e. ones with no password set), or if they are capable of employing known exploits to bypass authentication on some servers and they just can't hack through mine yet, but either way it is scary. Now that my machines are on their list, as soon as such an exploit is found, I could be hacked in mere moments. Evidently this is nothing new, as a Google search indicates it's been going on since at least 2007. We discovered that the botnet backdoors the affected machines by downloading and installing an SSH server, and god knows what else it does. So in short, if you run VNC, be very wary.
Whoo Posted April 28, 2010
Well, I'm not going to use VNC anymore. But, as Spleen said, an IP change would probably be best in addition to deleting VNC if you haven't already.
Quasar Posted April 28, 2010
Whoo said: Well, I'm not going to use VNC anymore. But, as Spleen said, an IP change would probably be best in addition to deleting VNC if you haven't already.
I use VNC on a daily basis to connect to my home network from work, so this isn't really an option.
Aliotroph? Posted April 28, 2010
Are the attacks coming from Russia? My old e-mail account worked better when I blocked China altogether.
RestlessRodent Posted April 28, 2010
Maybe you can host an SSH server, allow it for only a single user, and use the denyhosts script. Block VNC from your router, then forward SSH to your local computer and connect to that forward.
exp(x) Posted April 28, 2010
Not using the default port number would probably help.
Reisal Posted April 28, 2010
Have you thought of blocking the entire .ru block from connecting?
Bloodshedder Posted April 28, 2010
Spleen said: I'd request an IP change from your ISP.
This wouldn't really help. The bots are likely testing for connections by using random IPs or blocks of IP addresses.
Mr. Chris said: Have you thought of blocking the entire .ru block from connecting?
Most Russian IP addresses don't have reverse DNS entries, plus you can't block by top-level domain. You'd have to block thousands of IP ranges.
trooper077 Posted April 28, 2010
Stalin's gonna get you (Sorry, couldn't help it)
Super Jamie Posted April 28, 2010
Putting raw VNC over the internet is a huge security risk, the stream encryption is good enough but passwords are still submitted in plaintext. I connect to my LAN from work too, but I do it all over SSH. You can do this cheaply and easily with a router that runs DD-WRT or build a little Linux box to act as a gateway. You could also use a VPN service like Hamachi. Expose as little to the internet as humanly possible. Even if it means a slight inconvenience such as a double login.
fraggle Posted April 28, 2010
Quasar said: I am getting attacked at an increasing rate by Russian botnet machines that are attempting to connect to my VNC server. The rate of attack is up to twice a day on average now.
Twice a day? Is that all? There are probably thousands of people out there scanning different IP ranges for machines to target every day. Any server you put up is going to get connection attempts (and no, changing your IP address is a complete waste of time). Much like spam it's a fact of life that you just have to live with. Best advice is to just make sure you keep up to date and don't run old software with security holes in. If you're paranoid, you could try:
- Setting up a firewall to only allow VNC connections from specific addresses (my machine at home has an SSH server and I've configured the firewall to only allow connections from my machine at work, my parents' house, etc).
- Running the VNC server on an unusual port number that people are unlikely to scan.
- Configure port knocking.
- Set up a secure VPN of some kind (though this is really "swallowing the spider to catch the fly")
Spleen Posted April 28, 2010
Bloodshedder said: Most Russian IP addresses don't have reverse DNS entries, plus you can't block by top-level domain. You'd have to block thousands of IP ranges.
Why not block everything except the IP range of his work, then?
VinceDSS Posted April 28, 2010
If you use a 128-bit encrypting method with a specific key that only the client and server have you should be safe. On top of the regular password I find this is very safe. I use that setup for my home computer. They may see the port is open but will never be able to log in since they don't have the key nor the password. Also, if your router allows it you can allow only a specific set of IPs (your work and such) to be able to connect to that VNC port.
Edit: I also use a key+mouse locker, that prevents anybody that doesn't know a specific key sequence from using any input device. So if anybody manages to access the VNC or for that matter the PC, all input devices are locked, even if the PC reboots.
RestlessRodent Posted April 28, 2010
Just as fraggle said about being paranoid:
fraggle said: Setting up a firewall to only allow VNC connections from specific addresses (my machine at home has an SSH server and I've configured the firewall to only allow connections from my machine at work, my parents' house, etc).
Doing this would beef up security but if let's say your parents got a dynamic IP then you'd need to do an entire range losing security. This is not effective for any home addresses, only businesses.
fraggle said: Running the VNC server on an unusual port number that people are unlikely to scan.
Works unless the port is blocked.
fraggle said: Configure port knocking.
Works, but you may need additional software to knock the actual ports. Also, some places such as businesses, schools, and ISPs may block those ports.
fraggle said: Set up a secure VPN of some kind (though this is really "swallowing the spider to catch the fly")
Not really paranoid, I do this from everywhere and it works great to where I can access my own network with no trouble at all.
fraggle Posted April 28, 2010
GhostlyDeath said: Doing this would beef up security but if let's say your parents got a dynamic IP then you'd need to do an entire range losing security. This is not effective for any home addresses, only businesses.
Limiting it to a range is still practical; if it's a /24 for example, you've reduced the range of potential hackers from ~4 billion to ~256.
GhostlyDeath said: Not really paranoid, I do this from everywhere and it works great to where I can access my own network with no trouble at all.
My point is, it doesn't really address the problem; you've just shifted it from VNC to a different service (VPN).
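Added example, not part of any post in this thread: a dry-run script for the source-address allowlist fraggle suggests, which also counts how many addresses remain able to reach the port (the /24 point above). It assumes the VNC server is a Linux host with iptables and VNC on its default port 5900; the function names and the source ranges are constructed for illustration.

```shell
#!/bin/sh
# Dry run: prints iptables rules that limit one TCP port to an allowlist.
# Assumptions: Linux host running the VNC server, iptables available,
# VNC on its default port 5900. Source ranges are constructed sample
# values taken from the RFC 5737 documentation blocks.

# Number of IPv4 addresses covered by an address or CIDR range.
cidr_size() {
    case $1 in
        */*) prefix=${1#*/} ;;
        *)   prefix=32 ;;          # bare address = single host
    esac
    echo $(( 1 << (32 - prefix) ))
}

# Usage: vnc_allowlist_rules PORT SOURCE...
vnc_allowlist_rules() {
    port=$1
    shift
    # Validate every source first so a bad entry yields no partial rule set.
    for src in "$@"; do
        case $src in
            ''|*[!0-9./]*) echo "bad source: $src" >&2; return 1 ;;
        esac
    done
    for src in "$@"; do
        echo "iptables -A INPUT -p tcp --dport $port -s $src -j ACCEPT"
    done
    # iptables stops at the first match, so the catch-all DROP must come last.
    echo "iptables -A INPUT -p tcp --dport $port -j DROP"
}

# Constructed allowlist: a workplace /24 and one fixed home address.
ALLOWED="203.0.113.0/24 198.51.100.7"

vnc_allowlist_rules 5900 $ALLOWED
total=0
for src in $ALLOWED; do
    total=$(( total + $(cidr_size "$src") ))
done
echo "# addresses still able to reach port 5900: $total"
```

Review the printed rules before applying them; piping the output to `sh` as root installs them.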
Quasar Posted April 28, 2010
I tried changing the port today and now I cannot connect, so I don't think that's going to work.
RestlessRodent Posted April 29, 2010
Quasar said: I tried changing the port today and now I cannot connect, so I don't think that's going to work.
You need to change both the server and client port and make sure they are forwarded/not-blocked.
Mr. Freeze Posted April 29, 2010
Looks like the Cold War just started again.