Update: UltraVNC 1.4.3.6 and UltraVNC SC 1.4.3.6: https://forum.uvnc.com/viewtopic.php?t=37885
Important: Please update to the latest version before creating a reply, a topic or an issue: https://forum.uvnc.com/viewtopic.php?t=37864
Join us on social networks and share our announcements:
- Website: https://uvnc.com/
- GitHub: https://github.com/ultravnc
- Mastodon: https://mastodon.social/@ultravnc
- Facebook: https://www.facebook.com/ultravnc1
- X/Twitter: https://x.com/ultravnc1
- Reddit community: https://www.reddit.com/r/ultravnc
- OpenHub: https://openhub.net/p/ultravnc
allow connect ONLY from these IPs
Because last weekend someone invaded my computer via VNC (yes, he/she also changed UltraVNC's admin password), I would like to request an "allow connect ONLY from these IPs" feature, or the use of files like /etc/hosts.allow and /etc/hosts.deny in Linux/Unix.
i.e., 192.168.0.*, 10.0.0.1, 200.1.2.3
Thank you very much for your attention, and I'm looking forward to seeing this feature implemented as soon as possible.
[mod=494,1215204040]moved from feature request to general help[/mod]
Last edited by afontes on 2008-07-04 20:40, edited 2 times in total.
-
- Former moderator
- Posts: 607
- Joined: 2006-11-30 00:41
- Location: Connecticut, USA
Re: allow connect ONLY from these IPs
Have you looked into the encryption plugins? I'm not saying that your concern does not need to be addressed, but in the meantime you can use the plugins to secure your connection.
Re: allow connect ONLY from these IPs
I strongly support this feature request, the reason is very simple...
It does not matter how strong your encryption is, there is a small chance that it can be broken, and even if not, that doesn't stop wannabe hackers from trying and trying and trying and flooding your connection with failed attempts.
If there was a way to allow only certain IPs or certain ranges, it would increase security a lot; by just not answering login attempts you make the login much more secure.
Let's say some script kiddie wants to have some fun: he opens his favorite scanner and sets it to scan a wide range of IPs but only on ports 5800 and 5900. He will quickly find a lot of VNC users; encryption might prevent him from entering your computer but it won't prevent him from "trying" for hours or days, especially with more than one computer doing so.
If a simple IP check was added to the login this could be prevented: when this guy scans an IP with such a measure, VNC will check BEFORE answering whether the IP is allowed. If it's not, it will not answer and will do nothing further, so the scanner will report an open port only, but nothing running behind it; if it's allowed, it asks for user/pass like it does now.
Yes, encryption is good, but combined with this it could make VNC much more secure and less likely to be flooded, like mine was. That's why I'm here, to see if what the first poster requested was possible.
Make it possible please; there is no such thing as extra security, because no amount can ever be enough if your beloved PC/Server is at risk.
Re: allow connect ONLY from these IPs
Thanks for the post.
Re: allow connect ONLY from these IPs
I searched for this feature few months ago, too. Unfortunately there ain't any GUI for this. But it's easily possible.
Check this registry String:
HKEY_LOCAL_MACHINE\SOFTWARE\ORL\WinVNC3
There's a REG_SZ entry with the name "AuthHosts" which should be documented in the WinVNC documentation. Afaik UltraVNC is a modified WinVNC so this entry works flawlessly with UltraVNC. Its use is very simple.
E.g.
If you only want to allow access from 192.168.0.10 the entry should be:
"-:+192.168.0.10"
See here for further information:
AuthHosts
The AuthHosts setting is, unlike the other settings, a REG_SZ string. It is used to specify a set of IP address templates which incoming connections must match in order to be accepted. By default, the template is empty and connections from all hosts are accepted. The template is of the form:
+[ip-address-template]
?[ip-address-template]
-[ip-address-template]
In the above, [ip-address-template] represents the leftmost bytes of the desired stringified IP-address. For example, +158.97 would match both 158.97.12.10 and 158.97.14.2. Multiple match terms may be specified, delimited by the ":" character. Terms appearing later in the template take precedence over earlier ones. e.g. -:+158.97: would filter out all incoming connections except those beginning with 158.97. Terms beginning with the "?" character are treated by default as indicating hosts from whom connections must be accepted at the server side via a dialog box. The QuerySetting option determines the precise behaviour of the three AuthHosts options. Local machine-specific setting.
Last edited by Hanzolo on 2007-04-11 20:11, edited 3 times in total.
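The template rules quoted above, modelled as an added example (not WinVNC or UltraVNC code): it parses an AuthHosts string and returns the verdict for one address. The plain string-prefix match follows the documentation text; the `octet_boundary` switch, the function names and the sample addresses are assumptions made here, so confirm the server's real behaviour by connecting from a neighbouring address.

```python
# Added example: models the AuthHosts rules quoted above; not WinVNC/UltraVNC code.
ACTIONS = {"+": "accept", "?": "query", "-": "reject"}


def parse_template(template):
    """Split an AuthHosts string into ordered (action, prefix) terms."""
    terms = []
    for raw in template.strip().split(":"):
        if not raw:
            continue  # empty piece, e.g. after the trailing ':' in '-:+158.97:'
        if raw[0] not in ACTIONS:
            # Catches values pasted with quotes, as tried later in this thread.
            raise ValueError(f"term {raw!r} must start with '+', '?' or '-'")
        terms.append((ACTIONS[raw[0]], raw[1:]))
    return terms


def _matches(prefix, ip, octet_boundary):
    if not ip.startswith(prefix):
        return False
    if not octet_boundary or prefix == "" or prefix.endswith("."):
        return True
    # Assumption (not stated on the page): stricter mode where the prefix
    # must end exactly at a '.' or at the end of the address.
    rest = ip[len(prefix):]
    return rest == "" or rest.startswith(".")


def evaluate(template, ip, octet_boundary=False):
    """Return 'accept', 'query' or 'reject' for a dotted IPv4 string."""
    verdict = "accept"  # documented default: empty template accepts all hosts
    for action, prefix in parse_template(template):
        if _matches(prefix, ip, octet_boundary):
            verdict = action  # later terms take precedence over earlier ones
    return verdict


if __name__ == "__main__":
    # Constructed sample addresses; templates are the ones quoted in the thread.
    for tmpl, ip in [("-:+158.97:", "158.97.12.10"), ("-:+158.97:", "10.0.0.1"),
                     ("-:+192.168.0.10", "192.168.0.105"), ("-", "10.0.1.2")]:
        print(f"{tmpl!r:20} {ip:15} literal={evaluate(tmpl, ip)} "
              f"strict={evaluate(tmpl, ip, octet_boundary=True)}")
```

Read as a plain string prefix, `-:+192.168.0.10` also admits 192.168.0.100 through 192.168.0.109, which is why the two modes are shown side by side.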
Re: allow connect ONLY from these IPs
I've done all like Hanzolo wrote but it doesn't work for me.
Any idea to make this run?
Last edited by maeuchler on 2007-07-12 21:47, edited 1 time in total.
Re: allow connect ONLY from these IPs
This works for sure!
Post your AuthHosts entry please..
edit: wow I answer so fast I could be live support
Last edited by Hanzolo on 2007-07-12 21:55, edited 1 time in total.
Re: allow connect ONLY from these IPs
I tried it with
"-:+10.0.1.2"
and without ""
-:+10.0.1.2
But I can connect with any other IP
Re: allow connect ONLY from these IPs
You must NOT put the " in the field of course! But I'm glad you tried it without them, too.
Did you restart the VNC server?
Seeing your IP reminds me of VPN. Are you running a VPN?
When you are connected run the service helper and right click on the tray icon and select "list client". What IP does it show?
Re: allow connect ONLY from these IPs
So now I tried just for fun with the IP "123.456.789.101"
But I can connect with the IP "10.0.1.2"
And that's (10.0.1.2) what I can see when I click on "list all clients"
And sure I restarted the server.
P.S.: Yes, I run a VPN
Last edited by maeuchler on 2007-07-14 16:32, edited 2 times in total.
Re: allow connect ONLY from these IPs
Try a "-" and test if you can't connect anymore.
If you can, then the whole AuthHosts is not working and we'll see further.
Please also double-check that it's a REG_SZ string and that it's in the correct subfolder in the registry.
Re: allow connect ONLY from these IPs
OK, I've tested it with just a "-" (without "") but I can connect.
I've checked the key HKEY_LOCAL_MACHINE\SOFTWARE\ORL\WinVNC3
there is a REG_SZ named AuthHosts
Re: allow connect ONLY from these IPs
Try to connect directly without VPN and test if it works. If it does, then it's a problem with the VPN.
Also try to put in the external IP (not the internal VPN IP) while VPN is running.
Re: allow connect ONLY from these IPs
VPN is closed but it's like before.
Re: allow connect ONLY from these IPs
Did you restart the VPN service over services.msc?
Also try to reboot the PC...
Re: allow connect ONLY from these IPs
The VPN is closed.
I've rebooted my pc and nothing new.
Do you have ICQ or any other messenger?
[edit]
The problem is solved!
Hanzolo is a good boy, he's my hero
[/edit]
Last edited by maeuchler on 2007-07-14 19:27, edited 1 time in total.
Re: allow connect ONLY from these IPs
I'm interested in that too, so what is the solution?
Thanks
2b || !2b does it mean to be or to look like?
Re: allow connect ONLY from these IPs
The solution to his problem was rather special so I suggest you read the whole topic if you haven't done already.
Greetings
Re: allow connect ONLY from these IPs
I also had trouble restricting IPs to VNC.
Turns out my UseRegistry setting in UltraVNC.ini was set to 0. Changing it to 1 fixed my AuthHosts issue.
- Rudi De Vos
- Admin & Developer
- Posts: 6863
- Joined: 2004-04-23 10:21
- Contact:
Re: allow connect ONLY from these IPs
You also can add the same settings to the ultravnc.ini file.