Update: UltraVNC 1.4.3.6 and UltraVNC SC 1.4.3.6: https://forum.uvnc.com/viewtopic.php?t=37885
Important: Please update to the latest version before creating a reply, a topic or an issue: https://forum.uvnc.com/viewtopic.php?t=37864
Join us on social networks and share our announcements:
- Website: https://uvnc.com/
- GitHub: https://github.com/ultravnc
- Mastodon: https://mastodon.social/@ultravnc
- Facebook: https://www.facebook.com/ultravnc1
- X/Twitter: https://x.com/ultravnc1
- Reddit community: https://www.reddit.com/r/ultravnc
- OpenHub: https://openhub.net/p/ultravnc
Limiting what IP addresses can access a server
Hello all,
Due to the recent worms and such going around with remote services, my port 5900 is frequently
assaulted by those in Asia and in Europe. This causes a DOS such that I can log in, but have to hit
"refresh" every time I want to see an updated screen.
Is there a way for UVNC to limit access to certain domains or a set of IPs? And if so,
how does one set that up? Any help would be appreciated. Thank you!
Gilbert
Re: Limiting what IP addresses can access a server
http://www.uvnc.com/docs/uvnc-server.html
The ultravnc.ini supports authhosts:
AuthHosts=
+ =allow
- = deny
? = query
syntax:
-:+10.0.60.141:?10.0.31.169:-10.0.20.240:
Instead of 10.0.60.141 you can use 10.0.60; then it is valid for the full range of IP addresses.
http://www.chunkvnc.com - ChunkVNC - Free PC Remote control with the Open Source UltraVNC wrapper InstantSupport!
Re: Limiting what IP addresses can access a server
So I have this:
AuthHosts=-:+129.177:+myvzw.com:
The myvzw.com part is not working. I want all .myvzw.com to be able to get access to it
(limited by password authentication, of course.) What am I doing wrong?
I tried:
AuthHosts=-:+129.177:+*.myvzw.com:
That didn't work, either.
And thanks for your help on this, I really appreciate it!
Gilbert
Re: Limiting what IP addresses can access a server
You need to use IP ranges, not a DNS name.
http://www.realvnc.com/pipermail/vnc-li ... 22817.html
>Is it possible to successfully use a domain name (my.domain.com) _instead
>of_ ip addresses in the AuthHosts registry entry? TIA
Probably not. AuthHosts is a security measure, and DNS lookups are easily
spoofed. IP addresses are harder to fake and still successfully continue
the attack (if the connection claims to come from a fake address, the
server packets won't go to the spoofer's machine).
http://www.chunkvnc.com - ChunkVNC - Free PC Remote control with the Open Source UltraVNC wrapper InstantSupport!
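An added example (not from the thread or the UltraVNC project) that evaluates an AuthHosts value offline, showing which client IPs it admits and flagging terms such as DNS names that cannot match. It assumes terms are matched as leading octets of the client's dotted IP address, that the last matching term wins, and that an unmatched client is accepted; the function names and sample client addresses are constructed for illustration.

```python
import re

ACTIONS = {"+": "allow", "-": "deny", "?": "query"}
IP_PREFIX = re.compile(r"^\d{1,3}(\.\d{1,3}){0,3}$")


def parse_authhosts(value):
    """Split an AuthHosts value into (action, prefix) terms plus lint warnings."""
    terms, warnings = [], []
    for raw in value.split(":"):
        raw = raw.strip()
        if not raw:
            # Empty segment, e.g. from a trailing ':'. Skipped here; the thread
            # leaves open how UltraVNC itself treats it.
            continue
        action, prefix = raw[0], raw[1:]
        if action not in ACTIONS:
            warnings.append(f"{raw!r}: term must start with +, - or ?")
            continue
        if prefix and not IP_PREFIX.match(prefix):
            warnings.append(f"{raw!r}: not a dotted IP prefix, will never match")
        terms.append((ACTIONS[action], prefix))
    return terms, warnings


def prefix_matches(prefix, ip):
    """True if prefix is empty (matches all) or equals the leading octets of ip."""
    if not prefix:
        return True
    want = prefix.split(".")
    return ip.split(".")[:len(want)] == want


def decide(value, ip, default="allow"):
    """Assumed semantics: the last matching term wins; no match gives default."""
    terms, _ = parse_authhosts(value)
    result = default
    for action, prefix in terms:
        if prefix_matches(prefix, ip):
            result = action
    return result


if __name__ == "__main__":
    cfg = "-:+129.177:+myvzw.com:"               # value posted in the thread
    for ip in ("129.177.4.20", "198.51.100.7"):  # constructed client addresses
        print(ip, decide(cfg, ip))
    print(parse_authhosts(cfg)[1])
```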
Re: Limiting what IP addresses can access a server
Uh, may I offer the dead simple answer as an alternative?
Stop running on port 5900!
Pick any obscure high numbered port instead.
Security through obscurity counts for a LOT when trying to minimize wormy intrusions.
Re: Limiting what IP addresses can access a server
Not so simple. They're scanning all ports these days, more and more.
Anyway, so now I am locked out of my remote servers. I am on this network:
=-:+129.177
But all my requests are being rejected. I presume that's because all of our
machines have names matching their DNS numbers? How do I fix VNC
to look for the IP, and not the "name" of the server trying to get in?
Gilbert
Re: Limiting what IP addresses can access a server
Then I don't believe you. If you're suffering that much unwanted traffic on an ongoing basis, AND you're sure that changing from port 5900 would do little to reduce it, then you must be under one or more TARGETED and specific denial of service attacks, such that nothing you do locally would substantially minimize the effect. I would suggest involving your upstream ISPs and/or pursuing legal action against those targeting your systems.
I'm saying that random drive-by port scans should never achieve a DoS effect. It sounds as if you have bigger problems than an open port.
That said, you might consider blocking specific IP ranges at your own routers rather than trying to handle it in VNC -- by the time the packets hit the VNC process, the "DoS" effect has long since taken place.
Re: Limiting what IP addresses can access a server
As a matter of fact, I have been targeted on one of my machines, but our ISP has to block it for our whole university, or not at all.
However, changing ports definitely merits consideration in the short-term. Now to read up on that...
Gilbert
Re: Limiting what IP addresses can access a server
Not sure what you mean here: How do I fix VNC to look for the IP, and not the "name" of the server trying to get in?
Sorry I've never used this feature of UltraVNC and don't have time to test right now but it appears you are missing the trailing colon?
=-:+129.177:
http://www.chunkvnc.com - ChunkVNC - Free PC Remote control with the Open Source UltraVNC wrapper InstantSupport!
Re: Limiting what IP addresses can access a server
My bad, when I copied and pasted, I left off the missing colon. It is in there in the .ini.
I'm taking your advice and changing the ports now. Short-term solution, but it will
get attackers off my back. No one has gotten in, but it will get me through this mess.
Gilbert
Re: Limiting what IP addresses can access a server
Hmmm, now with some further reading maybe there shouldn't be a colon there....
http://forum.ultravnc.info/viewtopic.php?t=15207
http://forum.ultravnc.info/viewtopic.php?t=4067
http://www.chunkvnc.com - ChunkVNC - Free PC Remote control with the Open Source UltraVNC wrapper InstantSupport!
Re: Limiting what IP addresses can access a server
That might be why I got locked out of everything. Hmmm. If so, there should be a sanity check to ignore the ":" at the end.
Gilbert