staying secure while allowing vnc...
- From: jistanidiot@xxxxxxxxx
- Date: 22 Dec 2006 07:44:05 -0800
I used parts of the following guides to set my box up so that I can vnc
to it thru an ssh tunnel.
http://pigtail.net/LRP/vnc/
http://www.prosig.com/protor/kbase/vnc-install.html
I'm not a security guru so I thought I'd ask here if what I've done is
a good idea.
My box started out as a RH9 box, however it has been upgraded many
times. Most upgrades I compile from source and have been things like
SSH, mozilla, iptables, and a few other things. Some legacy rpms from
the legacy project have also been installed. I'll upgrade to another
OS when I buy or build a new box.
Anyway it has become necessary that I access this system while I'm on
the road. My job has given me a laptop (yeah!) but won't let me put
any flavor of Linux on it. Dragging my personal laptop, which
dualboots to WinXP and Debian, along as a 2nd one is just not going to
happen. So the solution I've decided to use is VNC thru an ssh tunnel.
This seems fine, but a few things I had to do to get the VNC stuff
working worry me. I don't at all understand the implications and
hope this group can let me know.
The main things I did were:
edit /etc/X11/xdm/xdm-config
    commented out DisplayManager.requestPort: 0
edit /etc/X11/xdm/Xaccess
    uncomment !* # any host can get a login window
run gdmconfig
    enable XDMCP
To connect from the laptop, I start up Putty, SSH to the box. Putty is
configured to do port forwarding for 5900 to 127.0.0.1:5900 and for
5901 in a similar way. I then vnc to 127.0.0.1:1. It seems to work,
but like I said I don't know what that stuff with xdm and gdm really
allows to happen to my system. Should I worry? What should I watch for
to see if anyone is attempting or has succeeded in hacking my box?
I also tried without running Putty, to vnc to xxx.xxx.xxx.xxx:1 and
that also seems to work. So how secure is vnc's password protection?
I'm using a "good" password, well "good" but something I don't have to
write down.
Thanks in advance.
Jistan
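
Added example, not part of the original post: VNC display :1 is TCP port 5901, so a direct connection to xxx.xxx.xxx.xxx:1 succeeding means the VNC server is listening on more than the loopback interface, and enabling XDMCP opens UDP port 177 (its standard port). The shell function below reads `netstat -tuln` output and flags those listeners when they are bound to a non-loopback address; the function names and the sample lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: flag VNC (tcp 5900/5901) and XDMCP (udp 177) listeners
# that are reachable from outside the loopback interface.
# Input: `netstat -tuln` style lines on stdin.
# Output: one "EXPOSED <service> <proto> <local address>" line per finding.
exposed_listeners() {
    awk '
    $1 ~ /^(tcp|udp)/ {
        local_addr = $4
        n = split(local_addr, parts, ":")
        port = parts[n]                      # text after the last colon
        addr = substr(local_addr, 1, length(local_addr) - length(port) - 1)
        # Loopback-only listeners are what an SSH tunnel needs; skip them.
        if (addr ~ /^127\./ || addr == "::1") next
        svc = ""
        if ($1 ~ /^tcp/ && (port == "5900" || port == "5901")) svc = "VNC"
        if ($1 ~ /^udp/ && port == "177") svc = "XDMCP"
        if (svc != "") printf "EXPOSED %s %s %s\n", svc, $1, local_addr
    }'
}

# Constructed sample of `netstat -tuln` output (not taken from a real host).
sample_netstat() {
    cat <<'EOF'
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:5901            0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:5900          0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
udp        0      0 0.0.0.0:177             0.0.0.0:*
tcp6       0      0 :::5901                 :::*                    LISTEN
EOF
}

# Demonstration on the sample; on a live box use: netstat -tuln | exposed_listeners
sample_netstat | exposed_listeners
```

Any line it prints is a service that can be reached without the SSH tunnel; an empty result means the VNC and XDMCP listeners are either loopback-only or not running.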