VNC / Screen Sharing Security Concerns

I have a Mac at home with Remote Management turned on in System Prefs.

My Mac is behind a firewall / router (OpenWRT) but NAT routes the correct ARD ports to my Mac, and I have been able to connect from away from home without problems before.

Last night I thought the hard disk was churning quite a bit, so I started to poke around in the terminal checking for hacks with my limited hobbyist Unix admin skills.

Using netstat and lsof, I believe I identified an ESTABLISHED connection to VNC from an unexpected domain.

(I saved the output, but I don't have it now, I'm away from home.)

I have turned off Remote Management, and will probably clean install OS X again, but I want to understand more about VNC security vulnerabilities.

Does an ESTABLISHED connection mean the screen is already being shared, or does it mean there is enough of a connection to be guessing passwords?

What tools and techniques are there for detecting vnc intruders and guarding against them? For example password guessing? Is that logged / throttled anywhere?

Where is the logging for previous and current vnc connections?

MacPro, Mac OS X (10.6.6)

Posted on Mar 9, 2011 12:26 PM


Mar 9, 2011 12:48 PM in response to jww2

does an ESTABLISHED connection mean the screen is already being shared, or does it mean there is enough of a connection to be guessing passwords?


netstat knows nothing of the underlying protocol used on any port. It only understands the network level, so all it knows is that there's a TCP/IP connection between the local and remote machine.

That connection could be the result of a simple SYN/ACK handshake before any traffic passes - e.g. before the remote system tries to log in. It could be a live, remote VNC session, but it could also be a simple bot probing TCP ports to see what responds, regardless of protocol.
At this point you have no way of knowing whether that connection was live, related to VNC in any way, or whether the remote user was even trying to log in.

What tools and techniques are there for detecting vnc intruders and guarding against them? For example password guessing? Is that logged / throttled anywhere?


System-level logins (e.g. via SSH, console, etc.) are logged. I don't believe VNC is, though. It's a pretty lightweight protocol and was never designed for security (as attested by the simple, single password used for all login). Of course, having access to the screen shouldn't be a huge problem in and of itself - I mean, it's not like you're leaving your desktop open with apps running, etc., right? RIGHT?
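The reply above makes the point that netstat only reports TCP state, so the useful first step is to pull out every connection to the local VNC port from a host you do not recognise, whatever its state, and then look at it with lsof or tcpdump. The script below is an added example, not part of the original thread: it filters macOS-style netstat output (addresses written as addr.port) for connections to a given local port whose remote address is outside an allowlist regex. The netstat sample is constructed for the example; the allowlist pattern and the addresses are assumptions.

```shell
#!/bin/sh
# Constructed sample of `netstat -an -p tcp` output in macOS format.
# Real use: netstat -an -p tcp | vnc_peers 5900 '^192[.]168[.]1[.]'
SAMPLE_NETSTAT='Active Internet connections (including servers)
Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp4       0      0  192.168.1.10.5900      192.168.1.20.49152     ESTABLISHED
tcp4       0      0  192.168.1.10.5900      203.0.113.45.51234     ESTABLISHED
tcp4       0      0  192.168.1.10.5900      198.51.100.7.40001     SYN_RCVD
tcp4       0      0  *.5900                 *.*                    LISTEN
tcp4       0      0  192.168.1.10.22        192.168.1.20.49200     ESTABLISHED'

# vnc_peers PORT ALLOW_REGEX
# Reads netstat output on stdin and prints "STATE REMOTE_IP" for every
# TCP connection (any state except LISTEN) to local port PORT whose
# remote address does not match ALLOW_REGEX (empty regex = allow nothing).
# A half-open SYN_RCVD from a scanner is reported just like an
# ESTABLISHED session, because netstat cannot tell you which one is a
# live VNC login and which is a port probe.
vnc_peers() {
  port="$1"; allow="$2"
  awk -v port="$port" -v allow="$allow" '
    $1 ~ /^tcp/ && $6 != "LISTEN" {
      # local address is "ip.port"; the port is the last dot-separated field
      n = split($4, l, "."); if (l[n] != port) next
      # rebuild the remote IP from everything before its last dot
      m = split($5, r, ".")
      rip = r[1]; for (i = 2; i < m; i++) rip = rip "." r[i]
      if (allow != "" && rip ~ allow) next
      print $6, rip
    }'
}

# Demo run on the constructed sample: only the two non-LAN peers are listed.
printf '%s\n' "$SAMPLE_NETSTAT" | vnc_peers 5900 '^192[.]168[.]1[.]'
```

Once a remote address is flagged, `lsof -i TCP:5900` shows which process owns the socket and `tcpdump -i en0 host <remote_ip>` shows whether any VNC traffic is actually flowing; the netstat state alone does not answer that.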

Mar 9, 2011 1:35 PM in response to jww2

If you have Screen Sharing enabled but you do NOT allow a VNC password, then connections are done via a secure username/password exchange; however, all VNC traffic after that is in the clear. The Screen Sharing client initiating a Screen Sharing connection can set a Screen Sharing client preference to encrypt the entire connection.

If you have Screen Sharing enabled with Allow VNC connections using password, then for VNC sessions no username is needed, and the password is sent in the clear. Plus the entire VNC session is also done in the clear.

It is possible to encrypt VNC sessions over an ssh tunnel, which involves using the ssh port 22 instead of the VNC port 5900. There are any number of posts in these forums describing how to set up a secure VNC connection over ssh tunnels.

Another approach to encrypting VNC sessions is to use a Hamachi VPN setup (Hamachi from LogMeIn.com).

Another screen sharing approach is to use TeamViewer.com (encrypted connections), or LogMeIn.com (also encrypted connections).

Mar 9, 2011 2:06 PM in response to jww2

One more thing, if user/password combo is required (when allow all users to connect with password is not checked) then does it matter if the screen is locked or not, seeing as how the same name/password combo is used to unlock the screen?

Seems like there should be separate passwords.

Mar 9, 2011 6:08 PM in response to jww2

Thanks. Is the consensus that screen sharing does not log successful / unsuccessful connections? Is there no penalty / guard against brute force password attempts?

If you are connecting using the Mac OS X Screen Sharing client, entering your username and password, then a failed connection attempt will generate /var/log/system.log entries such as:

Mar 9 20:32:51 <yourMacshostname> DirectoryService[11]: Failed Authentication return is being delayed due to over five recent auth failures for username: <theusername_used_to_try_loggingin>.

However, if you allow VNC password ONLY connections, there is NO logging of failed attempts.

Then again, if you ONLY open the ssh port (22), then use ssh to connect, you will have secure connections, and failed logins will be recorded in /var/log/secure.log

ssh -L 22590:localhost:5900 username@your.mac.address

then Finder -> Go -> Connect to server -> vnc://localhost:22590

Anyone trying to connect to port 22 that does not succeed will be logged. And your tunnelled VNC connection will be totally encrypted. You can also tunnel file server connections:

ssh -L 22590:localhost:5900 -L 22548:localhost:548 username@your.mac.address

then Finder -> Go -> Connect to server -> vnc://localhost:22590 for VNC
and Finder -> Go -> Connect to server -> afp://localhost:22548 for file sharing
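The reply above names the one trace that an OS-account login attempt through Screen Sharing leaves: a DirectoryService line in /var/log/system.log once more than five recent failures have accumulated for a username. The script below is an added example, not part of the original thread: it runs over constructed system.log lines in that format and reports, per username, how many such throttling messages appeared and when the last one was seen, which is the quickest way to see whether someone has been guessing account passwords. Hostnames, usernames and timestamps in the sample are made up.

```shell
#!/bin/sh
# Constructed system.log excerpt in the format quoted in the reply above.
# Real use: auth_failure_summary < /var/log/system.log
SAMPLE_SYSLOG='Mar  9 20:32:51 mymac DirectoryService[11]: Failed Authentication return is being delayed due to over five recent auth failures for username: jww2.
Mar  9 20:33:02 mymac DirectoryService[11]: Failed Authentication return is being delayed due to over five recent auth failures for username: admin.
Mar  9 20:33:15 mymac kernel[0]: unrelated message
Mar  9 20:33:40 mymac DirectoryService[11]: Failed Authentication return is being delayed due to over five recent auth failures for username: jww2.'

# auth_failure_summary
# Reads syslog lines on stdin and prints "USERNAME COUNT LAST_SEEN" for
# every username that triggered the DirectoryService auth-failure delay.
# Note that each line already means more than five failures, so COUNT is
# a lower bound on the number of guesses, not the number of guesses.
# Password-only VNC logins never produce this line at all.
auth_failure_summary() {
  awk '
    /DirectoryService\[[0-9]+\]: Failed Authentication return is being delayed/ {
      u = $NF; sub(/[.]$/, "", u)          # username is the last word, minus the trailing period
      count[u]++
      last[u] = $1 " " $2 " " $3           # month, day, time of the latest message
    }
    END { for (u in count) print u, count[u], last[u] }' | sort
}

# Demo run on the constructed sample.
printf '%s\n' "$SAMPLE_SYSLOG" | auth_failure_summary
```

If the only names reported are ones you never use over Screen Sharing, that is a strong sign of a guessing campaign rather than your own typos; in either case the throttling only slows the attacker down, and closing the port or moving to an ssh tunnel is the real fix.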

Mar 9, 2011 6:42 PM in response to jww2

One more thing, if user/password combo is required (when allow all users to connect with password is not checked) then does it matter if the screen is locked or not, seeing as how the same name/password combo is used to unlock the screen?

Correct.
Seems like there should be separate passwords.

Why? How insecure a password are you planning on using that someone is going to gain access?

Besides what if the screen saver is NOT running (as in they managed to get in just after you walked away and the screen saver has not started yet)?

And if they can get through your username/password, then can't they get through your screen saver password? So then it would seem you need yet another layer of password, but wait, what if they get through that one, etc....

It is better to just have a very secure initial password.
