jalopy

Q: Can VNC access be allowed safely?

I recently came home and noticed that my iMac was doing something odd. It looked like someone was remotely controlling the desktop and displaying something that had to do with accessing a Wells Fargo Bank account through a browser. I pulled the ethernet cable and rebooted the machine, and after a forced restart found that there was some sort of remote screen control app installed on my machine (I didn't make notes and don't remember what the app was called), and my backup drive was locked. Fortunately the backup drive was just an issue of editing the owner permissions. I wiped the drive, reinstalled OS X (El Capitan), recovered my data from a backup, and everything seems okay.

 

What I'd like to know is whether or not there's a safe way to allow remote access to my machine. I have always had ssh and vnc enabled, and port forwarding enabled for these services on my router, so that I can access my machine remotely. I have no idea how my machine was broken into, but I'm assuming it was by guessing the vnc password. (The vnc password was also the admin password, which would explain how they were able to install software.) Are there known vulnerabilities to vnc on El Capitan that allow someone access without the password? Is repeatedly trying different passwords an effective attack in this case? Enabling two-factor authorization should take care of password guessing if that's the issue.

 

I would really like to be able to continue accessing my machine remotely, but only if it can be done more securely. Thanks for any helpful guidance on how that might be accomplished.

iMac with Retina 5K display, OS X El Capitan (10.11.5)

Posted on Jun 17, 2016 12:07 PM


  • by Linc Davis, Apple recommended
    Linc Davis, Level 10 (207,926 points), Applications
    Jun 17, 2016 5:08 PM in response to jalopy
  • by jalopy
    jalopy, Level 1 (11 points), Mac OS X
    Jun 17, 2016 5:08 PM in response to Linc Davis

    Thanks for the links. Can you tell me how Back to My Mac is different from enabling screen sharing and port forwarding? It sounds like it's the same thing with the added benefit that iCloud provides a convenient way to locate your other machines even if your ISP changes your IP address. (I use dynamic DNS for the same purpose.) Is Back to My Mac somehow fundamentally more secure than using screen sharing and port forwarding?

  • by Linc Davis
    Linc Davis, Level 10 (207,926 points), Applications
    Jun 17, 2016 8:02 PM in response to jalopy

    If you use two-factor authentication, it's definitely more secure.

  • by jalopy
    jalopy, Level 1 (11 points), Mac OS X
    Jun 17, 2016 10:33 PM in response to Linc Davis

    Thanks, I understand that. Independent of using two-factor authentication I'm wondering whether there's a security difference between using Back to My Mac, and enabling screen sharing with port forwarding.

  • by jalopy, Apple recommended
    jalopy, Level 1 (11 points), Mac OS X
    Jun 18, 2016 12:02 PM in response to jalopy

    I'll add a partial reply to my own post. I misunderstood how broadly Apple's two-factor authentication was applied - as I currently understand it, it's actually limited to logging into iCloud. Enabling screen sharing and using port forwarding allows you to login remotely with just a password - Apple's two-factor authorization doesn't come into play. However, using screen sharing through Back to My Mac requires being logged into iCloud so it benefits from two-factor authorization.

  • by BobHarris, Helpful
    BobHarris, Level 6 (19,272 points), Mac OS X
    Jun 20, 2016 8:20 PM in response to jalopy

    Back-to-My-Mac and ssh both require that you know the username AND the password.  BTMM as you have observed can have additional factors to the login.

     

    BTMM and ssh both encrypt the entire connected session, including the username/password actions.

     

    VNC (AND I DO NOT MEAN Screen Sharing)

    VNC does NOT require a username, just the password.

    VNC  sends the password across the internet as clear text.  No encryption.

    VNC does NOT encrypt the rest of the session.  While VNC traffic is not clear text, it is not encrypted, so it can be viewed with the correct software.

     

    Screen Sharing does require a username/password, and the username/password exchange is encrypted.

    By default Screen Sharing does not encrypt the rest of the session, but you can go to the Screen Sharing preferences and change that.

     

    Back-to-My-Mac does not require you to open any ports in your router.  The initial connection is established via Apple servers, which facilitate finding the remote Mac, and then, after telling both systems where the other is located, the Apple servers step out of the way.

     

    ssh uses a known port (22) and will be the subject of constant probes, just like the VNC port (5900).

     

    I personally take advantage of the fact that every ssh client will allow you to specify an alternate port for the connection:

         ssh -p 23456 remote.host.name

         scp -P 23456 remote.host.name:file.to.copy /local/dir

         scp -P 23456 /local/dir/file.to.copy remote.host.name:/remote/dir

         sftp -P 23456 remote.host.name

    And every ssh GUI client I've seen also allows specifying the port to be used.

     

    Now you just tell your router to accept connections on port 23456 and direct them to port 22 on the Mac of your choice.  Most routers will allow you to do this internet port A directed to local Mac port B.

     

    Because you have NOT opened a known port on your router, it is much less likely to be probed non-stop looking for an opening.  This is NOT security, it is just keeping the useless noise to a minimum.

     

    23456 is just an example of a high port number.  Just pick a number less than 65535 and you should be fine.

     

    Since you are using ssh, why not tunnel your VNC transport over ssh, and then you do NOT need to open the VNC port on your router at all.  And as an added benefit, all your VNC traffic is encrypted including the password on the initial connection.

     

         ssh -p 23456 -L 34567:localhost:5900 remote.host.name

         open vnc://localhost:34567

     

    The ssh command will establish an ssh connection to the remote Mac using the 23456 router port you have opened and directed to port 22 of the remote Mac.

    The -L 34567:localhost:5900 ssh option will create an encrypted ssh tunnel connecting the local Mac's port 34567 to the remote Mac's port 5900 (the remote Mac's VNC port).

     

    At no time will your remote Mac's VNC port be exposed to the internet, as you will not have opened 5900 on your router.  You will ONLY be able to access it via the ssh tunnel, and the ssh connection is much more secure than VNC, especially if you use a good password, and you take the precaution of using a non-standard port on your router for ssh connections.

     

    You can create multiple tunnels on the same ssh command line.  For example, you could create a file sharing tunnel as well:

         ssh -p 23456 -L 34567:localhost:5900 -L 45678:localhost:548 remote.host.name

         open afp://localhost:45678

         open vnc://localhost:34567

    This will create 2 tunnels.  One for VNC, and one for Appleshare File Protocol (AFP).

    The open commands will start a file sharing connection and a VNC connection to the remote Mac using the ssh tunnels.  Again, you do not open any new ports, just the ssh port and all communications are encrypted end-to-end.

     

    If you are using a non-Mac computer to make these connections, then you will have to use my suggestions as a guide, and translate them to the PuTTY or Linux or other Unix command set.

     

    All non-standard high port numbers are examples, and you should choose for yourself, just so long as you can remember them.
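The tunnel setup BobHarris describes above, wrapped into a small POSIX sh script. This is an added example, not code from the post, from Apple or from any project; it keeps the post's placeholder host name remote.host.name and its example ports (router port 23456 forwarded to the Mac's port 22, local 34567 to VNC on 5900, local 45678 to AFP on 548) and adds what a practitioner would want around the bare ssh -L line: the tunnel entrance bound explicitly to loopback, -N -f with ExitOnForwardFailure=yes so a failed forward does not leave a useless session behind, validation of the port numbers, and a check that the local end is actually listening before the vnc:// or afp:// URL is opened. The function names and the LOCALPORT:REMOTEPORT argument format are my own conventions.

```shell
#!/bin/sh
# Added example (not from the post): open ssh tunnels to a Mac behind a router
# and only then launch the macOS Screen Sharing / file sharing clients.
#
# Assumptions, taken from the post above: the router forwards TCP 23456 to
# port 22 on the iMac, and remote.host.name is a placeholder for the
# dynamic-DNS name of that router. Both can be overridden via the environment.
SSH_PORT="${SSH_PORT:-23456}"
REMOTE="${REMOTE:-remote.host.name}"

# True if $1 is an integer in 1..65535.
valid_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Print the ssh command for one or more LOCALPORT:REMOTEPORT mappings.
#   -N   no remote command; the session exists only to carry the forwards
#   -f   go to the background after authentication so the script can continue
#   -o ExitOnForwardFailure=yes   fail loudly instead of leaving a session
#        whose forwards silently did not bind
#   -L 127.0.0.1:LOCAL:localhost:REMOTE   bind the tunnel entrance to loopback
#        explicitly, so nothing else on the local LAN can reach the remote Mac
#        through it (ssh defaults to loopback, but stating it costs nothing)
build_tunnel_cmd() {
    cmd="ssh -p $SSH_PORT -f -N -o ExitOnForwardFailure=yes"
    for map in "$@"; do
        cmd="$cmd -L 127.0.0.1:${map%%:*}:localhost:${map#*:}"
    done
    printf '%s\n' "$cmd $REMOTE"
}

# Map a LOCALPORT:REMOTEPORT pair to the URL the local client should open.
# Only the two services from the post are known: VNC (5900) and AFP (548).
url_for_mapping() {
    case "${1#*:}" in
        5900) printf 'vnc://localhost:%s\n' "${1%%:*}" ;;
        548)  printf 'afp://localhost:%s\n' "${1%%:*}" ;;
        *)    return 1 ;;
    esac
}

# Wait up to $2 seconds (default 10) for something to listen on loopback port $1.
wait_listening() {
    i=0
    while [ "$i" -lt "${2:-10}" ]; do
        if nc -z 127.0.0.1 "$1" >/dev/null 2>&1; then
            return 0
        fi
        i=$((i + 1))
        sleep 1
    done
    echo "port $1 never came up; is the ssh session alive?" >&2
    return 1
}

# Validate the mappings, start the tunnels, then open each client URL.
open_tunnels() {
    for map in "$@"; do
        valid_port "${map%%:*}" && valid_port "${map#*:}" || {
            echo "bad mapping: $map (want LOCALPORT:REMOTEPORT)" >&2
            return 1
        }
    done
    cmd=$(build_tunnel_cmd "$@")
    echo "+ $cmd" >&2
    $cmd || return 1          # unquoted on purpose: the words are ssh's argv
    for map in "$@"; do
        wait_listening "${map%%:*}" 10 || return 1
        url=$(url_for_mapping "$map") && open "$url"   # open(1) is macOS-only
    done
}

# Usage: sh tunnel.sh 34567:5900 45678:548
if [ $# -gt 0 ]; then
    open_tunnels "$@"
fi
```

Run it from the client Mac as shown in the usage comment; it prints the ssh command it is about to run, backgrounds the session once you have authenticated, and only opens Screen Sharing and the AFP share after confirming the loopback ports are listening. On a non-Mac client replace the open(1) call with your VNC and file sharing clients pointed at localhost and the same local ports; nc(1) is present on macOS and most Linux systems.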

  • by TomWickline
    TomWickline, Level 1 (8 points), Mac OS X
    Sep 5, 2016 8:48 AM in response to BobHarris

    I have fully ported PuTTY to Mac and it is certified by Softpedia as clean and virus free. I also have the application with screenshots listed on MacUpdate here: https://www.macupdate.com/app/mac/57638/putty

     

    Cheers,

    Tom