Hello,

I have browsed through the list with multiple queries. All seem to reach the same conclusion: nothing can be done about the fact that port 6001 (and up, if multiple instances are started) is left open for connection on all network interfaces.

One of my UNIX firewall servers was hacked over the weekend. I'm not saying VNC was the door the intruder used. I have restored a backup image and then tightened the server down further. I now have the server closed but for 3 ports with VNC off and 4 ports with VNC on. The ports are 21, 23 and 80; with VNC on, port 6001 is also open. Using telnet to hack at the ports, 21, 23 and 80 close immediately. Port 6001 stays open for a while and then closes. In that time I'm concerned that the X11 service at port 6001 is vulnerable to a buffer overflow attack. I'm not a network newbie, nor am I a network "expert"; but there must be a way to get the VNC service to listen only on one interface.

In reading through the mailing list archive and the FAQs, I'm now starting the VNC service as:

vncserver -interface <internal-ip-address>

I took the effort to download the 3.3.7 source code. There are two source files that refer to port 6000. I suspect the code could be modified to force the X11 server to listen on only the address specified by the "-interface" parameter. The source information is:

                 Version: 3.3.7
                 UNIX source.

                 File: Xvnc/programs/Xserver/hw/vnc/init.c
                 Function: CheckDisplayNumber
                 Line: 695
                 Fragment:  addr.sin_addr.s_addr = htonl(INADDR_ANY);

                 File: Xvnc/lib/xtrans/Xtransam.c
                 Function: MakeAmConnection
                 Line: 470
                 Fragment:  tcpconf.nwtc_remaddr = ipaddr;
                 ipaddr comes from phostname, which is passed into this function.


Could someone from VNC software development point me to the correct place to force VNC's X11 to listen on one network interface in a multiple-interfaced host? Or, better yet, post a patch or updated version of VNC that really addresses the issue.

For now, though, VNC only gets started when it is actually needed.

Thank you.

Tim

--
----------------------------------------------------------------------
Timothy E. Neto
Computer Systems Engineer              Komatsu Canada Limited
Ph#: 905-625-6292 x265                 1725B Sismet Road
Fax: 905-625-6348                      Mississauga, Ontario, Canada
E-Mail: [EMAIL PROTECTED]               L4W 1P9
----------------------------------------------------------------------
_______________________________________________
VNC-List mailing list
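Editor's note, added example (not code from the post, from RealVNC, or from the Xvnc 3.3.7 sources): the security point in the quoted CheckDisplayNumber fragment is the bind to INADDR_ANY, which makes the X11 socket answer on every interface of a multi-homed host regardless of what -interface was given. The C below contrasts that bind with a bind to one explicit address and checks the difference from the outside with a TCP connect, the same thing the post does by hand with telnet. Port 0 (kernel-assigned) is used so it runs anywhere; 127.0.0.1 and 127.0.0.2 stand in for the internal and external interfaces and are assumptions, as are the function names.

```c
/* Added example: INADDR_ANY bind (as in the quoted Xvnc fragment) versus a
 * bind to one explicit address, plus a connect-based check of who can reach it.
 * Assumptions: IPv4 loopback is up; 127.0.0.2 stands in for a second interface. */
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Open a TCP listener on port (0 = let the kernel pick). If ip is NULL the
 * socket is bound to INADDR_ANY, exactly the line the post quotes, and
 * answers on every interface; otherwise it answers only on that address.
 * Returns the listening fd, or -1 on error. */
int open_listener(const char *ip, uint16_t port) {
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0) return -1;
    int one = 1;
    setsockopt(fd, SOL_SOCKET, SO_REUSEADDR, &one, sizeof one);
    struct sockaddr_in addr;
    memset(&addr, 0, sizeof addr);
    addr.sin_family = AF_INET;
    addr.sin_port = htons(port);
    if (ip == NULL) {
        addr.sin_addr.s_addr = htonl(INADDR_ANY);  /* wildcard: all interfaces */
    } else if (inet_pton(AF_INET, ip, &addr.sin_addr) != 1) {
        close(fd);
        return -1;
    }
    if (bind(fd, (struct sockaddr *)&addr, sizeof addr) < 0 || listen(fd, 8) < 0) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Report the address and port the listener actually bound, i.e. what
 * "netstat -an" would show in its Local Address column. 0 on success. */
int bound_address(int fd, char *ipbuf, size_t iplen, uint16_t *port) {
    struct sockaddr_in addr;
    socklen_t len = sizeof addr;
    if (getsockname(fd, (struct sockaddr *)&addr, &len) < 0) return -1;
    if (inet_ntop(AF_INET, &addr.sin_addr, ipbuf, iplen) == NULL) return -1;
    *port = ntohs(addr.sin_port);
    return 0;
}

/* The telnet check from the post, automated: 1 if a TCP handshake to
 * ip:port completes (no accept() is needed for that), 0 otherwise. */
int can_connect(const char *ip, uint16_t port) {
    struct sockaddr_in addr;
    memset(&addr, 0, sizeof addr);
    addr.sin_family = AF_INET;
    addr.sin_port = htons(port);
    if (inet_pton(AF_INET, ip, &addr.sin_addr) != 1) return 0;
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0) return 0;
    int ok = connect(fd, (struct sockaddr *)&addr, sizeof addr) == 0;
    close(fd);
    return ok;
}

int main(void) {
    char ip[INET_ADDRSTRLEN];
    uint16_t port = 0;
    int any = open_listener(NULL, 0);         /* the Xvnc way */
    int one = open_listener("127.0.0.1", 0);  /* bound to a single address */
    if (any < 0 || one < 0) return 1;
    bound_address(any, ip, sizeof ip, &port);
    printf("INADDR_ANY listener: %s:%u (answers on every interface)\n", ip, port);
    bound_address(one, ip, sizeof ip, &port);
    printf("single-address listener: %s:%u, via 127.0.0.1 -> %d, via 127.0.0.2 -> %d\n",
           ip, port, can_connect("127.0.0.1", port), can_connect("127.0.0.2", port));
    close(any);
    close(one);
    return 0;
}
```

The practical check on the real host is the same as bound_address: after starting the server, look at the Local Address column of "netstat -an" for the 6000+display port; "0.0.0.0:6001" (or "*:6001") means the wildcard bind is still in effect and the -interface option has not reached the X11 socket. On Linux the whole 127/8 block is local, so the INADDR_ANY listener in the example also accepts the 127.0.0.2 connect, while the one bound to 127.0.0.1 refuses it.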
