Hi, I was just telling someone that without ssh, VNC is not secure, but no less secure than a telnet or hummingbird session. Then I thought about it and realize that maybe it isn't even that secure. When trying to log onto a unix box via some nonVNC way, the person can only try so many times before something happens (I'm not sure what, but I think the user is locked out, or there is a log of the multiple failed attempts). I don't feel like testing my system administrator's patience by experimenting. Is there a way to prevent an attacker from repeatedly trying to connect to a vnc server? Unless the number of failed attempts are limited, someone could probably write a script to run through randomly generated passwords until a connection is made. Of course, he/she must know the display number to properly specify the server, but if VNC becomes popular, a user with an account on the same system can easily query the system to find what VNC processes are running, as well as their corresponding display numbers AND process owners. That goes a long way towards being able to make repeated attempts to connect.
Fred -------------------------------------------------------------------------- Fred Ma Department of Electronics Carleton University, Mackenzie Building 1125 Colonel By Drive Ottawa, Ontario Canada K1S 5B6 [EMAIL PROTECTED] ========================================================================== --------------------------------------------------------------------- To unsubscribe, mail [EMAIL PROTECTED] with the line: 'unsubscribe vnc-list' in the message BODY See also: http://www.uk.research.att.com/vnc/intouch.html ---------------------------------------------------------------------
