[ On Monday, May 20, 2002 at 11:09:22 (-0700), Matthew Scholtz wrote: ]
> Subject: VNC security on Win
>
 > Hello All,
 > 
 > I'm sure this has been asked a million times before, but since
 > there don't seem to be any archives available for this list, I have
 > no choice but to ask it again.  Forgive the redundancy.
 > 
 > My main concern with VNC is the possibility for brute-force attacks
 > on the password, since as far as I know VNC does not have any
 > functionality to allow only x password attempts before taking some
 > sort of defensive action.  I'm not so worried about encrypting all
 > of the traffic, since in most cases I can set it up so that sending
 > truly sensitive text during a session is not necessary.  But
 > someone getting access via a brute-force attack would be a
 > disaster.
 > 
 > I know about the possibility of using SSH (and the possibility of
 > doing this on Win using CygWin.)
 > 
 > What I'm wondering is: short of that, is there any reliable way
 > under Win to protect against repeated password attempts?  What
 > about in any of the offshoot VNC distributions?  How have others
 > addressed this issue?

Hm. "My" VNC Windows server source (TightVNC 1.2.3, but also AFAIR
AT&T VNC 3.3.3R9) does have some brute force password detection. It
adds an increasing timeout for each host that tries to connect for
every invalid password attempt.

This is not perfect (does not protect against distributed attacks from
different hosts), but it is quite effective.

I think that this is about what you can get with reasonable effort.

CU, Joe
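
The per-host increasing timeout described in the reply above, sketched as an added example (not TightVNC or AT&T VNC source, and not part of the original message); the class name, the doubling schedule and the constants are assumptions. The simulation also shows the stated limitation: the delay is tracked per host, so guesses spread across many hosts are not slowed down.

```cpp
#include <algorithm>
#include <cstdint>
#include <map>
#include <string>

// Added illustration, not TightVNC or AT&T VNC source. All constants are assumed.
constexpr int64_t kBaseDelay = 1;    // seconds of lockout after the first failure
constexpr int64_t kMaxDelay = 3600;  // upper bound on a single lockout

class AuthThrottle {
public:
    // Seconds the host must still wait; 0 means an attempt may be evaluated now.
    int64_t secondsBlocked(const std::string& host, int64_t now) const {
        auto it = hosts_.find(host);
        if (it == hosts_.end() || now >= it->second.blockedUntil) return 0;
        return it->second.blockedUntil - now;
    }
    // Bad password: the lockout doubles with every failure from this host, up to the cap.
    void recordFailure(const std::string& host, int64_t now) {
        Entry& e = hosts_[host];
        int shift = std::min(e.failures++, 20);
        e.blockedUntil = now + std::min(kBaseDelay << shift, kMaxDelay);
    }
    // Good password: forget the host's failure history.
    void recordSuccess(const std::string& host) { hosts_.erase(host); }
private:
    struct Entry { int failures = 0; int64_t blockedUntil = 0; };
    std::map<std::string, Entry> hosts_;
};

// Constructed simulation: `hosts` clients each retry a wrong password once per second
// whenever they are not locked out. Returns how many guesses the server evaluated.
int guessesEvaluated(int hosts, int64_t windowSeconds) {
    AuthThrottle throttle;
    int evaluated = 0;
    for (int64_t t = 0; t < windowSeconds; ++t)
        for (int h = 0; h < hosts; ++h) {
            std::string host = "198.51.100." + std::to_string(h);  // documentation range
            if (throttle.secondsBlocked(host, t) != 0) continue;
            ++evaluated;
            throttle.recordFailure(host, t);
        }
    return evaluated;
}
```

With these assumed constants a single host gets 6 guesses evaluated in 60 seconds, while 10 hosts together get 60, which is why a per-host delay is usually paired with a strong password or a tunnel such as SSH.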