More info on Managing remote VNC connections safely (was Re: Firewall Connection)

James Sentman james at sentman.com
Sat May 9 08:30:00 EDT 2020


So just some more info on this: There are 2 reasons that running SSH passed through to the internet is fairly safe. Right now my machine has that passed through and is being hammered by stupid people running scripts against the well known passwords database, but almost without exception the user they are hitting me with is root. There is no root ssh login even turned on in MacOS so it doesn't matter how often they are refused or how long they try, even if my password is on that list (and it's not, because you can google for the list and download it and make sure!) there will never be a root login. If your user and password are on the list then they could guess your short username if you are just using your first and last name concatenated, and so then you might be in trouble, so do verify that your short user name is not obvious from your email address and that whatever password you're using is not in the well known passwords database.

The main reason that you do not want to leave VNC just passed through to the internet on its default port is that it doesn't really use usernames as far as I can tell, so they don't have to match that, only hit a password. Additionally there seems to be a bug with it that causes a large load at least on its own networking traffic when it's being hammered like that. Even just receiving a few connection attempts a minute, which is nothing, my throughput to screen sharing on my house mac was horrible. I regularly upload new builds of XTension to it either via screen sharing and just dragging and dropping the file into it, which normally works great, and then also via regular file sharing. Both things turned to molasses while it was being hit from outside like that. I can normally get upwards of 70 megs a second file sharing throughput to that machine from this one over the gigabit ethernet pipe between my office and the closet; with them hammering on screen sharing it would only support a few hundred k a second or less. It was quite frustrating until I figured out what was happening. As soon as I shut down the router passthrough on the VNC port the problem went away.

So for now I keep screen sharing turned on for use inside the network, but keep ssh turned on shared to the internet as it seems to be able to happily reject all those scripts out there without any effect on the machine. When working with it in the house I can VNC normally as I'm on the same subnet, but from the outside I need to start an SSH tunnel. This is better than just turning VNC on and off as all the traffic back and forth is therefore encrypted as well. I don't notice much or any difference in the screen sharing speed when doing it over an SSH connection. You can look up all the examples of starting an SSH tunnel from your laptop to elsewhere, but you would run something like this on the remote laptop:

ssh -L 5901:127.0.0.1:5900 youruser@you.dyndns.net

The normal VNC port is 5900. So what I'm now telling SSH to do is to listen on port 5901 on my laptop, forward that over the secure connection and then connect it to port 5900 on the localhost that I am ssh'ing to. Once that is up (and you'll get just a normal ssh shell after that with no further indication that it is running), you just start up vnc on your laptop but instead of connecting to your dyndns type address you connect to localhost:5901 and magically you're connected to the remote machine without having to have a passthrough or to expose anything but ssh to the outside world. You can also expose your web interfaces this way by the way. I have done that in the past but don't do it regularly as there is no easy way to connect to that on iOS devices and there is an extra step in the regular connection of starting up that command. You'd run the same thing but replace the ports: instead of 5901 for the local port you might use 8080, and instead of the 5900 for the port on the server you'd use whatever port you have the web remote running on. Then in Safari you'd connect to localhost:8080 and you'd instead actually be talking to your remote machine.
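A small shell wrapper for the tunnel described above, for both the screen-sharing case and the web-interface case. This is an added example, not code from the original post or from XTension; the user, the dyndns host and the remote web port are placeholders, and the only options it adds beyond the post's own command are standard OpenSSH ones (-N, -f and ExitOnForwardFailure).

```shell
#!/bin/sh
# Added example (not from the original mailing-list post): a wrapper around
# the "ssh -L" tunnel the thread describes. "youruser@you.dyndns.net" and the
# remote web port are placeholders; 5900 is VNC's default port, and 5901/8080
# are the local ports used in the thread.

# Accept only a numeric TCP port in 1..65535.
is_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Print the ssh command that forwards LOCALPORT on this laptop to REMOTEPORT
# on the remote Mac's own loopback interface.
#   -N                        forward only, do not open a remote shell
#   ExitOnForwardFailure=yes  exit instead of silently running without the
#                             forward (e.g. LOCALPORT already taken here)
#   127.0.0.1: on the local side  bind the listener to loopback only, so other
#                             machines on whatever LAN the laptop is on cannot
#                             ride the tunnel into your VNC server
tunnel_cmd() {
    is_port "$1" && is_port "$2" && [ -n "$3" ] || {
        echo "usage: tunnel_cmd LOCALPORT REMOTEPORT user@host" >&2
        return 1
    }
    printf 'ssh -N -o ExitOnForwardFailure=yes -L 127.0.0.1:%s:127.0.0.1:%s %s\n' \
        "$1" "$2" "$3"
}

# The two cases from the thread.
vnc_tunnel() { tunnel_cmd 5901 5900 "$1"; }   # then point the VNC client at localhost:5901
web_tunnel() { tunnel_cmd 8080 "$2" "$1"; }   # then point Safari at http://localhost:8080

# Actually start a tunnel in the background (-f) and say where to connect.
# Needs a reachable ssh host, so it is only for interactive use.
start_tunnel() {
    is_port "$1" && is_port "$2" && [ -n "$3" ] || return 1
    ssh -f -N -o ExitOnForwardFailure=yes -L "127.0.0.1:$1:127.0.0.1:$2" "$3" &&
        echo "tunnel up: connect your client to localhost:$1"
}

# Usage: start_tunnel 5901 5900 youruser@you.dyndns.net
```

Two differences from the post's one-liner, both deliberate: -N means you get no shell, only the forward (drop it if you want the shell too), and binding the local side to 127.0.0.1 keeps the forwarded port from being reachable by anything except the laptop itself.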

There are several iOS apps that can also connect over an SSH tunnel like that. The one I’m currently using is called “remoter pro” and did cost a few bucks. I don’t use it often as the interface for using a desktop machine over vnc on an iPhone is pretty horrible. It does work in a pinch though if you don’t have your laptop with you.

If you would still rather manage it via turning the vnc subsystem on and off via the command line and don't want to embed your admin password in the script then there is still a way to do it. You can use the same technique I did in the instructions for installing the new Alexa plugin. You need to add the command (whatever it is, I haven't actually ever looked that up) to the list of commands that your user is allowed to run as sudo without having to enter the password. You still have to use the sudo command, but you will not then be asked for the password nor do you have to include it in the command. Have a look at those install instructions here:

https://machomeautomation.com/doku.php/supported_hardware/alexasudo#edit_your_sudoers_file

But instead of the long path to the XTension Alexa plugin use the path to the command. You can find out the full path to the command by using the “which whateverTheCommandIs” command and it will output the path in the terminal for you.

Then you can issue the command without having to give the password. But then so can anyone else logged in as you ;) I figure if they are already sitting at the machine physically or logged in via SSH then you've got bigger problems than also giving them VNC access at that point though ;)
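The sudoers change described above, as an added example that is not part of the original post or of the linked XTension instructions. The user name, the command path and the file name under /etc/sudoers.d are placeholders; the one point it adds is that the rule can pin the command's arguments as well as its path, which narrows what "anyone else logged in as you" gets out of it.

```shell
#!/bin/sh
# Added example (not from the original post): build and install a sudoers
# rule that lets one user run one command without a password, as the thread
# describes for the Alexa plugin. "youruser", the command path and the
# /etc/sudoers.d file name are placeholders.

# Resolve a bare command name to its full path (what `which` prints).
resolve_cmd() { command -v "$1"; }

# Print a sudoers rule: USER may run CMD (full path) as root with no
# password. Any further arguments are baked into the rule, so sudo will
# accept exactly that invocation and nothing else; with no arguments listed,
# sudo accepts the command with ANY arguments, which is a much wider grant.
sudoers_rule() {
    [ $# -ge 2 ] || { echo "usage: sudoers_rule USER /full/path/cmd [args...]" >&2; return 1; }
    user=$1; cmd=$2; shift 2
    case "$cmd" in
        /*) ;;
        *) echo "sudoers needs the full path; try: resolve_cmd $cmd" >&2; return 1 ;;
    esac
    if [ $# -gt 0 ]; then
        printf '%s ALL=(root) NOPASSWD: %s %s\n' "$user" "$cmd" "$*"
    else
        printf '%s ALL=(root) NOPASSWD: %s\n' "$user" "$cmd"
    fi
}

# Write the rule as its own file under /etc/sudoers.d, checking it with
# visudo first so a typo cannot leave sudo unusable. Never hand-edit
# /etc/sudoers for this. (Placeholder file name; needs sudo to install.)
install_rule() {
    rule=$(sudoers_rule "$@") || return 1
    tmp=$(mktemp) || return 1
    printf '%s\n' "$rule" > "$tmp"
    visudo -cf "$tmp" && sudo install -m 0440 "$tmp" /etc/sudoers.d/xtension-screensharing
    status=$?
    rm -f "$tmp"
    return $status
}

# Usage: install_rule youruser "$(resolve_cmd whateverTheCommandIs)" -its -exact -arguments
```

Whether macOS reads /etc/sudoers.d depends on the `#includedir` line in its stock /etc/sudoers; `visudo -c` with no file argument will confirm the rule is picked up. Listing the exact arguments is the part worth keeping: it turns "this user can run X as root" into "this user can run this one invocation of X as root".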


> On May 8, 2020, at 1:02 PM, Thomas Arman <tarman at me.com> wrote:
> 
>> Secondly, is there a solution to turn on/off Screen Sharing without including the admin password in my script? I know that I can use a "do shell script" feature to do this but I would have to include the admin password to my knowledge.
>> 
>> The reason that I ask this is that in September, we have a trip planned and will be going to an island in the Caribbean for our twentieth anniversary. We'll have a "House Sitter" for an entire week and while I have all external addresses currently blocked, I would love to be able to activate "Screen Sharing" when needed but not leave it on constantly. By blocking a lot of countries who are known for this kind of activity, I'm hoping to minimize the threat. If I could use "WebRemote" to initiate "Screen Sharing", this would be optimal.
>> 
>> I know some of you are in security so I’m hoping to get a solution, even if it’s not what I’m currently working on.  :)
> 

Thanks,
 James


James Sentman                       http://www.PlanetaryGear.org		http://MacHomeAutomation.com
