Score:0

Infinite and continuous intrusion (attack) attempts through the VNC server


I have previously posted the following question.

For reasons of unknown cause, a huge size of syslog continues to be created

I hastily concluded that this problem was caused by docker, but the same problem continued to occur, so I tried to investigate a little more.

As a result of checking the log in real time through the journalctl -f command,

When I turned on screen sharing,

11mon 09 10:43:17 bio507-3 vino-server[3584]: 09/11/2021 10h 43m 17s      haumea.vds.sh
11mon 09 10:43:17 bio507-3 vino-server[3584]: 09/11/2021 10h 43m 17s      106.246.244.122
11mon 09 10:43:17 bio507-3 vino-server[3584]: 09/11/2021 10h 43m 17s      haumea.vds.sh
11mon 09 10:43:17 bio507-3 vino-server[3584]: 09/11/2021 10h 43m 17s      221.165.214.185
11mon 09 10:43:17 bio507-3 vino-server[3584]: 09/11/2021 10h 43m 17s      haumea.vds.sh
11mon 09 10:43:17 bio507-3 vino-server[3584]: 09/11/2021 10h 43m 17s      haumea.vds.sh
11mon 09 10:43:17 bio507-3 vino-server[3584]: 09/11/2021 10h 43m 17s      43.251.104.11
11mon 09 10:43:17 bio507-3 vino-server[3584]: 09/11/2021 10h 43m 17s      haumea.vds.sh
11mon 09 10:43:17 bio507-3 vino-server[3584]: 09/11/2021 10h 43m 17s Client Protocol Version 3.3
11mon 09 10:43:17 bio507-3 vino-server[3584]: 09/11/2021 10h 43m 17s [IPv4] Got connection from client haumea.vds.sh
11mon 09 10:43:17 bio507-3 vino-server[3584]: 09/11/2021 10h 43m 17s   other clients:
11mon 09 10:43:17 bio507-3 vino-server[3584]: 09/11/2021 10h 43m 17s      185.245.42.163
11mon 09 10:43:17 bio507-3 vino-server[3584]: 09/11/2021 10h 43m 17s      haumea.vds.sh
11mon 09 10:43:17 bio507-3 vino-server[3584]: 09/11/2021 10h 43m 17s      haumea.vds.sh
11mon 09 10:43:17 bio507-3 vino-server[3584]: 09/11/2021 10h 43m 17s      203.62.155.99
11mon 09 10:43:17 bio507-3 vino-server[3584]: 09/11/2021 10h 43m 17s      haumea.vds.sh
11mon 09 10:43:17 bio507-3 vino-server[3584]: 09/11/2021 10h 43m 17s      87.251.75.138
11mon 09 10:43:17 bio507-3 vino-server[3584]: 09/11/2021 10h 43m 17s      haumea.vds.sh
11mon 09 10:43:17 bio507-3 vino-server[3584]: 09/11/2021 10h 43m 17s      106.246.244.122
11mon 09 10:43:17 bio507-3 vino-server[3584]: 09/11/2021 10h 43m 17s      haumea.vds.sh
11mon 09 10:43:17 bio507-3 vino-server[3584]: 09/11/2021 10h 43m 17s      221.165.214.185
11mon 09 10:43:17 bio507-3 vino-server[3584]: 09/11/2021 10h 43m 17s      haumea.vds.sh
11mon 09 10:43:17 bio507-3 vino-server[3584]: 09/11/2021 10h 43m 17s      haumea.vds.sh
11mon 09 10:43:17 bio507-3 vino-server[3584]: 09/11/2021 10h 43m 17s      43.251.104.11
11mon 09 10:43:17 bio507-3 vino-server[3584]: 09/11/2021 10h 43m 17s      haumea.vds.sh
11mon 09 10:43:17 bio507-3 vino-server[3584]: Deferring authentication of '185.245.42.163' for 5 seconds
11mon 09 10:43:17 bio507-3 vino-server[3584]: VNC authentication failure from 'haumea.vds.sh'
11mon 09 10:43:17 bio507-3 vino-server[3584]: 09/11/2021 10h 43m 17s rfbAuthPasswordChecked: password check failed
11mon 09 10:43:18 bio507-3 vino-server[3584]: 09/11/2021 10h 43m 18s Client Protocol Version 3.7
11mon 09 10:43:18 bio507-3 vino-server[3584]: 09/11/2021 10h 43m 18s Advertising security type 18
11mon 09 10:43:18 bio507-3 vino-server[3584]: 09/11/2021 10h 43m 18s Advertising security type 2

When I turned off screen sharing,

11mon 09 10:47:14 bio507-3 vino-server[3584]: 09/11/2021 10h 47m 14s rfbAuthPasswordChecked: password check failed
11mon 09 10:47:15 bio507-3 vino-server[3584]: 09/11/2021 10h 47m 15s Client Protocol Version 3.7
11mon 09 10:47:15 bio507-3 vino-server[3584]: 09/11/2021 10h 47m 15s Advertising security type 18
11mon 09 10:47:15 bio507-3 vino-server[3584]: 09/11/2021 10h 47m 15s Advertising security type 2
11mon 09 10:47:15 bio507-3 vino-server[3584]: 09/11/2021 10h 47m 15s Client returned security type 2
11mon 09 10:47:15 bio507-3 vino-server[3584]: Deferring authentication of 'haumea.vds.sh' for 5 seconds
11mon 09 10:47:17 bio507-3 systemd[2970]: Stopping Vino VNC server...
11mon 09 10:47:17 bio507-3 systemd[2970]: Stopped Vino VNC server.

When Ubuntu's screen sharing was released, it was found that the issue disappeared.

This leads to the estimation that the security of sharing provided by Ubuntu is weak. In other words, it is estimated that someone automatically attempts to log in to my Ubuntu server using the program.

I want to allow only VNC access of a specific IP to prevent this. (The IP for remote control of my server is fixed.)

I did a lot of googling, but I couldn't find any proper information about it.

I'm using vino, and I want to know how to block VNC login attempts from unauthorized IPs.

Thank you.

Organic Marble: You can tunnel the vnc connection over ssh.
and use fail2ban
Score:0

VNC itself is not a very secure protocol. The best recommendation is to tunnel VNC access over SSH and not open VNC to your network.

Additionally, if your ssh port is getting attacked, it is fairly easy to install fail2ban and add a jails.local file to block repeated login attempts.

Finally, if you want to limit access to specific IPs or a specific range of IPs, you should install a firewall like ufw or firewalld and configure it.
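
Added example (not part of the answer above, and not vino or fail2ban code): a Python script that tallies vino-server connection and authentication events per client from journalctl output like the question's, and lists every client that is not on an allowlist. The sample lines are copied from the question's log; the allowlist address 192.0.2.10 is an assumed placeholder for the fixed remote-control IP.

```python
import re
from collections import Counter

# Sample lines copied from the journalctl output quoted in the question.
SAMPLE_LOG = """\
11mon 09 10:43:17 bio507-3 vino-server[3584]: 09/11/2021 10h 43m 17s [IPv4] Got connection from client haumea.vds.sh
11mon 09 10:43:17 bio507-3 vino-server[3584]: Deferring authentication of '185.245.42.163' for 5 seconds
11mon 09 10:43:17 bio507-3 vino-server[3584]: VNC authentication failure from 'haumea.vds.sh'
11mon 09 10:43:17 bio507-3 vino-server[3584]: 09/11/2021 10h 43m 17s rfbAuthPasswordChecked: password check failed
11mon 09 10:47:15 bio507-3 vino-server[3584]: Deferring authentication of 'haumea.vds.sh' for 5 seconds
11mon 09 10:47:17 bio507-3 systemd[2970]: Stopping Vino VNC server...
"""

# Assumption: placeholder (documentation range) for the admin's fixed IP.
ALLOWED_CLIENTS = {"192.0.2.10"}

# Only vino-server lines count; each pattern captures the client identifier.
EVENTS = {
    "connect": re.compile(
        r"vino-server\[\d+\]: .*Got connection from client (\S+)"),
    "auth_failure": re.compile(
        r"vino-server\[\d+\]: VNC authentication failure from '([^']+)'"),
    "auth_deferred": re.compile(
        r"vino-server\[\d+\]: Deferring authentication of '([^']+)'"),
}


def tally(log_text):
    """Return {client: Counter(event -> count)} for vino-server lines."""
    clients = {}
    for line in log_text.splitlines():
        for event, pattern in EVENTS.items():
            match = pattern.search(line)
            if match:
                clients.setdefault(match.group(1), Counter())[event] += 1
                break
    return clients


def unexpected_clients(log_text, allowed=ALLOWED_CLIENTS):
    """List (client, event_count) for clients off the allowlist, noisiest first."""
    rows = [(client, sum(events.values()))
            for client, events in tally(log_text).items()
            if client not in allowed]
    return sorted(rows, key=lambda row: (-row[1], row[0]))


if __name__ == "__main__":
    for client, count in unexpected_clients(SAMPLE_LOG):
        print(f"{client}\t{count} events")
```

The log records some clients by hostname rather than by address, so an entry such as haumea.vds.sh has to be resolved to an IP before it can be compared against a firewall rule.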
