How secure is it running a VNC service?

Soldato
Joined
14 Aug 2018
Posts
3,374
I've run a VNC service for years but recently hadn't done so due to issues with Win10 working with the TigerVNC variant I used. I thought I'd try the original TightVNC that I used to use and it worked great.

During my initial setup and test phase I configured the service with just a simple one letter lower case character to make it quick and easy to test. Before I could configure it with my normal 14 character password (with symbols, numbers etc) somebody hacked into my computer and took control. I wasn't too surprised and found it quite interesting, as I've read about this before, so watched to see what they would do. They opened a browser and went to PayPal.com, no doubt to do a transfer to an account. I then shut them down, though my PayPal password is never stored (or any other bank/money details).

It got me thinking whether my normal 14 character password would prove too much for current hacking tools. If you google "VNC Hacked" you see pages that blatantly offer several tools to hack VNC logins.
 
Soldato
OP
Joined
14 Aug 2018
Posts
3,374
Use a VPN. Don't leave things like that open to the world.
As far as I know a VPN won't allow me to control my computer from my phone, which is what I currently do via VNC. I could use Remote Desktop though that did not work well with multiple monitors and I'm running 4.
I have a VPN server running on my Asus AC68U router.
 
Associate
Joined
11 Jul 2011
Posts
754
I mean you should be basically fine unless you aren't using the full program and some hacked together crap.

You can set the port to any you wish and behind a NAT firewall unless someone is specifically targeting you then they won't go past the hassle of scanning past the basic 1-1000 scan that they do. I used VNC for years before switching to built in remote desktop and never had any issues.
 
Associate
Joined
19 Jul 2011
Posts
2,343
As far as I know a VPN won't allow me to control my computer from my phone, which is what I currently do via VNC. I could use Remote Desktop though that did not work well with multiple monitors and I'm running 4.
I have a VPN server running on my Asus AC68U router.

You load a VPN client on your phone (Android had them built in) and only VNC after that. Leaving VNC on the live internet is asking for attack attempts.
 
Soldato
OP
Joined
14 Aug 2018
Posts
3,374
You load a VPN client on your phone (Android had them built in) and only VNC after that. Leaving VNC on the live internet is asking for attack attempts.
Ok, I have a VPN client on my phone that I normally just use to connect back to my network when I'm abroad so I can watch iPlayer or I'm on an unsecure WiFi etc.

So do I configure VNC so that it can only be accessed from my network?
 
Associate
Joined
19 Jul 2011
Posts
2,343
Ok, I have a VPN client on my phone that I normally just use to connect back to my network when I'm abroad so I can watch iPlayer or I'm on an unsecure WiFi etc.

So do I configure VNC so that it can only be accessed from my network?

I'm taking a guess that your host machine (running VNC) is behind a firewall?
The easiest way is to stop forwarding that port from the router/firewall to the host machine.
 
Man of Honour
Joined
13 Oct 2006
Posts
90,820
I wouldn't expose a machine running VNC to the internet these days without multi-factor authentication, ideally token or certificate - last time I had one set up on a non-default port it was found in minutes and slammed by login attempts - probably wouldn't have lasted more than a few weeks at the rate they were going.

If you've got any coding experience I'd probably grab the TightVNC source and do something non-standard to it so generic tools can't just log in.
 
Soldato
OP
Joined
14 Aug 2018
Posts
3,374
Own a Synology? Set up OpenVPN on it and forward a port for VPN to the Synology.

Own a Pi? Install pivpn.
I own neither. ;)
My Virginmedia SH3 is in modem only mode.
I have an Asus AC68U with Merlin firmware running an OpenVPN server.
My Win10 PC is running TightVNC 2.8.11 64-bit.

I normally control my PC from my phone using Jump Desktop v7.1.4. I do this to run some software on the PC and need more than just access to files.
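
On the question raised at the top of the thread, whether a 14 character password helps: the following is an added example, not part of any post above. It assumes the server uses the standard RFB "VNC Authentication" scheme (security type 2 in RFC 6143), which builds its key from only the first 8 bytes of the password; the handshake bytes and the password are constructed samples.

```python
"""Audit an RFB (VNC) handshake: which auth is offered, and how much of the password counts."""

SECURITY_TYPES = {1: "None", 2: "VNC Authentication"}  # RFC 6143, section 7.1.2


def parse_handshake(banner: bytes, sec_msg: bytes):
    """Return ((major, minor), [security types]) from the server's first two messages."""
    if len(banner) != 12 or banner[:4] != b"RFB " or banner[7:8] != b"." or banner[11:] != b"\n":
        raise ValueError("not an RFB ProtocolVersion message")
    version = (int(banner[4:7]), int(banner[8:11]))
    if not sec_msg or sec_msg[0] == 0:
        raise ValueError("server offered no security types (connection refused)")
    count = sec_msg[0]
    types = list(sec_msg[1:1 + count])
    if len(types) != count:
        raise ValueError("truncated security-types message")
    return version, types


def effective_key(password: str) -> bytes:
    """VNC Authentication uses only the first 8 bytes of the password, NUL-padded."""
    return password.encode("latin-1")[:8].ljust(8, b"\0")


def audit(banner: bytes, sec_msg: bytes, password: str):
    """Return a list of findings for a server handshake and the configured password."""
    _, types = parse_handshake(banner, sec_msg)
    findings = []
    if 1 in types:
        findings.append("server accepts connections with no authentication")
    if 2 in types:
        ignored = len(password.encode("latin-1")) - 8
        if ignored > 0:
            findings.append(f"VNC Authentication ignores the last {ignored} password characters")
    unknown = [t for t in types if t not in SECURITY_TYPES]
    if unknown:
        findings.append(f"vendor-specific security types offered: {unknown}")
    return findings


# Constructed sample: an RFB 3.8 server offering only VNC Authentication.
SAMPLE_BANNER = b"RFB 003.008\n"
SAMPLE_SECURITY = b"\x01\x02"

if __name__ == "__main__":
    for line in audit(SAMPLE_BANNER, SAMPLE_SECURITY, "C0rrect!Horse9"):
        print(line)
```

Under that scheme a 14 character password and its first 8 characters are the same credential, which is why the replies that put VNC behind the VPN rather than relying on password length address the exposure.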
 