
I use TightVNC behind my home LAN, but am open to alternative (free) suggestions.

Many's the time that I have wished that I could have remote access to my home PC (which must run Windows, for business reasons), generally just for a few minutes. Until now, I have avoided doing so, but it would be nice to have occasionally.

How could I reduce the attack vector?

I was thinking of coding a little Python script to run on the machine and react to a specially titled email, or the appearance & disappearance of a specially named (blank) file on a website, to start/stop the TightVNC server. Of course, there is no guarantee of immediate, or even timely, delivery of email, and I don’t want to be permanently polling a website, but I could live with access after a few minutes of my action.

  • Would that be a good mechanism?
  • Is there something more secure?
  • Any general hints & tips on reducing the attack vector on having a VNC server running, even if only for a few minutes, on my home PC (which probably allows access to everything behind the router if compromised)?

I prefer free solutions to paid, and off-the-shelf to homebrew, but as a software developer I am not averse to rolling my own if needs must.

Obviously, I don’t want to take a security through obscurity approach.

  • The email trigger to start the server is similar in concept to [port knocking](https://en.wikipedia.org/wiki/Port_knocking). – Sjoerd Sep 12 '18 at 11:19
  • Install a proper OS and run MS Windows in a VM? (then you could do port knocking, ssl/ssh tunneling, 2FA, Fail2ban, IPSec....) ;) – symcbean Sep 12 '18 at 11:46
  • Of course you could just provision a better operating system on, say, a Raspberry Pi and get it to fire a wake-on-lan packet at the Windows PC when you want to connect remotely. – symcbean Sep 12 '18 at 11:51
  • Good ideas, both, but adding a level of complexity which might be off-putting to many – Mawg says reinstate Monica Sep 13 '18 at 06:29

2 Answers

A typical solution is to use a VPN. A VPN makes it possible to connect to your home network (and subsequently to TightVNC) and VPN authentication is often sufficiently hardened to expose to the internet.

Another option is to use a SSH server, which can act as a poor man's VPN. This is also TightVNC's own advice:

In the meantime, if you need real security, we recommend installing an SSH server, and using SSH tunneling for all TightVNC connections from untrusted networks.

Sjoerd
  • I use [IVPN](https://www.ivpn.net/), but obviously, that's for outgoing traffic. So, if I understand correctly, you are recommending that I install a VPN server on my home PC? If so, should I "belt & braces" and also install an SSH server, or is that just overkill & the two suggestions an either/or? – Mawg says reinstate Monica Sep 12 '18 at 09:18
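The SSH-tunnel option from the answer above, written out as an added example (this is not code from the original post, from Sjoerd, or from TightVNC's own documentation). It assumes the home PC is Windows 10 (1809 or later) or Windows 11 with the optional OpenSSH Server capability available, that TightVNC 2.x is installed in service mode (service name `tvnserver`, listening on TCP 5900, settings under `HKLM:\SOFTWARE\TightVNC\Server` with the `AllowLoopback` and `LoopbackOnly` values from its Access Control tab), and that the client has `ssh.exe` and a VNC viewer. The account name `homeuser`, the host name `home.example.net` and the public key are placeholders. Check the registry value names against the installed TightVNC version before relying on them.

```powershell
#Requires -RunAsAdministrator
# Added example: expose ONLY sshd on the Windows home PC, pin TightVNC to
# loopback, and reach it through an SSH local port forward from the client.
# Placeholders: homeuser, home.example.net, the ssh-ed25519 public key.
$ErrorActionPreference = 'Stop'

# --- 1. Install and enable the built-in OpenSSH Server ---------------------
Add-WindowsCapability -Online -Name 'OpenSSH.Server~~~~0.0.1.0' | Out-Null
Set-Service -Name sshd -StartupType Automatic
Start-Service -Name sshd

# --- 2. Harden sshd: key-only login, one allowed user, forwarding enabled ---
$sshdConfig = Join-Path $env:ProgramData 'ssh\sshd_config'
$existing = Get-Content $sshdConfig |
    Where-Object { $_ -notmatch '^\s*(#\s*)?(PasswordAuthentication|PubkeyAuthentication|AllowTcpForwarding|AllowUsers)\b' }
# sshd uses the FIRST value it sees for a directive, and anything after a
# "Match" block only applies to that block, so our settings go at the top.
$hardening = @(
    'PubkeyAuthentication yes',
    'PasswordAuthentication no',   # no online password guessing against sshd
    'AllowTcpForwarding yes',      # required for the -L forward in step 6
    'AllowUsers homeuser'          # placeholder account; nobody else may log in
)
Set-Content -Path $sshdConfig -Value ($hardening + $existing)

# On Windows OpenSSH, members of Administrators read keys from this shared file,
# and sshd rejects it unless only SYSTEM and Administrators have access to it.
$adminKeys = Join-Path $env:ProgramData 'ssh\administrators_authorized_keys'
Set-Content -Path $adminKeys -Value 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDERPUBLICKEYxxxxxxxxxxxxxxxxxxxxxx laptop'
icacls.exe $adminKeys /inheritance:r /grant 'Administrators:F' /grant 'SYSTEM:F' | Out-Null
Restart-Service -Name sshd

# --- 3. Firewall: 22 in from anywhere, 5900 blocked from the network ---------
if (-not (Get-NetFirewallRule -Name 'OpenSSH-Server-In-TCP' -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -Name 'OpenSSH-Server-In-TCP' -DisplayName 'OpenSSH Server (sshd)' `
        -Direction Inbound -Protocol TCP -LocalPort 22 -Action Allow | Out-Null
}
# Loopback traffic is not filtered by the Windows Firewall, so this block rule
# still lets sshd reach 127.0.0.1:5900 on behalf of the tunnelled client.
New-NetFirewallRule -DisplayName 'Block TightVNC from the network' `
    -Direction Inbound -Protocol TCP -LocalPort 5900 -Action Block | Out-Null

# --- 4. TightVNC: accept RFB connections only from 127.0.0.1 ----------------
$tvn = 'HKLM:\SOFTWARE\TightVNC\Server'   # TightVNC 2.x service-mode settings
Set-ItemProperty -Path $tvn -Name AllowLoopback -Value 1 -Type DWord
Set-ItemProperty -Path $tvn -Name LoopbackOnly  -Value 1 -Type DWord
Restart-Service -Name tvnserver

# --- 5. Verify what is listening -------------------------------------------
# Expect sshd on port 22. tvnserver may still bind 0.0.0.0:5900; with
# LoopbackOnly it refuses non-loopback peers and the firewall rule above
# stops them before that, so only 127.0.0.1 can ever complete a connection.
Get-NetTCPConnection -State Listen -LocalPort 22, 5900 |
    Select-Object LocalAddress, LocalPort,
        @{ n = 'Process'; e = { (Get-Process -Id $_.OwningProcess).ProcessName } } |
    Format-Table -AutoSize

# --- 6. Client side (any machine with ssh.exe): open the tunnel --------------
function Start-VncTunnel {
    param(
        [string]$Target    = 'homeuser@home.example.net',  # placeholder
        [int]   $LocalPort = 5901
    )
    # -N: no remote shell, just the forward.
    # -L 127.0.0.1:5901:127.0.0.1:5900: bind only on the client's loopback,
    #    deliver to 127.0.0.1:5900 as seen from the home PC.
    # ExitOnForwardFailure: fail loudly instead of running without the forward.
    & ssh.exe -N `
        -o ExitOnForwardFailure=yes `
        -o ServerAliveInterval=30 `
        -L "127.0.0.1:${LocalPort}:127.0.0.1:5900" `
        $Target
}
```

Steps 1 to 5 run once, as administrator, on the home PC. On the client, run `Start-VncTunnel` (it blocks while the tunnel is up) and point the viewer at the local end; in TightVNC Viewer notation that is `127.0.0.1::5901`. Only TCP 22 needs forwarding on the router; 5900 never leaves the machine, so the VNC password is reduced to a second factor behind the SSH key rather than being the thing the internet gets to guess.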

No, No, No, No, No.

You should NEVER, in ANY circumstances, reveal any remote service ports such as SSH, VNC and RDP.

You must open one single VPN port and access your VNC server through the VPN connection.

It's way better to get your VPN gateway hacked than to get your remote service hacked.

John Doe
    Could you explain why you shouldn't reveal remote services? What makes VPN different that you could expose a VPN service? – Sjoerd Sep 12 '18 at 11:01
  • @Sjoerd Probably because every service has a vulnerability. It's better to have a VPN gateway compromised, attacked, DoSed, buffer overflowed or breached than to get a remote service being done the same thing. Also, gaining access to a private network doesn't mean your machine is compromised if you have appropriate authentication. – John Doe Sep 12 '18 at 11:04
  • I don't think this is a constructive answer as it doesn't explain anything. I also don't understand why it would be better to have your VPN hacked than your SSH server. – Sjoerd Sep 12 '18 at 11:10
  • @Sjoerd It's simple. Not every attacker who successfully invaded a local network can compromise a machine. Nearly every attacker who successfully invaded a remote protocol can compromise a machine. – John Doe Sep 12 '18 at 11:13
  • Gosh - have you told Google and Amazon - they let just about *anybody* connect to their webservers! – symcbean Sep 12 '18 at 11:37
  • @symcbean how can you even compare web services and remote protocols? – John Doe Sep 12 '18 at 11:42
  • I think your answer is a little overzealous and you have missed a few important details. You are advocating the use of a VPN gateway that is separate from the target system. You are not clear on this point. – schroeder Sep 12 '18 at 11:46
  • And I think there is a [citation needed] on never, under any circumstances exposing SSH, but VPN is ok. – schroeder Sep 12 '18 at 11:48