20

We have an Intel NUC in my university's language department that will soon host a web application used by faculty and students in the department. The NUC runs Ubuntu (14.10).

I'm comfortable with the terminal and SSH-ing into the server, however I find that a lot of tasks that I need to do are just so much easier through screen-sharing (VNC).

I suggested to our new technical director that we install VNC on this server to make my life a lot easier (in fact it had VNC installed before he was hired, and then he uninstalled it). However, he replied with the following comment:

I would much prefer not to run X or VNC on the server if we can get away with it. It is a server after all.

I really don't understand this logic. It isn't hooked up to a monitor; the only access into it is through SSH. Is there some miraculous downside to having VNC access to a server that I am unaware of?

Obviously you're opening up another port for an attacker; rebuttal: we're behind two university firewalls (the main university network firewall as well as our subnet's own special firewall). VNC would only be able to be accomplished inside our subnet, so I'm at a loss as to why this would be an issue other than "it's another package to maintain", and with Ubuntu's apt package manager that becomes a non-issue.

What are the downsides of installing VNC on a server?

Edit: this isn't just a web server. It's hosting a number of other applications. Not sure if that makes a difference.

Chris Cirefice
    I can't imagine _anything_ you might need to do with a web server that would be easier using a GUI. Perhaps you should _also_ ask about whether there is a better way to perform the tasks you want to perform. – Michael Hampton Aug 26 '15 at 23:11
  • @MichaelHampton It's not just a web server. We're a tiny lab, so it's running a few other services too. While I say I'm *comfortable* with the terminal, there are a number of things that would take (me personally) a long time to do if not through a GUI, which is why it was installed in the first place. – Chris Cirefice Aug 26 '15 at 23:15
  • 3
    Either way, this is an opportunity to learn something new. – Michael Hampton Aug 26 '15 at 23:18
  • 9
    It's all about limiting surface. With more services more can go wrong and more can get hacked. Granted you said this but it remains true. Also personally I hate VNC. What about X11 Forwarding over SSH? – Michael Bailey Aug 26 '15 at 23:37
  • @MichaelBailey Well I'm not a server administrator so I'm not used to using all of the utilities and what-not through SSH/terminal, so GUI-based tools for this kind of thing are what I prefer. He said *prefer not to run X or VNC*, and I'm assuming that *X* means *X11* (which I have used before and that's totally fine too). – Chris Cirefice Aug 26 '15 at 23:39
  • 1
    So why do you need to use these tools on a server? Using a browser without a graphical interface will be useless in most cases - but you wouldn't consider running your browser on a server. Whatever tool you are using, just install it on your client and access whatever data you need on the server, preferably via ssh. Maybe have a look into [sshfs](http://fuse.sourceforge.net/sshfs.html) – Ben Aug 26 '15 at 23:50
  • 7
    I don't want to post this as an answer, because it doesn't answer the question "What are the downsides of VNC", but to elaborate on the comment by @MichaelBailey: You don't need X or VNC on the server. SSH to the server with X forwarding allows graphical programs to actually run on the server while displaying the windows on an X11 server running on your **local** machine. You only need some shared X11 libraries on the server, which will not waste resources while you have no program running that uses them. IMO a good compromise. – Gerald Schneider Aug 27 '15 at 12:41
  • Another good option in a lot of circumstances is [sshfs mounting](https://help.ubuntu.com/community/SSHFS). Doesn't require installing X11 libraries remotely, but lets you use graphical editors on your local machine. – Karl Bielefeldt Aug 27 '15 at 19:15
  • Have you tried using `screen`? I cannot imagine any task which VNC would do better than `ssh` and `screen`. – kasperd Aug 27 '15 at 19:48

4 Answers

42

There are a great many reasons:

  • Attack surface: more programs, especially networked ones, means more opportunities for someone to find a bug and get in.

  • Defect surface: as above, but replace "someone" with "Murphy", and "get in" with "ruin your day". Actually, "ruin your day" probably applies to the previous point, too.

  • System efficiency: X11, and the GUI environments that people tend to run on them, consume a decent amount of RAM, especially on a limited resources system like a NUC. Not running them means more resources for doing useful work.

  • Operator efficiency: GUIs do not lend themselves to scripting and other forms of automation. Clicking on things feels productive, but it's actually about the worst way to do something deeply technical. You'll also find your future employment opportunities severely limited if you can't script and automate away your job -- the industry is going away from GUI admin tools. Heck, even Windows server can be installed GUI-free these days, and if that doesn't make you think about the relative merits of only knowing how to click on things, I really don't know what to say to you.

womble
  • 1
    Dang it womble.. you beat me to the punch by like 30 seconds again. :) Great answer. – Tim Brigham Aug 26 '15 at 23:55
  • 3
    Lots of time spent with Mavis Beacon in my youth has to have *some* benefits... – womble Aug 26 '15 at 23:56
  • Great answer. In my life, automating away my job isn't a skill that I *need* to learn. It'd be nice to learn it, but it won't have any effect on my employability, and frankly it'll take away too much of the time that I could be using to do other things. Other than that, your answer had all the points I was expecting :) – Chris Cirefice Aug 27 '15 at 00:01
  • 1
    @ChrisCirefice there is a difference between automating your job (with tools like Puppet and such) and simply *doing* your job right (clicking on buttons on a GUI isn't considered right for serious sysadmins). – André Borie Aug 27 '15 at 01:08
  • @AndréB. Good thing I'm not a sysadmin. I'm a student working on a webapp and I don't personally manage the servers. – Chris Cirefice Aug 27 '15 at 02:32
  • 6
    @ChrisCirefice then I suggest you ask someone to do things the right way instead of compromising the security of production servers for a tiny bit of ease of use. – André Borie Aug 27 '15 at 02:36
  • 8
    That's a touch harsh, Andre. I'd like to think that Chris has a slightly better understanding of the implications of his preferences now, no need to beat the stuffing out of him for it. – womble Aug 27 '15 at 03:06
  • I'd like to add to the "system efficiency" part - it's not just the ram - VNC requires some network bandwidth and _CPU power_ - even basic compression of standard sized desktop will eat up tons of cpu (especially compared to CLI via SSH) – Sebi Aug 27 '15 at 03:33
  • @AndréB. I think you're a bit snarky considering you haven't really read my question, or other comments at all. These servers we use hardly qualify as "production". They host a few applications that are literally only used by a *single room in one building at my university*. They have no super-valuable information on them as they are mostly just file hubs and middle-men to connect applications like Dill. They are behind 2 network firewalls, one specifically there to block out-of-subnet traffic (i.e. for services like VNC). So cut it out with the bad attitude dude. – Chris Cirefice Aug 27 '15 at 12:59
  • 1
    @ChrisCirefice it's either a server or it's not, though if the desktop environment is already on there, installing *just* VNC won't do much harm as long as you access it from the trusted network or use an SSH tunnel. – André Borie Aug 27 '15 at 13:01
  • 4
    @ChrisCirefice be *really* careful thinking things like "no super-valuable information" and "behind firewalls". The value of data is in the eye of the beholder, and the role of systems can subtly change over time, so that more valuable (to an attacker) data slowly ends up accumulating on a system which everyone thinks isn't worth defending... and then you end up on the front page of every news website because something embarrassing was leaked. – womble Aug 27 '15 at 20:33
15

The problem isn't VNC - don't get me wrong, VNC is a horrible protocol and has many flaws (the biggest being the lack of encryption support so everything goes over the network in plain text), but it isn't the main reason its usage is not recommended on servers.

You're going to install VNC to access what, a black screen? No, you wanted to access an entire desktop environment, and that is the real problem.

Once you install all this desktop-grade Gnome (or similar) software you can already consider your server compromised, since there are so many bugs left to be exploited in this horrible, huge collection of applications (besides the fact that it's not designed for productivity and uses a ton of resources). One of the other reasons why I don't recommend this software and most of the Linux desktop environments is that they take over the entire system almost like a rootkit, and implement their own versions of everything (authentication? No more rock solid users and groups, let's run this Policykit nonsense as root that gives permissions based on some unreadable, obscure XML files... configuration? Who needs human-readable config files? Let's store everything in binary databases that you can't really see nor edit unless you use their provided utilities, just like the Windows registry, and also let's start a bunch of daemons as root to use up resources even when you're not using the desktop).

Trying to install a Gnome desktop environment on my Archlinux server tells me "Total Installed Size: 1370.86 MiB". That is huge, imagine the extra attack surface this ex-server will have once it's installed. Other desktop environments aren't much better.

André Borie
  • "VNC is a horrible protocol and has many flaws (the biggest being the lack of encryption...)" In situations were one needs VNC, not a server environment, your issue is averted by tunneling your VNC sessions through ssh. – Keith Reynolds Aug 27 '15 at 01:52
  • @KeithReynolds yeah, but it should be built-in, especially when you compare it to its competitors like the more "up to date" RDP, which is encrypted right away (safe as long as you trust the server's certificate). – André Borie Aug 27 '15 at 02:04
  • 7
    One design philosophy is to have every possible solution built in (generally typical of MS developers), and the other is to piece together what you need (generally typical of Linux developers). Regarding VNC: when security is needed over an untrusted network, ssh requires an account and provides encryption. When security isn't a concern, sharing one's desktop doesn't require a system account or the overhead of encryption. – Keith Reynolds Aug 27 '15 at 02:39
  • 2
    @KeithReynolds another issue of VNC is that it sends pure bitmaps instead of draw commands which are drawn on the client side like RDP. This makes VNC horrible to use on anything besides a local network while RDP remains fine even on crappy mobile networks. – André Borie Aug 27 '15 at 19:55
9

Obviously you're opening up another port for an attacker; rebuttal: we're behind two university firewalls (the main university network firewall as well as our subnet's own special firewall). VNC would only be able to be accomplished inside our subnet, so I'm at a loss...

Never assume that because your system is behind a firewall, on a private network, you don't need to worry about security. Many, if not most, successful intrusions are performed by insiders (employees, students, etc) that have access to said networks.

Gene
-8

Try this to keep the technical director happy:

  • Install VNC and whatever desktop you like

  • Do NOT install a screensaver of any kind. Why? You don't have a screen, and a desktop just sitting there doesn't consume many resources.

  • Do NOT forward the VNC port. If you need to use it, tunnel the VNC port (5900) via SSH (port 22) and connect to it that way.

This process gets you encryption and all the security of SSH, which is already open. You don't add any security issues you didn't already have before.

I already do this on my own server, there is no noticeable additional delay in the VNC process compared to a direct connection.

paul
  • 9
    "*You don't add any security issues you didn't already have before*" isn't even *close* to true. Installing extra code - and Andre B above gives you some idea how much extra code we're talking about - gives more opportunities for privilege escalation by (ssh'ed-in) local users. – MadHatter Aug 27 '15 at 11:03
  • @MadHatter "privilege escalation by (ssh'ed-in) local users" but that's the point - SSH is considered secure enough, and as it's a server there won't be many local users. If you want total security, turn the box off. Everything else is a balance. – paul Aug 27 '15 at 11:28
  • 4
    I agree that security is a balancing act, but claiming that acts (installing extra software) that are part of the trade-off have no downside is disingenuous. Saying there are few ssh'ed in users is equally misleading: the question's author says he ssh'es in right now, and we have no way of knowing how many others do so. – MadHatter Aug 27 '15 at 11:40
  • @MadHatter Also precisely my point. OP has determined that SSH is secure enough, so we can leverage it for other services without exposing the port for the other services. Andre's main concern is VNC's lack of encryption, tunnelling over SSH dismisses that concern. – paul Aug 27 '15 at 12:03
  • 4
    "*OP has determined that SSH is secure enough*". Security isn't a property that you have or don't; it's a degree of preparedness against a given threat model. If the threat model is "*unauthorised access by remote user*", then yes, `ssh` is good defence. If the threat model is "*privilege escalation by authorised local user"*, then `ssh` is no defence, and installing tons of extra code on the server increases the attack surface significantly. Womble is an experienced sysadmin with about seventy thousand times your reputation on this site, so you might want to go easy on the insults. – MadHatter Aug 27 '15 at 12:29
  • This could be best described as an RGE (résumé-generating event) if the OP was to intentionally try to circumvent his director's wishes. – Brandon Xavier Aug 27 '15 at 13:09
  • @BrandonXavier The question is "how to convince the sysadmin....", tunnelling an insecure service via a secure service removes one issue, making the desktop low-impact removes another. – paul Aug 27 '15 at 15:07
  • @MadHatter what does the reputation ratio have to do with ... well, anything? – paul Aug 27 '15 at 15:08
  • @paul Uh . . . no. The question is "What are the downsides of installing VNC on a server?" Irritating the boss (or worse) by installing software he explicitly removed is certainly a "downside" (albeit not necessarily a technical downside) – Brandon Xavier Aug 27 '15 at 15:32
  • @ChrisCirefice : What you're really trying to do here is understand your boss's reasons so you can convince him otherwise, yes? – paul Aug 27 '15 at 15:47
  • 1
    @paul No, my main concern wasn't about the lack of encryption of VNC (it can be mitigated using SSH tunneling), the main issue is the enormous attack surface of any desktop environment. – André Borie Aug 27 '15 at 17:01
  • 3
    @paul: you're right, I have absolutely no sense of balance. I'm not Fox News: I don't need to be "fair and balanced". I'm a sysadmin: I need to be *right*. – womble Aug 28 '15 at 08:18
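Added example, not code posted by anyone in this thread. It turns two recurring points from the answers into checks an operator can actually run: paul's "tunnel the VNC port via SSH" only helps if the VNC server is bound to loopback, so the first function parses `ss -ltn` output and reports any VNC-range listener reachable from the network; and the "attack surface" argument from womble, André Borie and MadHatter becomes measurable by snapshotting listening sockets and setuid/setgid binaries before and after the desktop and VNC packages go on, then listing what was added. Assumptions that are not from the thread: the iproute2 `ss` column layout, the conventional VNC display range 5900-5999, the placeholder host `chris@nuc`, and the constructed sample sockets and paths used in the demo.

```shell
#!/bin/sh
# Added example for the Server Fault thread above; not code from any answer.
# Assumptions: iproute2 `ss -ltn` column layout (State Recv-Q Send-Q
# Local:Port Peer:Port), VNC displays on ports 5900-5999, placeholder
# host "chris@nuc". Sample data in the demo is constructed.

# SSH local forward: reach display $3 on host $1 at 127.0.0.1:$2 on the
# workstation. The VNC server itself must be started loopback-only
# (e.g. `x11vnc -localhost` or TigerVNC `vncserver -localhost`) so that
# this tunnel is the only route to it.
ssh_tunnel_cmd() {
    echo "ssh -N -L $2:127.0.0.1:$((5900 + $3)) $1"
}

# Read `ss -ltn` output on stdin; print VNC-range listeners (5900-5999)
# bound to anything other than 127.x.x.x or [::1]. Empty output is the
# desired result: nothing but the SSH tunnel can reach the display.
exposed_vnc_listeners() {
    awk '
        $1 == "LISTEN" {
            addr = $4
            n = split(addr, p, ":")
            port = p[n] + 0
            host = substr(addr, 1, length(addr) - length(p[n]) - 1)
            if (port >= 5900 && port <= 5999 &&
                host !~ /^127\./ && host != "[::1]")
                print addr
        }'
}

# Write a sorted inventory of listening sockets and setuid/setgid files
# to $1. Run once before and once after the package install.
surface_snapshot() {
    {
        ss -ltnu 2>/dev/null | awk 'NR > 1 { print "socket", $1, $5 }'
        find / -xdev -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null |
            sed 's/^/setuid /'
    } | sort > "$1"
}

# Lines present in snapshot $2 but not in $1: what the install added
# (new daemons listening, new setuid helpers for local users to poke at).
surface_added() {
    comm -13 "$1" "$2"
}

# Demo on constructed data so it runs anywhere without touching the host.
if [ "${1:-}" = "demo" ]; then
    echo "tunnel: $(ssh_tunnel_cmd chris@nuc 5901 0)"
    echo "exposed VNC listeners (constructed ss output):"
    printf '%s\n' \
        'State Recv-Q Send-Q Local Address:Port Peer Address:Port' \
        'LISTEN 0 128 0.0.0.0:22 0.0.0.0:*' \
        'LISTEN 0 5 127.0.0.1:5900 0.0.0.0:*' \
        'LISTEN 0 5 [::]:5901 [::]:*' |
        exposed_vnc_listeners
fi
```

Run `sh vnc_checks.sh demo` for the constructed walk-through; on a real box, `ss -ltn | exposed_vnc_listeners` should print nothing, and `surface_snapshot before; <install packages>; surface_snapshot after; surface_added before after` shows exactly the new listeners and setuid binaries that a local SSH user could now target, which is the part of the trade-off an SSH tunnel does not remove.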