  1. #1 (Just Joined!, Join Date Aug 2010, Posts 3)

    VNC Proxy


    Hello,
    I have two internet-based servers ( xx.xx.xx.xx and yy.yy.yy.yy ).
    The Y server is running VNC server and is responsible for answering to VNC sessions.

    But I need to hide the IP of Y server so I want X server to be as VNC Proxy and redirect all VNC sessions to Y server.

    I guess the best way is to use iptables, but actually I can't get it working, so any suggestion about iptables rules is welcome.

    Regards

  2. #2 (Just Joined!, Join Date Jul 2010, Posts 53)
    one simple way is to use ssh to establish the tunnel - for example for vnc display :2 on your server_x you can do:

    Code:
    ssh -L xx.xx.xx.xx:5902:localhost:5902 server_y
    if you have vnc running on server_y then connections to server_x will use that tunnel transparently. things like DISPLAY in the vnc session will point to localhost instead of yy.yy.yy.yy - doesn't completely obfuscate that ip but is an easy start.

  3. #3 (Just Joined!, Join Date Aug 2010, Posts 3)
    Quote Originally Posted by chaosless View Post
    one simple way is to use ssh to establish the tunnel - for example for vnc display :2 on your server_x you can do:

    Code:
    ssh -L xx.xx.xx.xx:5902:localhost:5902 server_y
    if you have vnc running on server_y then connections to server_x will use that tunnel transparently. things like DISPLAY in the vnc session will point to localhost instead of yy.yy.yy.yy - doesn't completely obfuscate that ip but is an easy start.
    Thanks, but I believe this is not a secure way.

  4. #4 (Just Joined!, Join Date Jul 2010, Posts 53)
    you need to be more clear about what you consider security then - or are not asking the actual question to which you want an answer. the answer i've given you is a production solution in many financial institutions and has undergone significant security audits.

    given that you are intending on opening up a vnc session to the machine in the first place, then using encrypted traffic, and obfuscating the VNC server ip from any connection you allow is your best step towards being secure. the only real issue with that approach is that you expose the ip address of server_x - which was in your original request.

    a further option is to originate the ssh tunnel on a 3rd machine - which would be the ONLY ip address you expose - and have it offer the VNC connection tunneling THROUGH your server_x to server_y.

    by offering vnc connectivity to the machine at all, you're making an inherent choice about security to the machine. this way at least the traffic is thoroughly encrypted, the tunnel can only be set up with permissions to your secured servers - this you can lock down to require key-based security and entirely disable password authentication for ssh access.

    thereby reducing your security exposure to your vnc passwords and the permissions of the account under which you start the vncserver on your server_y


    to go further, you need to set up 1 or 2 dmz networks - and reverse proxy.
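The two sshd settings chaosless names (key-based authentication required, password authentication disabled) are easy to get subtly wrong: sshd applies the first value it sees for a keyword, a commented-out line changes nothing, keyboard-interactive (PAM) prompts still accept passwords unless they are disabled separately, and AllowTcpForwarding must stay on for the ssh -L tunnel to work at all. The following Python check is an added example, not code from the thread; it parses constructed sshd_config samples with the defaults OpenSSH uses when a keyword is absent, treats ChallengeResponseAuthentication as the older spelling of KbdInteractiveAuthentication, and stops at the first Match block, which it does not model.

```python
# Canonical spelling of the sshd_config keywords this check understands. The
# older ChallengeResponseAuthentication spelling is an alias of KbdInteractiveAuthentication.
CANONICAL = {
    "passwordauthentication": "PasswordAuthentication",
    "pubkeyauthentication": "PubkeyAuthentication",
    "kbdinteractiveauthentication": "KbdInteractiveAuthentication",
    "challengeresponseauthentication": "KbdInteractiveAuthentication",
    "allowtcpforwarding": "AllowTcpForwarding",
}

# Values sshd uses when the keyword does not appear in the file.
DEFAULTS = {
    "PasswordAuthentication": "yes",
    "PubkeyAuthentication": "yes",
    "KbdInteractiveAuthentication": "yes",
    "AllowTcpForwarding": "yes",
}

# What the thread's advice amounts to: keys only, no password prompt of any
# kind, and TCP forwarding left on so that "ssh -L" to server_y still works.
WANTED = {
    "PasswordAuthentication": "no",
    "PubkeyAuthentication": "yes",
    "KbdInteractiveAuthentication": "no",
    "AllowTcpForwarding": "yes",
}

# Constructed sample: a stock-looking sshd_config on server_y.
WEAK_CONFIG = """\
Port 22
PasswordAuthentication yes
# PubkeyAuthentication yes   <- commented out, so the default still applies
AllowTcpForwarding no
"""

# Constructed sample: the same file after applying the advice above.
HARDENED_CONFIG = """\
Port 22
PubkeyAuthentication yes
PasswordAuthentication no
KbdInteractiveAuthentication no
AllowTcpForwarding yes
"""


def effective_settings(text: str) -> dict:
    """Return the global value of each known keyword; the first occurrence wins, as in sshd."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue
        keyword, value = parts[0].lower(), parts[1].strip().strip('"')
        if keyword == "match":
            break  # conditional Match blocks are out of scope for this global check
        name = CANONICAL.get(keyword)
        if name is not None:
            settings.setdefault(name, value)
    return settings


def audit_sshd_config(text: str) -> list:
    """List deviations from WANTED; an empty list means every check passed."""
    settings = effective_settings(text)
    findings = []
    for name, wanted in WANTED.items():
        actual = settings.get(name, DEFAULTS[name])
        source = "set" if name in settings else "default"
        if actual.lower() != wanted:
            findings.append(f"{name} is {actual!r} ({source}), want {wanted!r}")
    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"{label}: {audit_sshd_config(cfg) or 'ok'}")
```

Run it against the real file with `audit_sshd_config(open("/etc/ssh/sshd_config").read())`; note that the check reads only the global section, so a `Match` block that re-enables password authentication for some users would not be reported.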

  5. #5 (Just Joined!, Join Date Aug 2010, Posts 3)
    Quote Originally Posted by chaosless View Post
    you need to be more clear about what you consider security then - or are not asking the actual question to which you want an answer. the answer i've given you is a production solution in many financial institutions and has undergone significant security audits.

    given that you are intending on opening up a vnc session to the machine in the first place, then using encrypted traffic, and obfuscating the VNC server ip from any connection you allow is your best step towards being secure. the only real issue with that approach is that you expose the ip address of server_x - which was in your original request.

    a further option is to originate the ssh tunnel on a 3rd machine - which would be the ONLY ip address you expose - and have it offer the VNC connection tunneling THROUGH your server_x to server_y.

    by offering vnc connectivity to the machine at all, you're making an inherent choice about security to the machine. this way at least the traffic is thoroughly encrypted, the tunnel can only be set up with permissions to your secured servers - this you can lock down to require key-based security and entirely disable password authentication for ssh access.

    thereby reducing your security exposure to your vnc passwords and the permissions of the account under which you start the vncserver on your server_y


    to go further, you need to set up 1 or 2 dmz networks - and reverse proxy.
    Thanks, I've changed my mind.
    But if it were possible to use simply iptables or a proxy server ( like apache ) that would be great.
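The "proxy server" the last post asks about is, at its simplest, a TCP relay on server_x that accepts a connection on the VNC port and copies bytes in both directions to server_y. The following relay is an added example, not code from the thread, written with only the Python standard library; `yy.yy.yy.yy` is a placeholder for the hidden VNC server, and the echo server in the self-test is a constructed stand-in for a VNC server that answers the first bytes it receives (here the RFB version greeting). Unlike the `ssh -L` tunnel in reply #2, this relay adds no encryption: the VNC traffic between the client and server_x, and between server_x and server_y, is exactly as exposed as it was before, so it only solves the "hide the IP" part of the question.

```python
import asyncio

LISTEN_HOST = "0.0.0.0"
LISTEN_PORT = 5902            # VNC display :2, as in the thread
BACKEND_HOST = "yy.yy.yy.yy"  # placeholder: the hidden VNC server (server_y)
BACKEND_PORT = 5902


async def pipe(reader: asyncio.StreamReader, writer: asyncio.StreamWriter) -> None:
    """Copy bytes from reader to writer until EOF, then close the writer so the peer sees EOF too."""
    try:
        while True:
            chunk = await reader.read(65536)
            if not chunk:
                break
            writer.write(chunk)
            await writer.drain()
    finally:
        writer.close()


async def handle_client(client_reader, client_writer, backend_host, backend_port):
    """Open one backend connection per client and relay both directions until either side closes."""
    peer = client_writer.get_extra_info("peername")
    try:
        backend_reader, backend_writer = await asyncio.open_connection(backend_host, backend_port)
    except OSError as exc:
        # Backend down or unreachable: drop the client rather than leave it hanging.
        print(f"backend unreachable for {peer}: {exc}")
        client_writer.close()
        return
    await asyncio.gather(
        pipe(client_reader, backend_writer),
        pipe(backend_reader, client_writer),
    )


async def start_relay(listen_host, listen_port, backend_host, backend_port):
    """Listen on listen_host:listen_port and forward every connection to backend_host:backend_port."""
    return await asyncio.start_server(
        lambda r, w: handle_client(r, w, backend_host, backend_port),
        listen_host, listen_port)


async def _echo(reader, writer):
    # Constructed stand-in for the VNC server: echo the first chunk back, then hang up.
    writer.write(await reader.read(65536))
    await writer.drain()
    writer.close()


async def _roundtrip(payload: bytes) -> bytes:
    # Everything on loopback with OS-chosen ports, so this runs offline.
    echo = await asyncio.start_server(_echo, "127.0.0.1", 0)
    echo_port = echo.sockets[0].getsockname()[1]
    relay = await start_relay("127.0.0.1", 0, "127.0.0.1", echo_port)
    relay_port = relay.sockets[0].getsockname()[1]
    reader, writer = await asyncio.open_connection("127.0.0.1", relay_port)
    writer.write(payload)
    await writer.drain()
    reply = await reader.read(65536)
    writer.close()
    await writer.wait_closed()
    for srv in (echo, relay):
        srv.close()
        await srv.wait_closed()
    return reply


def roundtrip_through_relay(payload: bytes) -> bytes:
    """Send payload through a local relay to a local echo server; return what came back."""
    return asyncio.run(asyncio.wait_for(_roundtrip(payload), timeout=10))


if __name__ == "__main__":
    # Self-test with the RFB greeting a VNC server sends (constructed sample), then serve for real.
    print(roundtrip_through_relay(b"RFB 003.008\n"))

    async def _main():
        server = await start_relay(LISTEN_HOST, LISTEN_PORT, BACKEND_HOST, BACKEND_PORT)
        async with server:
            await server.serve_forever()

    asyncio.run(_main())
```

Two operational points follow from the code: server_y sees every session as coming from server_x, so its own VNC logs lose the real client address, and the relay accepts anyone who can reach the port, so it belongs behind a host firewall or an allowlist of client addresses just as the bare VNC server would.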
