Re: Setup TightVNC Process Questions
Kertesz Laszlo <laszlo.kertesz <at> gmail.com>
2012-04-17 19:10:06 GMT
Dave Ihnat wrote:
> On Mon, Apr 16, 2012 at 09:03:44AM -0500, Stan Beck wrote:
>> I had my sister-in-law install the TightVNC
>> server in their computer. I have the TightVNC installed on mine. They are
>> using a cable modem. I talked to their cable provider and they have opened
>> up port 5900. Is there anything else I need to have their cable provider
>> do? I am guessing I need to enter their IP address to connect, but I am
>> also guessing that will change every time they start the computer and having
>> them get that for me might be a problem.
>
> A few things. First, the cable provider rarely, if ever, blocks ports
> other than, sometimes, SMTP (25).
>
> But more importantly, it's a *really* bad idea to open VNC on the Internet,
> especially on the standard port. Bad guys scan, and it's a well-known
> port; you're one password away from being pwned.
>
> And one other issue. They *do* have a hardware router/firewall appliance,
> right? This is a really, really good idea. If they don't, get one for
> them, program it at home, and send it to them. Make sure to change the
> default password.
>
> However, setting up to run VNC over the Internet securely requires a fair
> bit of armwaving. Read the following--and if it's all too much for you,
> just skip to the section on TeamViewer.
>
> Next, install and set up CygWin on their machine, and especially the
> OpenSSH server. Why? So you can establish a secure SSH connection to
> their machine. This is MUCH more secure than just running VNC on the
> 'Net.
>
> You'll want to move even that from the default port of 22 to something
> else--say, 22000--by editing /etc/sshd.config (see the following notes.)
>
> You do this by going to http://www.cygwin.com, download the "startup.exe"
> file--I recommend you create something on their hard drive like
> C:\Data\CygWin, and put it there. Then install from a server; pick
> one nearest to them geographically, but it doesn't really matter much.
> Run that program from within the package directory--the one created
> above--selecting the following (screens will offer this in this order):
>
> 1. Install from Internet.
> 2. Keep the Root Directory as C:\cygwin (the default)
> 3. Local Package Directory should be C:\Data\CygWin
> 4. Use "Direct Connection"
> 5. Select an "Available Download Site".
> 6. You'd now be given a dialog box "Select Packages". There's a
> bewildering plethora of possible packages; the only one we're
> interested in is under "Net". Select "openssh".
> 7. Let it crunch through the download and installation.
> 8. Once it's done, you should have a "Cygwin Terminal" icon on the
> desktop. Double-left click to open this. (Make sure you're running
> under an account with Administrative access to the computer.)
> 9. Run "ssh-host-config". Pretty much take all the defaults--do select
> "privilege separation", and if it asks, let it create an account.
> 10. Edit the file /etc/sshd.config. Near the top, there'll be a line
> telling ssh what port to use--the default is 22. Change that to
> 22000 (or some other high number under 65535.)
> 11. Under Services in Administrative tools, start the SSH server that
> CygWin installed.
> 12. In their hardware router appliance, configure it to forward that
> port to their DHCP-assigned IP address. If the router gives you the
> ability to "reserve" an IP address (most today do), do that
> for their current address assignment.
> 13. Now run something like PuTTY to connect to their Internet IP address
> using the port you selected--e.g., 22000. Look at "tunneling" in
> PuTTY; tell it to forward local port 6000 to 5900 on their internal
> IP address. For instance, if they're assigned address 192.168.1.100,
> it would be 192.168.1.100:5900.
> 14. Finally, run the VNC viewer and connect to "localhost:6000". You
> should get the VNC login password request, and finally a VNC screen.
>
> There's still a missing piece. You can't know their IP address; either
> they'll have to give it to you (by going to, say, www.whatismyip.com), or
> you'll have to find a free Dynamic DNS server and install a client program
> (check out http://freedns.araid.org).
SSH on its own is a good thing but setting it up on Windows might become
a little difficult. There are prepackaged versions such as copssh that
work quite well.
But ideally it is best to use the server side on your router where you can
control everything. VNC can be used as the protocol, but only with some
kind of encrypted connection. I use 2 things - VPN (openvpn) and stunnel.
1. A VPN (virtual private network) is a client-server software that
allows secure connections between 2 or more remote computers (on the net
or whatever). Now there are many flavors of it including a crappy
version included in Windows.
But the one really good is OpenVPN (it's open source). It works on any
platform and it is an industry grade secure software. It is very very
stable (on Linux at least).
2. stunnel is a simple program that connects 2 ports on 2 computers
creating a secure tunnel. It can be used for tunneling any tcp
connection (that uses only 1 port) through it. It doesn't need much
setup, it is ideal for quick and secure remote support.
The above methods require networking knowledge, but are better than
proprietary solutions from control and privacy point of view. If setup
correctly they are no less secure or reliable. Add the fact that you have
your own encryption between 2 points makes it more secure (TeamViewer is
as secure as your password).
>
> TEAMVIEWER
> ----------
> Now you ask--how do I do all this when I'm hundreds of miles
> away? The simplest answer is to use something like TeamViewer
> (http://www.teamviewer.com). It's free for personal use. Install the
> full package on your machine; have them click on the "Join Remote Control
> Session" on that page, and run the program that's downloaded. It will
> offer an ID and Password; they read that to you, you enter it in your
> running copy of the full TeamViewer, and you'll have control over their
> machine.
>
> And, in fact, if all of this is daunting to you, just use TeamViewer to
> support them and skip VNC. You'll have to have them run the local program
> and give you their ID/Password every time, but it's far less work to set
> up. (Note that there are other such packages out there--this is just one
> that's worked well and is free for personal use.)
TeamViewer runs just fine in service mode. Just assign a fixed good
password and set it to start with Windows.
The ID remains the same unless you reinstall the OS.
I do agree that these types of solutions are simpler and appeal to the
masses if you don't know about setting up private VPNs. Only catch is
that you depend on the service provider's good will (TeamViewer in this
case). It happened to me a few times that I was arbitrarily disconnected.
BTW there are similar free solutions such as logmein or impcremote.
>
> Cheers,
> --
> Dave Ihnat
> ignatz <at> dminet.com
>
> ___________________________________________________________
> TightVNC mailing list, VNC-Tight-list <at> lists.sourceforge.net
> To change your subscription or to UNSUBSCRIBE, please visit
> https://lists.sourceforge.net/lists/listinfo/vnc-tight-list
--
Have a good day,
Kertesz Laszlo
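
An added example, not part of either poster's message: a check for the tunnelled setup in the quoted steps 12 to 14, run from the machine that holds the SSH tunnel. It confirms that port 5900 on the remote address does not answer with a VNC (RFB) greeting while the forwarded local port 6000 does; the function names and the `fake_server` stand-in are illustrative assumptions.

```python
import socket
import threading

def probe_rfb(host, port, timeout=3.0):
    """Return the RFB version (e.g. '003.008') if a VNC server greets us on
    host:port; None if the port is closed, filtered, or speaks something else."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            banner = b""
            while len(banner) < 12:          # ProtocolVersion is exactly 12 bytes
                chunk = s.recv(12 - len(banner))
                if not chunk:
                    break
                banner += chunk
    except OSError:                          # refused, unreachable, timed out
        return None
    if len(banner) == 12 and banner.startswith(b"RFB ") and banner.endswith(b"\n"):
        return banner[4:11].decode("ascii", "replace")
    return None

def check_setup(public_host, direct_port=5900, tunnel_port=6000):
    """direct_exposed should be False (5900 is not forwarded by the router);
    tunnel_ok should be True (the SSH forward on localhost reaches VNC)."""
    return {
        "direct_exposed": probe_rfb(public_host, direct_port) is not None,
        "tunnel_ok": probe_rfb("127.0.0.1", tunnel_port) is not None,
    }

def fake_server(banner):
    """Constructed stand-in for a listening service, for offline runs:
    sends `banner` to one client and returns the port it listens on."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]
    def serve():
        conn, _ = srv.accept()
        conn.sendall(banner)
        conn.close()
        srv.close()
    threading.Thread(target=serve, daemon=True).start()
    return port

if __name__ == "__main__":
    vnc = fake_server(b"RFB 003.008\n")      # constructed: plays the tunnelled VNC
    print(check_setup("127.0.0.1", direct_port=1, tunnel_port=vnc))
```

For a real check, pass the remote side's Internet address as `public_host` while the PuTTY tunnel is up.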