SUMMARY: VNC Security?

From: Ken Wachtler <kwachtler_at_midwave.com>
Date: Tue May 06 2003 - 09:00:19 EDT
Thanks to all those that replied. Great ideas and opinions!
Ken Wachtler
kwachtler@midwave.com

POST:
I am using VNC to provide an X-display for a headless Oracle application
server.
Oracle communicates with VNC using X commands and does not need VNC commands.
To attempt to close the doors of unused interfaces, the window mgr and xterm
lines have been commented in $HOME/.vnc/xstartup. This results in VNC client
connections getting a "blank" screen.

REPLIES:
I use VNC for the same thing for Oracle apps on my servers. One comment: since
nobody needs access to the VNC via http, you can comment the following line out
of the /usr/local/bin/vncserver script:
# $cmd .= " -httpd $vncClasses";
and restart the VNC.
+
Another option to VNC would use a virtual frame buffer - Xvfb
+
I tend to dislike VNC due to its poor network performance (it's a real
bandwidth hog). So, I would suggest using Xvfb for this instead. It's the
"X Virtual Frame Buffer Server"; it basically just sets up a dummy X
server. Sounds like it would be perfect for your application. I've used
it for things like this in the past. It may not be installed, I think
it's part of XFree86, but you should be able to build it easily.
+
I remember seeing ssh information to encrypt the connection (on the VNC
website).  Check this out: http://www.uk.research.att.com/vnc/sshvnc.html
I think you can also use this in conjunction with IPFilter to block unwanted
connections to the VNC ports.
Furthermore, on the SSH and inetd side, you can toy with the allow and deny
hosts/users lines to lockdown unwanted connections.
Of course, if you're worried about local users, that's a different problem ;)
+
On the NT version of the software, there is a parameter for VNC to
listen/not listen for client requests. If there is no way to change the
default on Sun, it should be fairly simple to change the source code.
+
I've used Xvfb in the past, it also works well for headless display.
I assume you're using the Java 2D stuff? Java 1.4 can run AWT in
"headless" mode now, which eliminates the need for a framebuffer (like
Xvfb or VNC). If you are using 1.4.0 or above, try adding this as
a parameter to java: -Djava.awt.headless=true
So you're just running an X root window? That should be fine, can't
really get any leaner than that without using Java's headless mode.
Do check out Java's headless mode I mentioned if you haven't though,
you can get more info on it by using the search bar on
http://java.sun.com
END
_______________________________________________
sunmanagers mailing list
sunmanagers@sunmanagers.org
http://www.sunmanagers.org/mailman/listinfo/sunmanagers
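Editor's added example (not code from the thread, the VNC project or Sun): the
replies above amount to a short hardening procedure for a VNC display that only
an X client on the same box needs to reach. The script below applies the steps
that can be automated and lets you verify them offline. It assumes the
vncserver Perl wrapper and $HOME/.vnc/xstartup layout of the AT&T/TightVNC
distributions, a display number below 100, an ssh tunnel as the only client
path, and IPFilter on the server; hme0, dbhost and the file paths are
placeholders. The -localhost switch mentioned in the demo output is a TightVNC
option and is an assumption for other builds.

```shell
#!/bin/sh
# Added example for the VNC-security summary above; not from the thread or
# from any VNC distribution.  POSIX sh (use ksh on Solaris if /bin/sh is the
# old Bourne shell).  Interface, host and path names below are placeholders.

# VNC display :N listens on TCP 5900+N; the Java-applet HTTP server on 5800+N.
vnc_port()  { echo $((5900 + $1)); }
http_port() { echo $((5800 + $1)); }

# Step 1 (the poster's change): comment out the xterm and window-manager
# lines in xstartup so a client that does connect only sees a bare root
# window.  Any line mentioning xterm or a *wm before a '#' gets commented.
strip_xstartup() {
    sed -e '/^[^#]*xterm/s/^/#/' -e '/^[^#]*wm/s/^/#/' "$1" > "$1.tmp" &&
    mv "$1.tmp" "$1"
}

# Step 2 (first reply): disable the built-in HTTP/Java-applet listener by
# commenting the "-httpd" line in the vncserver wrapper, preserving indent.
disable_httpd() {
    sed -e '/^[[:space:]]*\$cmd .= " -httpd/s/^\([[:space:]]*\)/\1# /' "$1" \
        > "$1.tmp" && mv "$1.tmp" "$1"
}

# Step 3 (third reply): reach the display only through an ssh tunnel.  The
# client then runs "vncviewer localhost:N"; the server sees a loopback
# connection, so the VNC port never has to be exposed on the wire.
ssh_tunnel_cmd() {   # $1 = display number, $2 = server host
    p=$(vnc_port "$1")
    echo "ssh -N -L $p:127.0.0.1:$p $2"
}

# Step 3b: IPFilter rules that drop direct VNC and HTTP-applet traffic on the
# external interface.  Loopback (the tunnel's path) is not filtered by ipf.
ipf_rules() {        # $1 = display number, $2 = external interface
    cat <<EOF
block in log quick on $2 proto tcp from any to any port = $(vnc_port "$1")
block in log quick on $2 proto tcp from any to any port = $(http_port "$1")
EOF
}

# Walk through the procedure on constructed sample files (placeholder data)
# when invoked as "sh vnc-harden.sh --demo"; defining-only otherwise.
demo() {
    d=$(mktemp -d)
    printf '#!/bin/sh\nxrdb $HOME/.Xresources\nxsetroot -solid grey\nxterm -geometry 80x24 &\ntwm &\n' \
        > "$d/xstartup"
    strip_xstartup "$d/xstartup"
    echo "--- xstartup after step 1:"; cat "$d/xstartup"
    printf '$cmd .= " -httpd $vncClasses";\n$cmd .= " -geometry $geometry";\n' \
        > "$d/vncserver"
    disable_httpd "$d/vncserver"
    echo "--- vncserver after step 2:"; cat "$d/vncserver"
    echo "--- client side: $(ssh_tunnel_cmd 1 dbhost)"
    echo "--- server side: vncserver :1 -localhost   (TightVNC; assumption elsewhere)"
    echo "--- /etc/ipf.conf additions:"; ipf_rules 1 hme0
    rm -rf "$d"
}
case "${1:-}" in --demo) demo ;; esac
```

After editing the real files, restart the VNC server and confirm with
`netstat -an | grep 59` that 5901 is the only VNC-related listener (and, with
-localhost, that it is bound to 127.0.0.1); the -httpd listener on 5801 should
be gone entirely.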
Received on Tue May 6 09:00:15 2003

This archive was generated by hypermail 2.1.8 : Thu Mar 03 2016 - 06:43:10 EST