How secure are VNC consoles for KVM?

The standard VNC authentication is weak - it has a maximum password length of 8 characters, and other design flaws.

How secure is it to leave the KVM console exposed via VNC in the wild in practice? Do providers have other security measures for it, for example fail2ban, or is nobody really brute-forcing the VNC console password?

Comments

  • perennate Member, Host Rep
    edited December 2018

    I believe providers typically offer one (or more often both) of two ways to connect to VNC consoles, neither of which involve leaving the VNC port exposed at all times:

    1) The VNC console runs as a web app in the client's web browser (usually noVNC), and VNC traffic is tunneled over a WSS (secure websocket) connection. The connection is authenticated with cookies and the client must already be logged into the control panel. The server forwards the traffic over to the internal network.

    2) The client presses a button in the web app to expose the VNC port (via a TCP or VNC tunnel) for a brief period of time, e.g. 10 minutes. After the time elapses, new connections are no longer accepted.

    In both cases, the qemu-kvm process listens only on loopback or the internal network. A separate application tunnels traffic to the process.

    There are tons of people brute forcing all IPs for open VNC ports, so I can't imagine that there isn't anyone trying at least a few common passwords. But 8 characters with letters+numbers is 36^8 combinations, which would take 89 years to brute force at 1000 attempts per second.
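
Added example, not part of the post above and not any provider's actual code: a minimal sketch of option 2, a TCP forwarder that exposes a loopback-only VNC socket for a fixed window and then stops accepting new connections. The names `open_window` and `demo` are hypothetical, and the backend is a constructed stand-in that only sends an RFB version banner.

```python
import asyncio

async def _pipe(reader, writer):
    """Copy bytes one way until EOF, then close the destination."""
    try:
        while data := await reader.read(65536):
            writer.write(data)
            await writer.drain()
    except ConnectionError:
        pass
    finally:
        writer.close()

async def open_window(vnc_host, vnc_port, window_s, listen_host="127.0.0.1"):
    """Expose vnc_host:vnc_port on an ephemeral port for window_s seconds."""
    async def handle(c_reader, c_writer):
        try:
            v_reader, v_writer = await asyncio.open_connection(vnc_host, vnc_port)
        except OSError:
            c_writer.close()
            return
        await asyncio.gather(_pipe(c_reader, v_writer), _pipe(v_reader, c_writer))
    server = await asyncio.start_server(handle, listen_host, 0)
    port = server.sockets[0].getsockname()[1]
    # close() only stops listening; sessions already established keep running.
    asyncio.get_running_loop().call_later(window_s, server.close)
    return port

async def demo():
    """Constructed test: a fake VNC backend that only sends the RFB banner."""
    async def fake_vnc(reader, writer):
        writer.write(b"RFB 003.008\n")
        writer.close()                        # close() flushes the banner first
    backend = await asyncio.start_server(fake_vnc, "127.0.0.1", 0)
    vnc_port = backend.sockets[0].getsockname()[1]
    port = await open_window("127.0.0.1", vnc_port, window_s=0.5)
    reader, writer = await asyncio.open_connection("127.0.0.1", port)
    banner = await reader.readline()          # inside the window: forwarded
    writer.close()
    await asyncio.sleep(0.8)                  # window has elapsed
    try:
        await asyncio.open_connection("127.0.0.1", port)
        refused = False
    except OSError:
        refused = True                        # listener is gone
    backend.close()
    return banner, refused

if __name__ == "__main__":
    print(asyncio.run(demo()))
```

In a real deployment the listener would bind the public interface while the qemu-kvm VNC socket stays on loopback or the internal network, as the post describes.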

  • Whenever I put VNC on my box, I always set up a port knocker on it to have some "protection" :smiley: Even with --blacklisttimeout 0, it has almost never given me any problem, yet :)

    https://en.m.wikipedia.org/wiki/Port_knocking
