Mailing List Archive

Blacklisted IP address
Does anyone know how to unblacklist an IP address that is being blocked.
_______________________________________________
VNC-List mailing list
VNC-List@realvnc.com
To remove yourself from the list visit:
http://www.realvnc.com/mailman/listinfo/vnc-list
Re: Blacklisted IP address
I could be wrong about this but restarting the vnc service will reset
all temporary blacklists (usually bad password).

If the IP address is permanently blocked then you need to change the
access control filters in vnc's configuration. See here for windows
info about this:
http://www.realvnc.com/products/free/4.1/winvnc.html#Connections

Good Luck,
Angelo

On 5/31/05, Lee <ooglala@gmail.com> wrote:
> Does anyone know how to unblacklist an IP address that is being blocked.
Re: Blacklisted IP address
Lee:

Heya. Blacklisting only happens if a client tries
and fails to connect repeatedly -- it seems to be about
5 times in a 10 second interval (empirical data, here;
I'm not actually sure what the "interval" for failures
is). Once blacklisting is triggered, it takes the
"BlacklistTimeout" number of seconds until the server will
again accept connections from that IP address.

To effectively disable this feature, you can set
the "BlacklistTimeout" registry key in ../WinVNC4 to "0".
But...your email suggests that an IP address is being
"blocked", so maybe it's really an AuthHosts problem, not
a blacklisting one?

Along these lines...I'm not sure I see the point
of blacklisting the loopback interface. That's like making
sure the front door is securely locked after the bad guys
are already in the house. :)

-Scott

> Does anyone know how to unblacklist an IP address that is
> being blocked.
RE: Blacklisted IP address
Scott & Lee,

Blacklisting prevents individual hosts from being used to dictionary attack
a VNC Server. It's a security feature and disabling it is A Bad Thing.

Regards,

Wez @ RealVNC Ltd.


> -----Original Message-----
> From: vnc-list-admin@realvnc.com
> [mailto:vnc-list-admin@realvnc.com] On Behalf Of Scott C. Best
> Sent: 01 June 2005 17:33
> To: vnc-list@realvnc.com
> Cc: ooglala@gmail.com
> Subject: Re: Blacklisted IP address
>
> Lee:
>
> Heya. Blacklisting only happens if a client tries
> and fails to connect repeatedly -- it seems to be about
> 5 times in a 10 second interval (empirical data, here;
> I'm not actually sure what the "interval" for failures
> is). Once blacklisting is triggered, it takes the
> "BlacklistTimeout" number of seconds until the server will
> again accept connections from that IP address.
>
> To effectively disable this feature, you can set
> the "BlacklistTimeout" registry key in ../WinVNC4 to "0".
> But...your email suggests that an IP address is being
> "blocked", so maybe it's really an AuthHosts problem, not
> a blacklisting one?
>
> Along these lines...I'm not sure I see the point
> of blacklisting the loopback interface. That's like making
> sure the front door is securely locked after the bad guys
> are already in the house. :)
>
> -Scott
RE: Blacklisted IP address
Wez:

I agree it *slows down* a dictionary attack, but it cannot
prevent one. I also agree it's a good idea, but not a "free" one: by
adding Blacklisting, you've of course created a denial-of-service
vulnerability (e.g., an applet that did nothing but repeatedly open
and close TCP sockets to 127.0.0.1:5900 would prevent legitimate,
SSH-tunneled VNC connections).

cheers,
Scott

On Wed, 1 Jun 2005, James Weatherall wrote:

> Scott & Lee,
>
> Blacklisting prevents individual hosts from being used to dictionary attack
> a VNC Server. It's a security feature and disabling it is A Bad Thing.
>
> Regards,
>
> Wez @ RealVNC Ltd.
Re: Blacklisted IP address
Hello all,
Thank you.
How would I disable blacklisting if I decided this was a good option for me?
Thanks for all your help,
Lee

On 6/1/05, Scott C. Best <sbest@best.com> wrote:
>
> Wez:
>
> I agree it *slows down* a dictionary attack, but it cannot
> prevent one. I also agree it's a good idea, but not a "free" one: by
> adding Blacklisting, you've of course created a denial-of-service
> vulnerability (e.g., an applet that did nothing but repeatedly open
> and close TCP sockets to 127.0.0.1:5900 would prevent legitimate,
> SSH-tunneled VNC connections).
>
> cheers,
> Scott
Re: Blacklisted IP address
How long does it usually take to unblacklist an IP address. I have waited 24
hrs and still giving me the same message "connection closed unexpectedly"
Thanks,
Lee

On 6/1/05, Lee <ooglala@gmail.com> wrote:
>
> Hello all,
> Thank you.
> How would I disable blacklisting if I decided this was a good option for
> me?
> Thanks for all your help,
> Lee
Re: Blacklisted IP address
Hi All,
I have restarted the system and I still get the blacklisted event in the
event viewer and still no connection.
Any other suggestions?
Lee

On 6/1/05, Lee <ooglala@gmail.com> wrote:
>
> How long does it usually take to unblacklist an IP address. I have waited
> 24 hrs and still giving me the same message "connection closed
> unexpectedly"
> Thanks,
> Lee
Re: Blacklisted IP address
Lee:

Heya. What you're describing doesn't sound like a
blacklist problem -- a blacklisted IP address should become
non-blacklisted after only a few seconds, definitely not
minutes or hours.
So...why exactly do you think it's a blacklist
issue? To ask another way: can you connect to the target
VNC Server from *anything*, or are all connections to it
(from multiple VNC Viewer Pc's) not working?

-Scott

> Hi All,
> I have restarted the system and I still get the blacklisted event in the
> event viewer and still no connection.
> Any other suggestions?
> Lee
>
> On 6/1/05, Lee <ooglala@gmail.com> wrote:
>>
>> How long does it usually take to unblacklist an IP address. I have waited
>> 24 hrs and still giving me the same message "connection closed unexpectedly"
>> Thanks,
>> Lee
<snip>
Re: Blacklisted IP address
Hi Scott,
When I try to connect from the viewer computer it gives the error
"connection disconnected unexpectedly", so it is connecting, but not keeping
the connection. When I check the Windows XP event viewer under application
on my host computer it reads Connections: the IP address of the server
computer and the term blacklisted. I can connect to the host computer from
other computers (my wife's work computer). What else can be happening to block
this one computer? As far as I can tell I have opened up the correct ports
on Norton and it should be a go. What does it sound like to you?
Thanks,
Lee
On 6/1/05, Scott C. Best <sbest@best.com> wrote:
>
> Lee:
>
> Heya. What you're describing doesn't sound like a
> blacklist problem -- a blacklisted IP address should become
> non-blacklisted after only a few seconds, definitely not
> minutes or hours.
> So...why exactly do you think it's a blacklist
> issue? To ask another way: can you connect to the target
> VNC Server from *anything*, or are all connections to it
> (from multiple VNC Viewer Pc's) not working?
>
> -Scott
RE: Blacklisted IP address
Lee,

You will see the message "Too many security failures" if a host has been
blacklisted, rather than "Connection closed unexpectedly". Blacklisting
will only last for 24 hours if, during that time, something on the
blacklisted machine is repeatedly trying to re-connect to the server.

Are you sure you haven't accidentally entered an incorrect Access Control
entry that is causing the connection to be dropped?

Regards,

Wez @ RealVNC Ltd.


> -----Original Message-----
> From: vnc-list-admin@realvnc.com
> [mailto:vnc-list-admin@realvnc.com] On Behalf Of Lee
> Sent: 02 June 2005 01:33
> To: Scott C. Best
> Cc: James Weatherall; vnc-list@realvnc.com
> Subject: Re: Blacklisted IP address
>
> How long does it usually take to unblacklist an IP address. I
> have waited 24
> hrs and still giving me the same message "connection closed
> unexpectedly"
> Thanks,
> Lee
RE: Blacklisted IP address
Scott,

The blacklisting algorithm uses exponential back-off, so it really *does*
prevent dictionary attacks from being viable.

As regards the possibility of DoS attacks - yes, they are possible but the
DoS attack you describe prevents anyone on the attacking host from accessing
it, while a dictionary attack would actually grant the attacker access to
that server, which is clearly worse!

Regards,

Wez @ RealVNC Ltd.


> -----Original Message-----
> From: vnc-list-admin@realvnc.com
> [mailto:vnc-list-admin@realvnc.com] On Behalf Of Scott C. Best
> Sent: 01 June 2005 19:42
> To: James Weatherall
> Cc: vnc-list@realvnc.com; ooglala@gmail.com
> Subject: RE: Blacklisted IP address
>
> Wez:
>
> I agree it *slows down* a dictionary attack, but it cannot
> prevent one. I also agree it's a good idea, but not a "free" one: by
> adding Blacklisting, you've of course created a denial-of-service
> vulnerability (e.g., an applet that did nothing but repeatedly open
> and close TCP sockets to 127.0.0.1:5900 would prevent legitimate,
> SSH-tunneled VNC connections).
>
> cheers,
> Scott
Re: Blacklisted IP address
Slightly off-topic: TightVNC, and Blacklisting IPs when fails to connect repeatedly?

Does TightVNC have this security feature?

Our small business uses TVNC over WinVNC4 since we frequently need simple file transfer functionality, maybe this is old outdated news too?

Does TightVNC have any protection from repeated DoS attacks to looped PW guess attempts? We have already initiated the standard use of different ports from the defaults of 5900 and 5800.
Re: Blacklisted IP address
Lee:

Wow, that is a weird one. Please try this: open a command
window on your VNC Viewer PC (Start -> Run -> "cmd"), and type
"netstat -an". Check to see if anything is running with a connection
to your target VNC Server's TCP port 5900.

To disable blacklisting on your VNC Server, do this:

1. Start -> Run -> "regedit"
2. Add a new registry string value here:

HKEY_CURRENT_USER\Software\RealVNC\WinVNC4 (for user-mode)
HKEY_LOCAL_MACHINE\Software\RealVNC\WinVNC4 (for service-mode)

3. Name the new registry string "BlacklistTimeout".
4. Set the value to "0".

From what you describe...it sounds like something on
your VNC Viewer PC is periodically connecting to your VNC Server
PC's TCP 5900, causing the blacklist time period to extend
indefinitely. The above "netstat" command should help you to
detect if that's the case; you'll need to run a "process to
port" mapper to actually discover the software application that's
doing it though:

http://www.foundstone.com/knowledge/proddesc/fport.html

Hope that helps!

-Scott

On Wed, 1 Jun 2005, Lee wrote:

> Hi Scott,
> When I try to connect from the viewer computer it gives the error
> "connection disconnected unexpectedly", so it is connecting,but not keeping
> the connection. When I check the Windows XP event viewer under application
> on my host computer it reads Connections: the IP address of the server
> computer and the term blacklisted. I can connect to the host computer from
> other computers(my wifes work computer). What else can be happening to block
> this one computer. As far as I can tell I have opened up the correct ports
> on Norton and it should be a go. What does it sound like to you?
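
The "netstat -an" check suggested in the message above, as an added example that is not part of the original post: it parses several snapshots of Windows `netstat -an` output taken on the viewer PC and reports every local port that held a connection to the server's TCP 5900. The snapshots, the addresses and the threshold of three distinct local ports are constructed assumptions.

```python
"""Spot repeated connections to a VNC server in `netstat -an` snapshots."""

# Constructed sample: (seconds since first snapshot, netstat -an output).
# Taken while no VNC Viewer window is open on this PC.
SNAPSHOTS = [
    (0, """
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    192.0.2.20:1045        192.0.2.10:5900        TIME_WAIT
  TCP    192.0.2.20:1046        198.51.100.5:80        ESTABLISHED
  UDP    0.0.0.0:445            *:*
"""),
    (30, """
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    192.0.2.20:1045        192.0.2.10:5900        TIME_WAIT
  TCP    192.0.2.20:1051        192.0.2.10:5900        ESTABLISHED
"""),
    (60, """
  Proto  Local Address          Foreign Address        State
  TCP    192.0.2.20:1051        192.0.2.10:5900        TIME_WAIT
  TCP    192.0.2.20:1058        192.0.2.10:5900        SYN_SENT
"""),
]


def parse_netstat(text):
    """Return (local_host, local_port, remote_host, remote_port, state) per TCP row."""
    rows = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 4 or fields[0] != "TCP":
            continue  # headers, blank lines and UDP rows
        local_host, local_port = fields[1].rsplit(":", 1)
        remote_host, remote_port = fields[2].rsplit(":", 1)
        if local_port.isdigit() and remote_port.isdigit():
            rows.append((local_host, int(local_port),
                         remote_host, int(remote_port), fields[3]))
    return rows


def connections_to_server(snapshots, server_ip, port=5900):
    """Map each local port that talked to server_ip:port to its (time, state) sightings."""
    seen = {}
    for taken_at, text in snapshots:
        for _, local_port, remote_host, remote_port, state in parse_netstat(text):
            if remote_host == server_ip and remote_port == port:
                seen.setdefault(local_port, []).append((taken_at, state))
    return seen


def looks_like_background_reconnects(snapshots, server_ip, min_distinct=3):
    """Every new TCP connection gets a new local port, so several distinct
    local ports across the snapshots mean something keeps reconnecting."""
    return len(connections_to_server(snapshots, server_ip)) >= min_distinct


if __name__ == "__main__":
    for port, sightings in sorted(connections_to_server(SNAPSHOTS, "192.0.2.10").items()):
        print(port, sightings)
    print("repeated reconnects:", looks_like_background_reconnects(SNAPSHOTS, "192.0.2.10"))
```

A port-to-process mapper, as the message says, is still needed to name the program that owns those local ports.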
RE: Blacklisted IP address
Wez:
I agree that exponential back-off for failed authentication
attempts is a good way to prevent dictionary attacks from being
viable. Here's my concern: your software's blacklisting isn't
actually "tripped" by failed authentication attempts -- it's tripped
by *any connection at all*. That's not the best solution, IMO,
for two reasons:

1. It makes things trickier for (ahem) ISV's who write 3rd
party tools that, say, auto-detect VNC Servers on a LAN.
Of course, I understand that making their lives easier is
pretty low on your list of concerns, but it's worth a
mention.

2. It overly exposes VNC to DoS attacks. With nmap running on
a PC with access to raw sockets, I could:

% nmap -sT -p 5900 my.lan.ip.address/24 -S ip.address.to.block
% <repeat once a minute>

This will transmit spoofed packets to all RealVNC servers on
the LAN, effectively blacklisting any IP address I choose.

I'm hopeful for those 2 reasons, you'll at least consider
modifying the blacklist "trip" mechanism in your future releases,
so that it activates *after* multiple password attempts have
actually failed. That's much more resilient to spoofed connections,
as it actually requires a real protocol exchange.

cheers,
Scott

> The blacklisting algorithm uses exponential back-off, so it really *does*
> prevent dictionary attacks from being viable.
>
> As regards the possibility of DoS attacks - yes, they are possible but the
> DoS attack you describe prevents anyone on the attacking host from accessing
> it, while a dictionary attack would actually grant the attacker access to
> that server, which is clearly worse!
<snip>
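
A simplified model of the two trip policies argued over in this thread, as an added example that is not RealVNC's code: it counts how many password guesses get tested in a given time under exponential back-off, and shows whether a correct login succeeds after a minute of bare connections from the same address. The threshold of 5 strikes, the 10-second first block and the doubling rule are assumptions based on the figures quoted in the discussion.

```python
"""Per-address blacklist with exponential back-off, under two trip policies."""
from dataclasses import dataclass

THRESHOLD = 5      # assumption: strikes tolerated before the first block
BASE_TIMEOUT = 10  # assumption: first block in seconds (the "BlacklistTimeout" role)


@dataclass
class Entry:
    strikes: int = 0
    timeout: int = BASE_TIMEOUT
    blocked_until: int = 0


class Blacklist:
    def __init__(self, count_every_connection):
        # True:  any connection that does not end in a successful login is a strike
        # False: only a failed password exchange is a strike
        self.count_every_connection = count_every_connection
        self.hosts = {}

    def attempt(self, ip, now, outcome):
        """outcome: 'ok', 'bad_password' or 'no_auth' (socket opened, then closed)."""
        entry = self.hosts.setdefault(ip, Entry())
        if now < entry.blocked_until:
            return "blocked"
        if outcome == "ok":
            del self.hosts[ip]  # a successful login clears the record
            return "accepted"
        if outcome == "bad_password" or self.count_every_connection:
            entry.strikes += 1
            if entry.strikes >= THRESHOLD:
                entry.blocked_until = now + entry.timeout
                entry.timeout *= 2  # the next block is twice as long
        return "rejected"


def guesses_tested(seconds, count_every_connection=False):
    """Password guesses that reach the check when one is sent every second."""
    blacklist = Blacklist(count_every_connection)
    tested = 0
    for now in range(seconds):
        if blacklist.attempt("203.0.113.7", now, "bad_password") != "blocked":
            tested += 1
    return tested


def login_after_noise(count_every_connection, noise_seconds=60):
    """Something on the same address opens and closes the port once a second;
    afterwards the real user connects with the correct password."""
    blacklist = Blacklist(count_every_connection)
    for now in range(noise_seconds):
        blacklist.attempt("127.0.0.1", now, "no_auth")
    return blacklist.attempt("127.0.0.1", noise_seconds, "ok")


if __name__ == "__main__":
    print("guesses tested in 24 h:", guesses_tested(24 * 60 * 60))
    print("trip on any connection:", login_after_noise(True))
    print("trip on failed password only:", login_after_noise(False))
```

In this model the back-off limits a guesser to a handful of tested passwords per day under either policy; only the policy that counts bare connections locks out the legitimate user.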
Re: Blacklisted IP address
Hi All,
Still no connection from my work computer to my host home computer. Am I
missing some setting on my host computer that could be blocking this
specific ip address. Or would the problem more likely be on the viewer
computer?
Thanks,
Lee

On 6/2/05, Scott C. Best <sbest@best.com> wrote:
>
> Wez:
> I agree that exponential back-off for failed authentication
> attempts is a good way to prevent dictionary attacks from being
> viable. Here's my concern: your software's blacklisting isn't
> actually "tripped" by failed authentication attempts -- it's tripped
> by *any connection at all*. That's not the best solution, IMO,
> for two reasons:
>
> 1. It makes things tricker for (ahem) ISV's who write 3rd
> party tools that, say, auto-detect VNC Servers on a LAN.
> Of course, I understand that making their lives easier is
> pretty low on your list of concerns, but it's worth a
> mention.
>
> 2. It overly exposes VNC to DoS attacks. With nmap running on
> a PC with access to raw sockets, I could:
>
> % nmap -sT -p 5900 my.lan.ip.address/24 -S ip.address.to.block
> % <repeat once a minute>
>
> This will transmit spoofed packets to all RealVNC servers on
> the LAN, effectively blacklisting any IP address I choose.
>
> I'm hopeful for those 2 reasons, you'll at least consider
> modifying the blacklist "trip" mechanism in your future releases,
> so that it activates *after* multiple password attempts have
> actually failed. That's much more resilient to spoofed connections,
> as it actually requires a real protocol exchange.
>
> cheers,
> Scott
Re: Blacklisted IP address
Lee:

As an experiment, please try this: install one of the older
VNC servers on your host home computer:

http://www.realvnc.com/products/free/3.3.7/download.html

See if you can establish a connection to that VNC Server.
If that works...we'll know better how to peel this onion.

good luck,
Scott

On Wed, 8 Jun 2005, Lee wrote:

> Hi All,
> Still no connection from my work computer to my host home computer. Am I
> missing some setting on my host computer that could be blocking this
> specific ip address. Or would the problem more likely be on the viewer
> computer?
> Thanks,
> Lee
<snip>
RE: Blacklisted IP address
Scott,

Really? How will that help?

Lee,

It sounds like you've got some problem with the Hosts/Access Control
setting, so that you've configured VNC Server to block connections from
certain/all IP addresses - it doesn't sound like blacklisting at all.

Regards,

Wez @ RealVNC Ltd.


> -----Original Message-----
> From: vnc-list-admin@realvnc.com
> [mailto:vnc-list-admin@realvnc.com] On Behalf Of Scott C. Best
> Sent: 08 June 2005 22:25
> To: Lee
> Cc: vnc-list@realvnc.com
> Subject: Re: Blacklisted IP address
>
> Lee:
>
> As an experiment, please try this: install one of the older
> VNC servers on your host home computer:
>
> http://www.realvnc.com/products/free/3.3.7/download.html
>
> See if you can establish a connection to that VNC Server.
> If that works...we'll know better how to peel this onion.
>
> good luck,
> Scott
RE: Blacklisted IP address
Wez:

Sorry for not being obvious: the 3.3.7 version does not
include the blacklisting feature. If he can successfully connect
to it, but not to 4.1.x, it narrows down what the problem is.
Also, 3.3.7 doesn't use the same registry keys, so if he has
the 4.1 version's incorrectly set somehow, it also won't affect
the 3.3.7 operation.

-Scott

On Thu, 9 Jun 2005, James Weatherall wrote:

> Scott,
>
> Really? How will that help?
>
> Lee,
>
> It sounds like you're got some problem with the Hosts/Access Control
> setting, so that you've configured VNC Server to block connections from
> certain/all IP addresses - it doesn't sound like blacklisting at all.
>
> Regards,
>
> Wez @ RealVNC Ltd.
<snip>
Re: Blacklisted IP address
Hi Scott,
I will give it a try. Do I have to install the older viewer also?
Thanks,
Lee

On 6/8/05, Scott C. Best <sbest@best.com> wrote:
>
> Lee:
>
> As an experiment, please try this: install one of the older
> VNC servers on your host home computer:
>
> http://www.realvnc.com/products/free/3.3.7/download.html
>
> See if you can establish a connection to that VNC Server.
> If that works...we'll know better how to peel this onion.
>
> good luck,
> Scott
>
> On Wed, 8 Jun 2005, Lee wrote:
>
> > Hi All,
> > Still no connection from my work computer to my host home computer. Am I
> > missing some setting on my host computer that could be blocking this
> > specific ip address. Or would the problem more likely be on the viewer
> > computer?
> > Thanks,
> > Lee
> <snip>
Re: Blacklisted IP address [ In reply to ]
Lee:

I'm pretty sure the newer viewers are fully compatible
with the older versions, so there should be no troubles there.
Good luck!

-Scott

On Wed, 8 Jun 2005, Lee wrote:

> Hi Scott,
> I will give it a try. Do I have to install the older viewer also?
> Thanks,
> Lee
>
> On 6/8/05, Scott C. Best <sbest@best.com> wrote:
>>
>> Lee:
>>
>> As an experiment, please try this: install one of the older
>> VNC servers on your host home computer:
>>
>> http://www.realvnc.com/products/free/3.3.7/download.html
>>
>> See if you can establish a connection to that VNC Server.
>> If that works...we'll know better how to peel this onion.
>>
>> good luck,
>> Scott
<snip>
Re: Blacklisted IP address [ In reply to ]
Hi Scott,
I tried it and still no luck.
Lee

On 6/8/05, Scott C. Best <sbest@best.com> wrote:
>
> Lee:
>
> I'm pretty sure the newer viewers are fully compatible
> with the older versions, so there should be no troubles there.
> Good luck!
>
> -Scott
>
> On Wed, 8 Jun 2005, Lee wrote:
>
> > Hi Scott,
> > I will give it a try. Do I have to install the older viewer also?
> > Thanks,
> > Lee
> >
> > On 6/8/05, Scott C. Best <sbest@best.com> wrote:
> >>
> >> Lee:
> >>
> >> As an experiment, please try this: install one of the older
> >> VNC servers on your host home computer:
> >>
> >> http://www.realvnc.com/products/free/3.3.7/download.html
> >>
> >> See if you can establish a connection to that VNC Server.
> >> If that works...we'll know better how to peel this onion.
> >>
> >> good luck,
> >> Scott
> <snip>
Re: Blacklisted IP address [ In reply to ]
I haven't blocked any IP address on purpose. How would I unblock them if I
had?
Lee

On 6/8/05, Scott C. Best <sbest@best.com> wrote:
>
> Wez:
>
> Sorry for not being obvious: the 3.3.7 version does not
> include the blacklisting feature. If he can successfully connect
> to it, but not to 4.1.x, it narrows down what the problem is.
> Also, 3.3.7 doesn't use the same registry keys, so if he has
> the 4.1 version's incorrectly set somehow, it also won't affect
> the 3.3.7 operation.
>
> -Scott
>
> On Thu, 9 Jun 2005, James Weatherall wrote:
>
> > Scott,
> >
> > Really? How will that help?
> >
> > Lee,
> >
> > It sounds like you've got some problem with the Hosts/Access Control
> > setting, so that you've configured VNC Server to block connections from
> > certain/all IP addresses - it doesn't sound like blacklisting at all.
> >
> > Regards,
> >
> > Wez @ RealVNC Ltd.
> <snip>
Re: Blacklisted IP address [ In reply to ]
Hi James,
I only have the + in the access control area.
Lee

On 6/2/05, James Weatherall <jnw@realvnc.com> wrote:
>
> Lee,
>
> You will see the message "Too many security failures" if a host has been
> blacklisted, rather than "Connection closed unexpectedly". Blacklisting
> will only last for 24 hours if, during that time, something on the
> blacklisted machine is repeatedly trying to re-connect to the server.
>
> Are you sure you haven't accidentally entered an incorrect Access Control
> entry that is causing the connection to be dropped?
>
> Regards,
>
> Wez @ RealVNC Ltd.
>
>
> > -----Original Message-----
> > From: vnc-list-admin@realvnc.com
> > [mailto:vnc-list-admin@realvnc.com] On Behalf Of Lee
> > Sent: 02 June 2005 01:33
> > To: Scott C. Best
> > Cc: James Weatherall; vnc-list@realvnc.com
> > Subject: Re: Blacklisted IP address
> >
> > How long does it usually take to unblacklist an IP address. I have
> > waited 24 hrs and still giving me the same message "connection closed
> > unexpectedly"
> > Thanks,
> > Lee
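
Added example, not part of the thread and not RealVNC's code: a small evaluator for a Hosts/Access Control pattern of the kind discussed above, showing that a lone "+" accepts every address while a leftover "-" entry silently rejects a work machine. The pattern grammar modelled here (comma-separated entries, a +/-/? action prefix, address/mask, first match wins), the no-match default and all sample addresses are assumptions.

```python
import ipaddress

# Assumed action prefixes for a Hosts/Access Control entry.
ACTIONS = {"+": "accept", "-": "reject", "?": "query"}


def parse_hosts(pattern):
    """Parse e.g. '+192.168.1.0/255.255.255.0,-' into [(action, network), ...]."""
    rules = []
    for entry in pattern.split(","):
        entry = entry.strip()
        if not entry:
            continue  # tolerate a trailing comma
        if entry[0] not in ACTIONS:
            raise ValueError(f"entry {entry!r} lacks a +, - or ? prefix")
        spec = entry[1:] or "0.0.0.0/0"  # a bare action matches every address
        if "/" not in spec:
            spec += "/32"  # a bare address means that single host
        # strict=False tolerates host bits set in the address part
        network = ipaddress.ip_network(spec, strict=False)
        rules.append((ACTIONS[entry[0]], network))
    return rules


def decide(pattern, client_ip, default="reject"):
    """Return (action, matching network) for client_ip; the first match wins.

    The fall-through `default` is an assumption; pass the value your server uses.
    """
    addr = ipaddress.ip_address(client_ip)
    for action, network in parse_hosts(pattern):
        if addr in network:
            return action, str(network)
    return default, None


# Constructed samples: 203.0.113.7 stands in for the work machine's address.
SAMPLES = [
    ("+", "203.0.113.7"),                             # lone "+": accepts everyone
    ("+192.168.1.0/255.255.255.0,-", "203.0.113.7"),  # LAN only, rest rejected
    ("+192.168.1.0/255.255.255.0,-", "192.168.1.20"),
]

if __name__ == "__main__":
    for pattern, ip in SAMPLES:
        action, matched = decide(pattern, ip)
        print(f"{pattern!r:36} {ip:14} -> {action} (matched {matched})")
```
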
RE: Blacklisted IP address [ In reply to ]
Scott,

I'm afraid you are mistaken - VNC 3.3.7 *does* include blacklisting.

Regards,

Wez @ RealVNC Ltd.


> -----Original Message-----
> From: vnc-list-admin@realvnc.com
> [mailto:vnc-list-admin@realvnc.com] On Behalf Of Scott C. Best
> Sent: 09 June 2005 00:49
> To: James Weatherall
> Cc: 'Lee'; vnc-list@realvnc.com
> Subject: RE: Blacklisted IP address
>
> Wez:
>
> Sorry for not being obvious: the 3.3.7 version does not
> include the blacklisting feature. If he can successfully connect
> to it, but not to 4.1.x, it narrows down what the problem is.
> Also, 3.3.7 doesn't use the same registry keys, so if he has
> the 4.1 version's incorrectly set somehow, it also won't affect
> the 3.3.7 operation.
>
> -Scott