Allow Connections to VNC Server Only From Specific IP Addresses
You could use ufw, the "uncomplicated firewall" that comes with a standard Ubuntu install.
sudo ufw allow 22/tcp
sudo ufw allow from 12.34.56.78 to any port 5901 proto tcp
sudo ufw default reject incoming
sudo ufw enable
Which is:
- allow ssh connections (otherwise you will lock yourself out)
- allow VNC connections from one IP address (edit the port if you don't use 5901)
- reject all other incoming connections
- enable the firewall
Make sure you allow ssh before enabling the firewall, otherwise you'll be locked out.
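The asker has around five management addresses rather than one, and tightvncserver's port depends on the display number (display :N listens on TCP 5900+N, so :1 is 5901). The script below is an added example, not part of the answer above: it generates the full ufw rule set for a whitelist of addresses, in the order that keeps you from locking yourself out (SSH first, VNC per address, default policy, then enable). The IP addresses and the APPLY variable are assumptions made for the example; by default it only prints the commands.

```bash
#!/bin/sh
# Added example: build a ufw rule set that lets several whitelisted hosts
# reach a tightvncserver display while everything else is rejected.
# Nothing touches the real firewall unless APPLY=1 is set.

# Assumed whitelist of management hosts (constructed for this example).
ALLOWED_IPS="192.0.2.10 192.0.2.11 198.51.100.7"

# tightvncserver display :N listens on TCP port 5900+N.
vnc_port() {
    # $1 = display number
    echo $((5900 + $1))
}

# Emit the ufw commands in the order they must run:
#   1. allow SSH so the session used to configure the box survives,
#   2. one allow rule per whitelisted address for the VNC port (TCP only),
#   3. reject everything else inbound,
#   4. enable (--force skips the interactive "may disrupt SSH" prompt).
ufw_rules() {
    # $1 = display number, $2 = space-separated list of allowed IPs
    port=$(vnc_port "$1")
    echo "ufw allow 22/tcp"
    for ip in $2; do
        echo "ufw allow from $ip to any port $port proto tcp"
    done
    echo "ufw default reject incoming"
    echo "ufw --force enable"
}

if [ "${APPLY:-0}" = "1" ]; then
    # Apply each generated rule with sudo.
    ufw_rules 1 "$ALLOWED_IPS" | while read -r cmd; do sudo $cmd; done
else
    # Dry run: print the commands so they can be reviewed first.
    ufw_rules 1 "$ALLOWED_IPS"
fi
```

Run it once without APPLY to review the output, then with `APPLY=1`. Afterwards `sudo ufw status numbered` shows the rules with their indices, which is also how you would later delete a single address (`sudo ufw delete <number>`). `reject` answers blocked connections with a rejection packet; `deny` drops them silently, and ufw accepts either as the default policy. Note that a whitelist like this only works if the allowed clients have stable addresses; a client behind a changing NAT address will be locked out along with the attacker.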
Brandon
Updated on September 18, 2022

Comments
-
Brandon almost 2 years
I administer an Ubuntu 11.10 Server. I've installed tightvncserver on it so I can have a desktop environment on the server.
My issue now is, I'm running into issues with malicious people spamming the VNC server with authentication attempts. I've strengthened the password, but it's still inconvenient as it restricts me from connecting, as the person is using up all the authentication attempts.
There are pretty much around 5 IP addresses that should be able to ATTEMPT to authenticate to the VNC server, this person is using proxies from Romania, China, Korea, etc.
How can I accept authentication attempts to ONLY the IP addresses I specify?
Essentially, I want to do the opposite of this: How to deny VNC access to a particular IP?
And this with VNC instead: How can I allow SSH password authentication from only certain IP addresses?
Any ideas?
Thanks, Brandon
-
jippie about 12 years
Configuring iptables is an option, but so might configuring the VNC server be. Does tight allow configuring a client whitelist?
-
Brandon about 12 years
As a temporary solution, I've just been manually blocking the proxies using iptables as there have only been a few so far. Considering the person is bothering to actually keep trying means they won't be going away easily.
-
Noah Buscher almost 10 years
I found that line two of your solution didn't work, though
sudo ufw allow from 12.34.56.78 to any port 5901
seemed to do the trick. This allows any protocols, though that can be changed for just TCP.