back to article It's 2022 and there are still thousands of public systems using password-less VNC

Thousands of machines on the public internet can be remotely controlled via VNC without any authentication, a cybersecurity vendor has reminded us this month. These boxes, minus any that are honeypot devices, provide an easy, unhindered route into corporate networks, critical infrastructure, and other computer systems, for …

  1. karlkarl Silver badge

    We use passwordless VNC. Admittedly we only let it listen on 127.0.0.1 for SSH tunnelling.

    And to be fair, when we update our server, I am going to ideally try to get it to listen on a UNIX domain socket instead. More recent versions of OpenSSH allow encrypted tunnelling to UNIX socket endpoints.

    1. MyffyW Silver badge

      Ah yes, but have you war-gamed what will happen if a packet hits a pocket on the socket of a port?

      1. David 132 Silver badge
        Coat

        Yes. Lock it, fast as a rocket. It’s prudent, don’t knock it.

  2. SloppyJesse

    It's for research, guv

    "it witnessed miscreants and bots scanning the 'net for active services on the default VNC TCP port 5900, detecting about seven surges of such activity between July 9 and August 9"

    How many were security researchers also looking for exposed servers?

  3. John Smith 19 Gold badge
    FAIL

    My question is if they are so easy to find

    WTF is it so difficult to secure them?

    I suspect that this will continue to be a persistent issue until C Suite type are actually responsible for the consequences of a breach.

  4. train_wreck

    RATty like it’s 1999

  5. man_iii

    XRDP or VncOverSSH

    There are free implementation of RDP now on Linux servers. No need to have VNC exposed.

    And VNC is not designed for security! So securing it properly is an important house cleaning

  6. Sudosu

    I've seen things you people wouldn't believe

    Critical SCADA management systems connected directly to the internet

    Running on XP

    With VNC and no passwords

    All will be hacked, in time

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like