I’ve installed RealVNC Server on my desktop PC and Mocha VNC on my smartphone. Please help me configure CIS correctly. At the moment I can connect to my desktop PC only when I disable the firewall. What are the right rules for RealVNC?
Normally VNC Server needs to have TCP 5900 open from the Internet to the PC.
To create a rule to allow this, do the following: open Firewall → Advanced → Network Policy and switch to Global Rules.
Add a new rule:
Allow
TCP
IN
Source = any
Source port = any
Destination = any
Destination port = 5900
Now apply this rule and you should be able to connect to the PC.
But make sure you use strong enough authentication for VNC Server and the latest version of the software, because now “everybody” on the Internet can connect to your VNC Server; whether they can control your system depends on how strong your authentication method(s) are and whether you’re running the latest version.
If your smartphone is in a specific IP range of your provider, you can also choose to use this range in the Source field to at least restrict access to your provider’s IP space.
The different VNC flavours use by default ports 5900 (HTTP connection) and 5800 (Java connection).
Ports 590n and 580n, where n is 1, 2, …, might also be used for NAT redirection inside a particular local network.
Port 5900 (and, to a lesser extent, 5800) is well known to malware robots, and advocating in these conditions a global TCP IN allow rule on port 5900 is criminal, even if VNC allows weak passwords.
Either you write this rule only for the IP address or MAC address of the only device you are using (and, if you use it through the Internet, make it not an allow but an ask rule for some IP or another), or you use whatever free high port instead of 5900 as the default (e.g. 55000 or 59000).
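The three rule variants raised in the two replies above (a global allow on 5900, the same rule narrowed to the provider's source range, and an ask rule on a moved port), modelled as an added example that is not from either poster or from Comodo. It assumes first-match-wins ordering and a block default for unmatched inbound traffic; the IP ranges and the port 55000 are constructed values.

```python
"""Model of the inbound-rule variants discussed in the thread.

Rule fields follow those shown in the first reply: action, protocol,
direction, source, destination port. Assumptions of this model (not
taken from the thread or from CIS documentation): rules are evaluated
first-match-wins, and an inbound connection matched by no rule is blocked.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Rule:
    action: str              # "allow", "block" or "ask"
    proto: str               # "tcp" or "udp"
    direction: str           # "in" or "out"
    source: str              # CIDR range, or "any"
    dst_port: Optional[int]  # None means any destination port

    def matches(self, proto, direction, src_ip, dst_port):
        if self.proto != proto or self.direction != direction:
            return False
        if self.dst_port is not None and self.dst_port != dst_port:
            return False
        if self.source != "any" and ip_address(src_ip) not in ip_network(self.source):
            return False
        return True


def decide(rules, proto, direction, src_ip, dst_port, default="block"):
    """Return the action of the first matching rule, else the default."""
    for rule in rules:
        if rule.matches(proto, direction, src_ip, dst_port):
            return rule.action
    return default


# Variant 1: the rule from the first reply; any Internet host reaches VNC.
OPEN = [Rule("allow", "tcp", "in", "any", 5900)]
# Variant 2: source narrowed to the provider's range (constructed range).
RESTRICTED = [Rule("allow", "tcp", "in", "203.0.113.0/24", 5900)]
# Variant 3: ask rule, with VNC moved off 5900 (constructed port).
ASK_HIGH_PORT = [Rule("ask", "tcp", "in", "any", 55000)]

if __name__ == "__main__":
    # Constructed sample sources: one inside the provider range, one outside.
    for name, rules in (("open", OPEN), ("restricted", RESTRICTED), ("ask", ASK_HIGH_PORT)):
        for src in ("203.0.113.7", "198.51.100.9"):
            print(name, src, decide(rules, "tcp", "in", src, 5900))
```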
“criminal” is a bit harsh, but I understand what you’re saying.
Creating a tighter inbound rule specifying the IP address won’t always work, as in the case of a dynamically assigned IP. MAC address rules would be better. Host name based rules would be next best, but DDNS could affect this as well.
Similarly, changing the default ports used for popular programs (like VNC) should be the first thing done after installation. This is an absolute, hard and fast rule at my workplace. Why give “them” a head start??
Cheers,
Ewen