VNC uses a separate password system. It does not check passwords against /etc/passwd but rather against ~/.vnc/passwd, which contains a single primary password and optionally a secondary password that allows only viewing the screen.
To set your VNC password(s), use the "vncpasswd" command. VNC passwords must be between five and eight characters in length – characters beyond the eighth are silently ignored. So if you are using VNC over the Internet, pick a strong, random password, as attackers may use botnets that have numerous IP addresses to circumvent the lockout while cracking your password.
If you must use VNC over the Internet, run it on a randomly chosen port number (not 5900) to avoid detection in port scans that cover only the common ports. Preferably, tunnel your VNC connection over SSH to protect yourself against eavesdropping and man-in-the-middle attacks. If you do this, you should set vncserver to not accept connections from the Internet, disable password-only authentication on the SSH service and use public-key authentication to protect against common brute-force password cracking attempts.
Restarting vncserver should reset the lockout. The manual page does not mention any way to disable the (already inadequate?) lockout entirely.
沒有留言:
張貼留言