RDO: how to disable remote vnc?

asked 2013-09-16 12:45:07 -0500

holms

updated 2014-01-22 15:12:28 -0500

Evgeny

I don't know if this is considered safe, but when I entered the IP of my server and screen :0 into vncviewer, I could connect to VNC remotely. This is a good feature, but I would really like to disable any remote VNC access, or at least put it under a password.

I feel really uncomfortable that anybody can start a VNC session to my private cloud without any credentials.

I have a one-node setup, and as far as I remember, one guy from the IRC channel complained that if some of the ports are forbidden by iptables, the whole of OpenStack stops working, or something like this. So I'm afraid to experiment with iptables.

Asking for your advice on what the best resolution is for firewalling a single-node RDO setup; at least VNC firewalling would be extremely nice.


Comments

You can set up token authentication with nova-consoleauth: http://docs.openstack.org/trunk/openstack-compute/install/yum/content/getting-started-with-vnc-proxy.html . But I don't think encrypted connections are possible yet. So I guess you just need to disable noVNC.

darragh-oreilly ( 2013-10-19 02:56:33 -0500 )edit

1 answer


answered 2013-10-18 15:54:24 -0500

larsks

In general:

Your local firewall should only permit external access to an explicit list of services. Moving your firewall to a default-deny configuration, in which you only expose services intentionally rather than by default, would solve this particular problem (and prevent other ones down the road).

You shouldn't be afraid to experiment with your iptables configuration. Just back it up first, and make sure that you have a mechanism to recover if you manage to block your own remote access.

With regards to Nova and VNC access:

The system running your web interface ("horizon") needs to be able to contact the VNC port on your compute nodes. If you have an all-in-one (single node) deployment, a simple solution is to set both vncserver_listen and vncserver_proxyclient_address to 127.0.0.1. This causes the VNC ports to be bound to the loopback address, making them inaccessible to anyone not on the local host.

You can also use iptables as your solution on your single-node system, although you will obviously need to open up ports to permit inbound access to the web interface (ports 80 and 443) and any API services you wish to expose.

If you have a simple multi-node deployment (with a single controller and one or more compute nodes), the only access you need to permit on your compute nodes is connections from the controller. You can otherwise have a very strict firewall that prohibits all other access.

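The three pieces of the answer above (loopback-bound VNC, a default-deny firewall you can recover from, and a controller-only allow rule for compute nodes) as one script. This is an added example, not code from larsks' answer or from RDO/Nova itself. It assumes nova.conf lives at /etc/nova/nova.conf, that instance VNC servers use Nova's default 5900-5999 port range, that `openstack-config` from RDO's openstack-utils package is installed, and that the services worth keeping reachable are ssh, Horizon (80/443) and nova-novncproxy on its default port 6080; the `ss -ltn` samples at the bottom are constructed, not captured from a real host.

```bash
#!/bin/bash
# Added example, not part of larsks' answer or of RDO/Nova: lock the per-instance
# VNC listeners to loopback, verify nothing in the VNC port range is still exposed,
# and install a default-deny INPUT chain with a rollback timer so a bad rule
# cannot lock you out.
# Assumptions (not in the original post): nova.conf is /etc/nova/nova.conf,
# instance VNC ports fall in Nova's default 5900-5999 range, and the public
# services to keep reachable are ssh, Horizon and nova-novncproxy (6080).
set -eu

NOVA_CONF="${NOVA_CONF:-/etc/nova/nova.conf}"

# 1. Bind instance VNC servers to loopback (openstack-config ships in RDO's
#    openstack-utils). Only instances started after the restart pick this up:
#    the listen address is baked into the libvirt XML when an instance spawns.
set_vnc_loopback() {
    openstack-config --set "$NOVA_CONF" DEFAULT vncserver_listen 127.0.0.1
    openstack-config --set "$NOVA_CONF" DEFAULT vncserver_proxyclient_address 127.0.0.1
    service openstack-nova-compute restart
}

# 2. Read `ss -ltn` (or `netstat -ltn`) output on stdin, print every listener in
#    5900-5999 whose local address is not loopback, and exit 1 if any was found.
find_exposed_vnc() {
    awk '
        $4 ~ /:[0-9]+$/ && ($1 == "LISTEN" || $1 ~ /^tcp/) {
            n = split($4, a, ":")
            port = a[n] + 0
            host = substr($4, 1, length($4) - length(a[n]) - 1)
            if (port >= 5900 && port <= 5999 && host != "127.0.0.1" && host != "[::1]") {
                print $4
                found = 1
            }
        }
        END { exit found + 0 }'
}

# 3. Render a default-deny filter table in iptables-save format.
#    $1 = TCP ports to expose (space separated), $2 = optional controller IP
#    allowed to reach everything (the multi-node compute-node case).
render_rules() {
    local ports="$1" controller="${2:-}" p
    echo '*filter'
    echo ':INPUT DROP [0:0]'
    echo ':FORWARD ACCEPT [0:0]'   # instance traffic: nova-network/neutron own this chain
    echo ':OUTPUT ACCEPT [0:0]'
    echo '-A INPUT -i lo -j ACCEPT'
    echo '-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT'
    echo '-A INPUT -p icmp -j ACCEPT'
    if [ -n "$controller" ]; then
        echo "-A INPUT -s $controller -j ACCEPT"
    fi
    for p in $ports; do
        echo "-A INPUT -p tcp --dport $p -m state --state NEW -j ACCEPT"
    done
    echo 'COMMIT'
}

# 4. Apply with a recovery mechanism: snapshot the live rules and schedule a
#    restore. Kill the timer only after a fresh ssh session has succeeded.
apply_rules() {
    local backup="/root/iptables.$(date +%s).bak"
    iptables-save > "$backup"
    render_rules "$@" | iptables-restore
    # iptables-restore replaced the whole table, including Nova's own chains
    # (nova-filter-top, nova-*-INPUT); nova-compute re-creates them on restart.
    service openstack-nova-compute restart
    ( sleep 300 && iptables-restore < "$backup" ) &
    echo "auto-rollback in 5 min; once ssh still works run: kill $!"
}

# Constructed `ss -ltn` samples (not captured from a real host) for self-checking.
SAMPLE_EXPOSED='State Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 1 0.0.0.0:5900 0.0.0.0:*
LISTEN 0 1 127.0.0.1:5901 0.0.0.0:*'
SAMPLE_LOOPBACK='State Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 1 127.0.0.1:5900 0.0.0.0:*
LISTEN 0 128 0.0.0.0:6080 0.0.0.0:*'

case "${1:-}" in
    harden) set_vnc_loopback; apply_rules "22 80 443 6080" "${2:-}" ;;
    check)  ss -ltn | find_exposed_vnc ;;
    rules)  render_rules "22 80 443 6080" "${2:-}" ;;
esac
```

`./harden.sh rules [controller-ip]` prints the table so you can review it before anything is applied; `./harden.sh harden [controller-ip]` applies it with the rollback timer, and `./harden.sh check` reports any VNC listener still reachable off-host (instances that were already running keep their old listen address until they are hard-rebooted, so run the check again afterwards). Port 6080 is nova-novncproxy's default and is the token-authenticated path Horizon's console uses, so browser console access keeps working once the raw 59xx ports are bound to loopback; add whatever API ports you intend to expose (Keystone, Nova API, and so on) to the port list. To persist the rules on RDO, write the rendered table to /etc/sysconfig/iptables, which is the iptables-save format the EL6 iptables service loads at boot.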

Comments

Maybe this can at least be password protected; usually you set a password if you're opening VNC to your machine. I mean, it's really not pleasant to connect to your OpenStack box and send "ctrl+alt+delete", you know.. =/

holms ( 2013-10-26 00:17:27 -0500 )edit
