From: Daniel Berrange
Subject: [Qemu-devel] [Bug 1828207] Re: Request to add something like "Auth failed from IP" log report for built-in VNC server
Date: Wed, 08 May 2019 13:08:55 -0000
Note that any use of the built-in VNC-auth scheme is always considered a
security flaw. It should essentially never be used, especially not on
any public internet facing service, even if fail2ban were able to be
used.
A secure VNC server should use the VeNCrypt extension which enables TLS,
with optional client certificate validation as an auth mechanism. Once
you have TLS enabled, you can also then enable the SASL auth mechanism
to further authenticate clients using Kerberos or PAM, or other SASL
plugins.
That's not to say we shouldn't emit a log message, suitable for
consuming from fail2ban, as remote clients can still trigger a CPU
denial of service by repeatedly connecting even if they ultimately
always fail authentication.
--
You received this bug notification because you are a member of qemu-
devel-ml, which is subscribed to QEMU.
https://bugs.launchpad.net/bugs/1828207
Title:
Request to add something like "Auth failed from IP" log report for
built-in VNC server
Status in QEMU:
New
Bug description:
In environments that need publicly accessible VNC ports there are no logs or
other registered events about authentication failures to analyze and/or
integrate into automated services like fail2ban and so on.
Thus the built-in VNC service is vulnerable to brute-force attacks and, in
combination with the weak built-in VNC-auth scheme, can be a security vulnerability.
Adding a simple log record like "QEMU VNC Authentication failed
192.168.0.5:5902 - 123.45.67.89:7898" would permit quick integration
with a fail2ban system.
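To show what the fail2ban-side consumer of such a log line would have to do, here is an added example (not code from QEMU, fail2ban or the bug reporter) that parses lines in the format proposed above and applies fail2ban's maxretry/findtime sliding-window rule to pick out source addresses that should be banned. The "QEMU VNC Authentication failed <server>:<port> - <client>:<port>" layout is the reporter's proposal, not an actual QEMU log format; the ISO timestamp prefix and the sample addresses are constructed for this example. The point a practitioner needs to get right is that the second address in the line is the remote client, so that is the one the filter must extract.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Proposed (not actual) QEMU format from the bug report, prefixed here with an
# assumed ISO-8601 timestamp as a syslog-style collector might write it:
#   2019-05-08T13:00:01 QEMU VNC Authentication failed <server>:<port> - <client>:<port>
# The equivalent fail2ban failregex would anchor <HOST> on the SECOND address:
#   failregex = QEMU VNC Authentication failed \S+ - <HOST>:\d+$
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}) "
    r"QEMU VNC Authentication failed "
    r"(?P<server>\d{1,3}(?:\.\d{1,3}){3}):(?P<sport>\d+) - "
    r"(?P<client>\d{1,3}(?:\.\d{1,3}){3}):(?P<cport>\d+)$"
)

# Constructed sample log: one client hammering the server, one client with two
# failures far apart (a legitimate typo pattern), and one unrelated line.
SAMPLE_LOG = [
    "2019-05-08T13:00:01 QEMU VNC Authentication failed 192.168.0.5:5902 - 203.0.113.7:40001",
    "2019-05-08T13:00:05 QEMU VNC Authentication failed 192.168.0.5:5902 - 203.0.113.7:40002",
    "2019-05-08T13:00:09 QEMU VNC Authentication failed 192.168.0.5:5902 - 203.0.113.7:40003",
    "2019-05-08T13:00:14 QEMU VNC Authentication failed 192.168.0.5:5902 - 203.0.113.7:40004",
    "2019-05-08T13:00:18 qemu-system-x86_64: unrelated message that must be ignored",
    "2019-05-08T13:00:20 QEMU VNC Authentication failed 192.168.0.5:5902 - 203.0.113.7:40005",
    "2019-05-08T13:00:30 QEMU VNC Authentication failed 192.168.0.5:5902 - 198.51.100.9:51000",
    "2019-05-08T13:20:30 QEMU VNC Authentication failed 192.168.0.5:5902 - 198.51.100.9:51001",
]


def parse_line(line):
    """Return (timestamp, server_ip, client_ip) or None when the line is not an auth failure."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%S")
    return ts, m.group("server"), m.group("client")


def find_offenders(lines, maxretry=5, findtime=600):
    """fail2ban-style rule: a client is banned the moment it accumulates `maxretry`
    failures inside any `findtime`-second window. Returns {client_ip: ban_time}.
    Lines are expected in chronological order, as a log file is read."""
    window = timedelta(seconds=findtime)
    recent = defaultdict(deque)   # client_ip -> timestamps still inside the window
    banned = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue                 # noise line, not an auth failure
        ts, _server, client = parsed
        if client in banned:
            continue                 # already banned; nothing more to learn
        q = recent[client]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()              # drop failures that aged out of the window
        if len(q) >= maxretry:
            banned[client] = ts
    return banned


if __name__ == "__main__":
    for ip, when in find_offenders(SAMPLE_LOG).items():
        print(f"ban {ip} (threshold reached at {when.isoformat()})")
```

With the defaults (five failures in ten minutes) only 203.0.113.7 is banned; 198.51.100.9 stays out because its two failures are twenty minutes apart. Lowering maxretry to 2 and widening findtime to an hour catches both, which is the usual tuning trade-off between catching slow brute-forcing and locking out an operator who mistyped a password twice.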