
From: Daniel Berrange
Subject: [Qemu-devel] [Bug 1828207] Re: Request to add something like "Auth failed from IP" log report for built-in VNC server
Date: Wed, 08 May 2019 13:08:55 -0000

Note that any use of the built-in VNC-auth scheme is always considered a
security flaw. It should essentially never be used, especially not on
any public internet facing service, even if fail2ban were able to be
used.

A secure VNC server should use the VeNCrypt extension which enables TLS,
with optional client certificate validation as an auth mechanism.  Once
you have TLS enabled, you can also then enable the SASL auth mechanism
to further authenticate clients using Kerberos or PAM, or other SASL
plugins.

That's not to say we shouldn't emit a log message, suitable for
consuming from fail2ban, as remote clients can still trigger a CPU
denial of service by repeatedly connecting even if they ultimately
always fail authentication.

-- 
You received this bug notification because you are a member of qemu-devel-ml,
which is subscribed to QEMU.
https://bugs.launchpad.net/bugs/1828207

Title:
  Request to add something like "Auth failed from IP" log report for
  built-in VNC server

Status in QEMU:
  New

Bug description:
  In environments that need publicly accessible VNC ports there are no logs or
  other registered events about authentication failures to analyze and/or
  integrate into automated services like fail2ban and so on.
  Thus the built-in VNC service is vulnerable to brute-force attacks and, in
  combination with the weak built-in VNC-auth scheme, can be a security vulnerability.

  Adding a simple log record like "QEMU VNC Authentication failed
  192.168.0.5:5902 - 123.45.67.89:7898" will permit to quickly integrate
  it to fail2ban system.

To manage notifications about this bug go to:
https://bugs.launchpad.net/qemu/+bug/1828207/+subscriptions
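As an added example (not code from the bug report or from QEMU), the following Python parses log records in the shape proposed in the bug description and applies a fail2ban-style maxretry/findtime window to decide which source addresses would be banned; the timestamp prefix, the function names and the sample log lines are assumptions constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Record shape proposed in the bug report:
#   "QEMU VNC Authentication failed <server_ip>:<port> - <client_ip>:<port>"
# The leading ISO 8601 timestamp is an assumed syslog-style prefix.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) QEMU VNC Authentication failed "
    r"(?P<server>\d{1,3}(?:\.\d{1,3}){3}):(?P<sport>\d+) - "
    r"(?P<client>\d{1,3}(?:\.\d{1,3}){3}):(?P<cport>\d+)$"
)

# Equivalent fail2ban filter line for such a record (illustrative):
#   failregex = ^.*QEMU VNC Authentication failed \S+ - <HOST>:\d+$

# Constructed sample log; 123.45.67.89 is the address quoted in the report.
LOG_SAMPLE = """\
2019-05-08T13:00:01 QEMU VNC Authentication failed 192.168.0.5:5902 - 123.45.67.89:7898
2019-05-08T13:00:05 QEMU VNC Authentication failed 192.168.0.5:5902 - 123.45.67.89:7901
2019-05-08T13:00:09 QEMU VNC Authentication failed 192.168.0.5:5902 - 123.45.67.89:7903
2019-05-08T13:00:10 some unrelated qemu message
2019-05-08T13:02:00 QEMU VNC Authentication failed 192.168.0.5:5902 - 198.51.100.7:40122
2019-05-08T14:30:00 QEMU VNC Authentication failed 192.168.0.5:5902 - 198.51.100.7:40130
2019-05-08T14:31:00 QEMU VNC Authentication failed 192.168.0.5:5902 - 198.51.100.7:40131
"""


def parse_failure(line):
    """Return (timestamp, client_ip) for a matching record, else None."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    return datetime.fromisoformat(m.group("ts")), m.group("client")


def find_offenders(lines, maxretry=3, findtime=timedelta(minutes=10)):
    """Client IPs with at least `maxretry` failures inside any `findtime`
    window, mirroring fail2ban's maxretry/findtime semantics."""
    hits = defaultdict(list)
    for line in lines:
        parsed = parse_failure(line)
        if parsed:
            ts, ip = parsed
            hits[ip].append(ts)
    offenders = []
    for ip, stamps in hits.items():
        stamps.sort()
        start = 0  # sliding-window start index
        for end, ts in enumerate(stamps):
            while ts - stamps[start] > findtime:
                start += 1
            if end - start + 1 >= maxretry:
                offenders.append(ip)
                break
    return sorted(offenders)
```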


