Developers Club geek daily blog

2 years, 6 months ago
The VNC installation of the server, and setup of its work over SSH
Yes, for some reason not every client wants to work in that convenient black terminal; a control panel does not satisfy their aesthetic requirements either, and in general: "where is my beloved, convenient VNC?"
A matter of habit and taste.

This article walks through installing and configuring a VNC server together with a graphical desktop (GUI), using Debian 8 jessie as the example.


Input: a clean Debian 8 install and a burning desire to get protected vnc access to the server as the output.

Let's start


Update the list of available packages.
# apt-get update

If the system is freshly installed, it is worth upgrading it.
# apt-get -y upgrade

(!) Do not run this command thoughtlessly on a server that is not freshly installed: it risks broken dependencies and a lot of manual repair work afterwards.

Install Xfce and the VNC server (fans of GNOME, KDE, LXDE, etc. can install a desktop to their taste).
# apt-get install xfce4 xfce4-goodies tightvncserver

Create the user under which the vnc server will run.
# adduser vnc

Install sudo (in Debian this package is not installed by default).
# apt-get install sudo

Add the vnc user to the sudo group.
# gpasswd -a vnc sudo

Switch to the vnc user.
# su - vnc

Start the vnc server.
$ vncserver

If this is the first start of the vnc server, the config file will be created and a few parameters requested:
$ vncserver 

You will require a password to access your desktops.

Password: 
Verify:   
Would you like to enter a view-only password (y/n)? n
xauth:  file /home/vnc/.Xauthority does not exist

New 'X' desktop is my.server:1



Creating default startup script /home/vnc/.vnc/xstartup

Starting applications specified in /home/vnc/.vnc/xstartup

Log file is /home/vnc/.vnc/my.server:1.log

By default the vnc server listens on port 5901; each subsequent display takes the next port (5902, 5903, ...).

To check whether the VNC server is running and which port it listens on, use the following command.
$ netstat -nltp

Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:5901            0.0.0.0:*               LISTEN      1054/Xtightvnc 


A specific display can be killed like this:
$ vncserver -kill :1
Killing Xtightvnc process ID 3246

:1 is the display to kill.

Creating an autostart script for the vnc server.

First, kill the running display :1 (if it is running).
$ vncserver -kill :1

Create the start script:
$ sudo nano /usr/local/bin/myvnc

Add the following lines to the file:

#!/bin/bash
# Wrapper around vncserver for one display; later started by a systemd unit.
PATH="$PATH:/usr/bin/"
DISPLAY="1"            # VNC display number (:1 listens on port 5901)
DEPTH="16"             # colour depth
GEOMETRY="1024x768"    # desktop resolution
OPTIONS="-depth ${DEPTH} -geometry ${GEOMETRY} :${DISPLAY}"

case "$1" in
start)
    /usr/bin/vncserver ${OPTIONS}
    ;;

stop)
    /usr/bin/vncserver -kill :${DISPLAY}
    ;;

restart)
    $0 stop
    $0 start
    ;;

*)
    echo "Usage: $0 {start|stop|restart}" >&2
    exit 1
    ;;
esac
exit 0

If required, the colour depth or the display resolution can be changed in the script.

Make the file executable.
$ sudo chmod +x /usr/local/bin/myvnc

Using the script we created:



$ myvnc start       # start the vnc server
$ myvnc stop        # stop the vnc server
$ myvnc restart     # restart the vnc server


Now we need to make sure the vnc we configured starts after the server boots (planned or otherwise).
For this, create a file at the following path.
$ sudo nano /lib/systemd/system/myvnc.service

Add the following text to the file:
[Unit]
Description=MyVnc

[Service]
Type=forking
ExecStart=/usr/local/bin/myvnc start
ExecStop=/usr/local/bin/myvnc stop
ExecReload=/usr/local/bin/myvnc restart
User=vnc

[Install]
WantedBy=multi-user.target


Explanation
[Unit] — the description of the unit (required dependencies and the start order at boot can also be specified here).
[Service] — which commands start the service, under which user, and the service type.
[Install] — at which level the unit should be started (multi-user.target, i.e. runlevel 3: multiuser mode without graphics).



Enable the unit so that it starts automatically at system boot.
$ sudo systemctl enable myvnc.service
Created symlink from /etc/systemd/system/multi-user.target.wants/myvnc.service to /lib/systemd/system/myvnc.service.


Check the status of the unit we created.
$ sudo systemctl -l status myvnc.service
● myvnc.service - MyVnc
   Loaded: loaded (/lib/systemd/system/myvnc.service; enabled)
   Active: inactive (dead)


Tell systemd to rescan for new or changed units.
$ sudo systemctl daemon-reload


Encrypting the traffic


Plain VNC does not encrypt its traffic, and you should not leave it like that.
Besides, if Chinese bots find your IP and start knocking on the ports, then even if the password is genuinely strong (remember that the VNC session password is limited to 8 characters) and they do not crack it, you will have a hard time getting onto the server via VNC yourself, because of a persistent error about the number of failed authentication attempts.

The password can be changed with vncpasswd:
$ vncpasswd

Using password file /home/vnc/.vnc/passwd

Password:

Warning: password truncated to the length of 8.

Verify:

Would you like to enter a view-only password (y/n)? n



Running VNC over SSH:


$ sudo nano /usr/local/bin/myvnc

Change the line:
OPTIONS="-depth ${DEPTH} -geometry ${GEOMETRY} :${DISPLAY}"

to

OPTIONS="-depth ${DEPTH} -geometry ${GEOMETRY} :${DISPLAY} -localhost"


Now, to connect to the server, the tunnel has to be created first.

On *nix:

# ssh vnc@xxx.xxx.xxx.xxx -L 5901:localhost:5901

Now you can connect with a vnc client by specifying localhost and the port the vnc server listens on, instead of the remote server's IP.

# vncviewer localhost:5901
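A quick way to confirm the -localhost change took effect, as an added example that is not part of the original article: the two netstat lines are constructed samples (the 127.0.0.1 one is what the listener should look like after the change), and the function names are my own.

```shell
#!/bin/sh
# Added example, not from the original article: check that after the
# "-localhost" change the VNC display listens on the loopback address only,
# so it is reachable solely through the SSH tunnel. The two listener lines
# are constructed samples in `netstat -nltp` format; on a live host pipe the
# real output in instead:  sudo netstat -nltp 2>/dev/null | vnc_listeners
SAMPLE_BEFORE='tcp        0      0 0.0.0.0:5901            0.0.0.0:*               LISTEN      1054/Xtightvnc'
SAMPLE_AFTER='tcp        0      0 127.0.0.1:5901          0.0.0.0:*               LISTEN      1054/Xtightvnc'

# vnc_listeners: from netstat output on stdin, print the "addr:port" of every
# socket in LISTEN state owned by an Xtightvnc process.
vnc_listeners() {
    awk '$6 == "LISTEN" && $NF ~ /Xtightvnc/ { print $4 }'
}

# vnc_exposed: succeed (0) if any VNC listener is bound to something other
# than IPv4/IPv6 loopback, i.e. it answers on the network without the tunnel.
vnc_exposed() {
    vnc_listeners | grep -qvE '^(127\.|::1:)'
}

# vnc_check NETSTAT_TEXT: print a verdict; returns 1 when VNC is exposed.
vnc_check() {
    if printf '%s\n' "$1" | vnc_exposed; then
        echo "EXPOSED: VNC listens on a non-loopback address; add -localhost to OPTIONS in /usr/local/bin/myvnc"
        return 1
    fi
    echo "OK: VNC bound to loopback only; connect through ssh -L 5901:localhost:5901"
}

# Demo on the constructed samples (the non-zero status of the first call is
# deliberately ignored so the script runs through).
vnc_check "$SAMPLE_BEFORE" || :
vnc_check "$SAMPLE_AFTER"
```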

When using Windows and PuTTY:



After starting PuTTY, go to Connection -> SSH -> Tunnels.
In the Source port field enter the port the VNC server listens on, 5901; in the Destination field enter localhost:5901 and press the Add button.
It should look like the screenshot.

[screenshot: PuTTY, Connection -> SSH -> Tunnels]

Now return to the Session tab, enter the server's IP and port 22 (you can also save the connection configuration here), and press Open.
[screenshot: PuTTY, Session tab]


There is no such thing as too much paranoia, so it is worth developing good habits right away. Although it is now impossible to reach our server via VNC from outside (you first have to log in over ssh and create the tunnel), it is still worth thinking about extra security for the ssh connections (remember, the Chinese bots never sleep).

Let's install and configure fail2ban.
By default, brute-force protection for SSH is enabled, which is exactly what we need:
when the set number of consecutive failed password entries (by default 6) is exceeded, the IP from which the attempts came is banned for a preset time (by default 600 seconds).

Install the package from the repository.
$ sudo apt-get install fail2ban


The main settings file we are interested in is /etc/fail2ban/jail.conf

The settings block for ssh connections:
[ssh]

enabled  = true
port     = ssh
filter   = sshd
logpath  = /var/log/auth.log
maxretry = 6

Syntax
ignoreip — IP addresses that should not be banned. You can give a list of IP addresses separated by spaces, a subnet mask, or a DNS host name.

bantime — ban time in seconds, after which the IP address is removed from the blocked list.

maxretry — the number of suspicious matches after which the rule is applied. In the context of ssh, this is the number of failed login attempts after which the ban occurs.

enabled — true means this jail is active; false disables the jail.

port — the port or ports on which the target service runs. The standard SSH server port is 22, or its symbolic name, ssh.

filter — the name of the filter whose regular expressions are used to search the service's logs for "suspicious matches". The sshd filter corresponds to the file /etc/fail2ban/filter.d/sshd.conf.

logpath — the path to the log file that fail2ban will process with the filter set above. By default, the whole history of successful and failed logins, including over SSH, is recorded in the log file /var/log/auth.log.
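To see what the maxretry and ignoreip settings above actually do, here is an added example (not from the original article and not fail2ban's own code) that applies the same counting rule to constructed auth.log lines; the IPs, host name and the "Your.IP" value 203.0.113.9 are made up, and the function names are mine.

```shell
#!/bin/sh
# Added example, not from the original article: a minimal re-implementation
# of the rule the [ssh] jail applies (MAXRETRY "Failed password" lines from
# one IP in auth.log => that IP is banned unless it is listed in ignoreip),
# run over constructed log lines. Host name, IPs and the "Your.IP" value
# 203.0.113.9 are all made up for the demo.
MAXRETRY=6
IGNOREIP="127.0.0.1/8 203.0.113.9"   # loopback kept, plus your own address

# mk IP N: emit N constructed sshd "Failed password" lines for IP.
mk() {
    i=0
    while [ "$i" -lt "$2" ]; do
        printf 'Dec 17 09:08:%02d my sshd[7001]: Failed password for vnc from %s port 40%03d ssh2\n' "$i" "$1" "$i"
        i=$((i + 1))
    done
}
SAMPLE_LOG=$(mk 198.51.100.7 7; mk 192.0.2.44 3; mk 203.0.113.9 8
             echo 'Dec 17 09:09:00 my sshd[7002]: Accepted password for vnc from 192.0.2.44 port 40100 ssh2')

# ignored IP: succeed if IP matches an IGNOREIP entry (an exact address or a
# /8, /16, /24 prefix; only octet-aligned masks are handled here).
ignored() {
    for e in $IGNOREIP; do
        case "$e" in
            */8)  p="${1%%.*}";  q="${e%%.*}" ;;
            */16) p="${1%.*.*}"; q="${e%.*.*}" ;;
            */24) p="${1%.*}";   q="${e%.*}" ;;
            *)    p="$1";        q="$e" ;;
        esac
        if [ "$p" = "$q" ]; then return 0; fi
    done
    return 1
}

# offenders: read auth.log lines on stdin; print, sorted, every IP with at
# least MAXRETRY failed logins that is not covered by IGNOREIP.
offenders() {
    awk '/sshd\[[0-9]+\]: Failed password for/ {
             for (i = 1; i <= NF; i++) if ($i == "from") c[$(i + 1)]++
         }
         END { for (ip in c) if (c[ip] >= '"$MAXRETRY"') print ip }' |
    while read -r ip; do ignored "$ip" || echo "$ip"; done | sort
}

# Demo: only 198.51.100.7 is reported (7 failures); 192.0.2.44 has 3 and
# 203.0.113.9 has 8 but is in IGNOREIP.
printf '%s\n' "$SAMPLE_LOG" | offenders
```

Keeping 127.0.0.1/8 in the list alongside your own address is what the IGNOREIP line shows; the real jail does the same matching against the sshd filter's regular expressions rather than this single pattern.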



The default setup meets our requirements (6 failed authentication attempts on ssh and the IP is banned for 600 seconds), but I would advise adding your own IP to the trusted list.
It would be annoying to wait nearly two hours if you mistype the password six times from your own IP (the chance of that is not zero).

Open the config file.
$ sudo nano /etc/fail2ban/jail.conf


In the line ignoreip = 127.0.0.1/8, replace the address 127.0.0.1/8 with your IP.

ignoreip = Your.IP


Exit the nano editor (ctrl+x, answer y to the question about saving the changes).

Restart the service to apply the rule changes.
$ sudo service fail2ban restart


When a ban fires, a warning line appears in the fail2ban log:
$ sudo tail -100 /var/log/fail2ban.log | less
2015-12-17 09:08:54,894 fail2ban.actions[7496]: WARNING [ssh] Ban 


And connection attempts from that address will be rejected by the server automatically until the ban expires.
bash-3.2# ssh my.vnc -l vnc
ssh: connect to host 37.48.90.203 port 22: Connection refused


Done, the VNC server setup is complete.

This article is a translation of the original post at habrahabr.ru/post/273201/
