
Comments (8)

toddmerrill commented on September 24, 2024

Hi James. You are correct. I misread your statement about the firewall ::shame:: I saw your statement 'you can also just not allow TCP port 5900' and didn't see the default setting part. Thanks for the script and sorry about the unjustified freak-out.

from parsec-cloud-preparation-tool.

toddmerrill commented on September 24, 2024

Without explanation too. I think it's safe to assume it's to hack into your server with root access.


sopel commented on September 24, 2024

See Using The Parsec AMI On Amazon:

> BACKUP - USE VNC
> The Parsec AMI comes pre-installed with VNC for troubleshooting purposes. VNC runs with elevated privileges and is able to function in certain situations where Parsec cannot. VNC uses port TCP 5900, and has a default password of 4ubg9sde. Make sure to only allow connections to port 5900 from your IP, and change the default password immediately on login — please do these two things. It’s a major security risk if you don’t. [emphasis mine]

I agree that this important security info should also be included in the README here.


anaisbetts commented on September 24, 2024

Since all of the machines are server SKU, it seems like it'd be way better to enable RDP instead? Azure already does this by default, and it's way more sane than VNC


jamesstringerparsec commented on September 24, 2024

> Without explanation too. I think it's safe to assume it's to hack into your server with root access.

You're out of your mind.

The reason I enable VNC is because you need a secondary method for accessing the VM that doesn't protect the desktop. RDP protects the desktop while also creating a virtual desktop session and thus breaks Parsec.

You can change the password - you can also just not allow TCP port 5900 in the firewall - by default your AWS firewall does not allow 5900... so there is no risk of unauthorized access unless you explicitly enable it. You can also set the firewall to only accept inbound connections from specific IP addresses, not 0.0.0.0 (all).

> I agree that this important security info should also be included in the README here.

Happy to do so


toddmerrill commented on September 24, 2024

Hi James. Sorry that my tone upset you, but consider. You have a script that runs EC2 instance with full rights on other people's machines. It opens a connection that allows anyone complete access to the instance. Any reasonable person should make the assumption I did. Yes, you didn't intend to take over people's machines, but anyone coming across this project can write a trivially simple scanner that can. The internet's a dangerous place and we need to make it as secure as possible. I think it's great you threw this script together, but one string of break-in attacks and we won't be able to use any more cool scripts like yours. Cheers.


jamesstringerparsec commented on September 24, 2024

> Hi James. Sorry that my tone upset you, but consider. You have a script that runs EC2 instance with full rights on other people's machines. It opens a connection that allows anyone complete access to the instance. Any reasonable person should make the assumption I did. Yes, you didn't intend to take over people's machines, but anyone coming across this project can write a trivially simple scanner that can. The internet's a dangerous place and we need to make it as secure as possible. I think it's great you threw this script together, but one string of break-in attacks and we won't be able to use any more cool scripts like yours. Cheers.

VNC is not exposed to the internet unless you specifically make changes to your AWS/Azure security group in order to allow port 5900 inbound. By default, VNC has no capability to connect to the internet.

I will document the install of VNC in the readme, along with its TCP port as well as a reminder to change the password and lock TCP 5900 down to a single IP address.


jamesstringerparsec commented on September 24, 2024

A warning has been added to the readme.md

from parsec-cloud-preparation-tool.
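
An added example, not part of the thread or of the project's script: one way to verify the mitigation discussed above (TCP 5900 closed, or limited to a single IP) against output shaped like `aws ec2 describe-security-groups`. The sample groups and their IDs are constructed for illustration.

```python
import ipaddress
import json

VNC_PORT = 5900

# Constructed sample in the shape of `aws ec2 describe-security-groups` JSON.
SAMPLE = json.loads("""
{"SecurityGroups": [
  {"GroupId": "sg-EXAMPLE-open", "IpPermissions": [{"IpProtocol": "tcp",
    "FromPort": 5900, "ToPort": 5900, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
  {"GroupId": "sg-EXAMPLE-single-ip", "IpPermissions": [{"IpProtocol": "tcp",
    "FromPort": 5900, "ToPort": 5900, "IpRanges": [{"CidrIp": "203.0.113.7/32"}]}]},
  {"GroupId": "sg-EXAMPLE-all-traffic", "IpPermissions": [{"IpProtocol": "-1",
    "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
  {"GroupId": "sg-EXAMPLE-range", "IpPermissions": [{"IpProtocol": "tcp",
    "FromPort": 5000, "ToPort": 6000, "IpRanges": [{"CidrIp": "198.51.100.0/24"}]}]},
  {"GroupId": "sg-EXAMPLE-rdp-only", "IpPermissions": [{"IpProtocol": "tcp",
    "FromPort": 3389, "ToPort": 3389, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]}
]}
""")

def covers_vnc(perm):
    """True if the rule's protocol and port range include TCP 5900."""
    proto = perm.get("IpProtocol")
    if proto == "-1":  # "-1" means all protocols and all ports
        return True
    if proto not in ("tcp", "6"):
        return False
    return perm.get("FromPort", 0) <= VNC_PORT <= perm.get("ToPort", 65535)

def audit(groups):
    """Return (group_id, cidr, verdict) for every source allowed to reach 5900."""
    findings = []
    for sg in groups["SecurityGroups"]:
        for perm in sg.get("IpPermissions", []):
            if not covers_vnc(perm):
                continue
            cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
            cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
            for cidr in cidrs:
                net = ipaddress.ip_network(cidr, strict=False)
                verdict = ("OPEN_TO_INTERNET" if net.prefixlen == 0
                           else "single_ip" if net.num_addresses == 1
                           else "wider_than_single_ip")
                findings.append((sg["GroupId"], cidr, verdict))
    return findings

if __name__ == "__main__":
    print(*audit(SAMPLE), sep="\n")
```

Rules that reach 5900 only through a wide port range or an all-traffic (`-1`) entry are reported too, since those are easy to miss when looking for an explicit 5900 rule.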
