4.2 Security On Linux Devices

4.2.1 Authentication

Remote Management on a Linux device is controlled by the xinetd super-server daemon on the device. This service is started automatically when the device boots. When a remote operator initiates a remote session to the device, xinetd launches the Remote Management service that starts the Remote Management X server appropriate to the type of remote operation to be performed on the device:

  • For Remote Control or Remote View, the x11vnc service is started

  • For Remote Login, the xvnc service is started

To prevent unauthorized access to the managed device, the Remote Management service on the managed device uses Password-Based Remote Management Authentication. This is the traditional VNC password authentication scheme, in which the remote operator is prompted to enter a password before the remote session on the managed device is launched.

4.2.2 Password Strength

Use secure passwords. Keep the following guidelines in mind:

  • Length: The minimum recommended length is 6 characters. The maximum length of a VNC password is 8 characters. This password scheme is inherently weak and is provided only for interoperability with the open source components.

  • Complexity: A secure password contains a mix of letters and numbers: both uppercase and lowercase letters and at least one numeric character. Adding numbers to a password, especially in the middle rather than only at the beginning or the end, enhances its strength. Special characters such as &, *, $, and > can greatly improve the strength of a password. Do not use recognizable words such as proper names or words from a dictionary, and do not use personal information such as phone numbers, birth dates, anniversary dates, addresses, or ZIP codes.
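The length and character-class rules above can be checked before a VNC password is set. The following shell script is an added example, not part of the product documentation: it enforces the 6 to 8 character range and the uppercase, lowercase and digit requirements, and only warns when digits sit solely at the ends. The dictionary-word and personal-information rules are not checked here (assumption: that needs an external wordlist, which the script does not carry).

```shell
#!/bin/sh
# Added example (not from the product documentation): check a candidate
# VNC password against the rules in section 4.2.2 before it is set.
# Enforced: length 6-8 characters, at least one uppercase letter, one
# lowercase letter and one digit. The dictionary-word and personal-data
# rules are not checked (assumption: that needs an external wordlist).

# vnc_password_ok PASSWORD -> exit status 0 if acceptable, 1 otherwise,
# with the reason printed on stderr.
vnc_password_ok() {
    pw=$1
    len=${#pw}
    if [ "$len" -lt 6 ]; then
        echo "rejected: $len characters, minimum recommended is 6" >&2
        return 1
    fi
    if [ "$len" -gt 8 ]; then
        echo "rejected: $len characters, VNC passwords are limited to 8" >&2
        return 1
    fi
    # Explicit character lists instead of [A-Z] so the result does not
    # depend on the locale's collation order.
    case $pw in
        *[ABCDEFGHIJKLMNOPQRSTUVWXYZ]*) ;;
        *) echo "rejected: no uppercase letter" >&2; return 1 ;;
    esac
    case $pw in
        *[abcdefghijklmnopqrstuvwxyz]*) ;;
        *) echo "rejected: no lowercase letter" >&2; return 1 ;;
    esac
    case $pw in
        *[0123456789]*) ;;
        *) echo "rejected: no digit" >&2; return 1 ;;
    esac
    # Advisory only: the text recommends digits in the middle of the
    # password rather than only at the ends.
    middle=$(printf '%s' "$pw" | cut -c2-$((len - 1)))
    case $middle in
        *[0123456789]*) ;;
        *) echo "note: digits appear only at the start or end" >&2 ;;
    esac
    return 0
}

# Command-line use: vnc-password-check.sh 'candidate'
if [ $# -gt 0 ]; then
    if vnc_password_ok "$1"; then
        echo "accepted"
        exit 0
    else
        exit 1
    fi
fi
```

Because the maximum is 8 characters, the check only guarantees that the weak scheme the text describes is used as well as it can be; it does not make the VNC password strong in an absolute sense.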

4.2.3 Ports

By default, the Remote Management service for Remote Control and Remote View runs on port 5950 and the Remote Management service for Remote Login runs on port 5951. The remote device should be configured to allow ports 5950 and 5951 through the firewall.

By default, the remote management proxy listens on port 5750.
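The port assignments above can be verified on a managed device. The following shell script is an added example, not part of the product documentation: it checks a socket listing (the output of `ss -ltn` or `netstat -ltn`) for the default ports, and emits iptables rules that admit them. The sample listing is constructed for offline use, and the source network passed to `firewall_rules` is a placeholder from the RFC 5737 documentation range; restricting the source to the management network is an assumption of this example, since the text only requires that the ports be allowed through.

```shell
#!/bin/sh
# Added example (not from the product documentation): verify that the
# Remote Management listeners from section 4.2.3 are present on a Linux
# managed device, and generate firewall rules that admit them.
# Assumption: the port numbers are the defaults quoted in the text.

RM_PORTS="5950 5951"     # x11vnc (Remote Control/View), xvnc (Remote Login)
PROXY_PORT="5750"        # remote management proxy, where one is deployed

# missing_ports "PORTS" "LISTING" -> prints the ports that do NOT appear
# in the Local Address column of LISTING (space separated, empty if none).
missing_ports() {
    ports=$1
    listing=$2
    missing=""
    for p in $ports; do
        # match ":5950" followed by whitespace or end of line
        if ! printf '%s\n' "$listing" | grep -Eq "[:.]$p"'([[:space:]]|$)'; then
            missing="$missing $p"
        fi
    done
    printf '%s' "${missing# }"
}

# check_live -> status 0 if all Remote Management ports are listening.
check_live() {
    if command -v ss >/dev/null 2>&1; then
        listing=$(ss -ltn 2>/dev/null)
    elif command -v netstat >/dev/null 2>&1; then
        listing=$(netstat -ltn 2>/dev/null)
    else
        echo "neither ss nor netstat is available" >&2
        return 2
    fi
    m=$(missing_ports "$RM_PORTS" "$listing")
    if [ -n "$m" ]; then
        echo "Remote Management ports not listening: $m" >&2
        return 1
    fi
    echo "Remote Management ports $RM_PORTS are listening"
}

# firewall_rules [SOURCE_NET] -> prints iptables commands admitting the
# Remote Management ports from SOURCE_NET. Limiting the source to the
# management console network is an assumption of this example; the text
# only requires that the ports be allowed through the firewall.
firewall_rules() {
    src=${1:-192.0.2.0/24}   # placeholder: replace with the management network
    for p in $RM_PORTS; do
        printf 'iptables -A INPUT -p tcp -s %s --dport %s -j ACCEPT\n' "$src" "$p"
    done
}

# Constructed sample listing (not captured from a real device).
SAMPLE_LISTING='State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port
LISTEN  0       128     0.0.0.0:22           0.0.0.0:*
LISTEN  0       5       0.0.0.0:5950         0.0.0.0:*
LISTEN  0       128     [::]:5951            [::]:*'

# Command-line use: rm-ports.sh --live   (otherwise runs against the sample)
if [ "${1:-}" = "--live" ]; then
    check_live
else
    m=$(missing_ports "$RM_PORTS $PROXY_PORT" "$SAMPLE_LISTING")
    echo "sample listing, ports not listening: ${m:-none}"
fi
```

Since xinetd holds the listening sockets and only starts x11vnc or xvnc on demand, a listener on 5950 or 5951 is expected even when no session is active; what the check does not tell you is whether the firewall in front of the device actually admits the traffic, which is what the generated rules address.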

4.2.4 Ask Permission from the User on the Managed Device

When a user is logged on to a Linux managed device and a remote operator initiates a Remote Control or Remote View session to the device, the user on the managed device is asked for permission before the Remote Control or Remote View session starts on the device.