I ran into a problem with someone trying to hack a vncserver, so it got
blocked with too many retries for everyone.
I didn't want to go down the path of tcpd, so I modified the 1.3.10 code.
Attached are my changes (from Xvnc/program/Xserver/hw/)
The idea is each max retry failure adds to a blocklist.
The blocklist is in memory and gets put in ~/.vnc/blockip (configurable
The blocklist is reread with a kill -HUP on Xvnc (so you can remove a
block without restarting)
Once in the blocklist, the client is refused in socket.c (so the
normal timer resets will work).
I have only tested in linux.
Also optionally(?) read hosts.deny
Make the blockedIPs array dynamic in size (currently static with #define
MAX_BLOCK_IP in rfb.h)
The blocking in auth.c is done in 2 places, but probably just needs to
be in one of them.
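The mechanism described in the message (failed-auth counter feeding a fixed-size blocklist, persisted to a file, reread on SIGHUP, and checked at accept time) as an added, self-contained C sketch; this is not the attached patch or any TightVNC/RealVNC code. The names `blockedIPs`, `MAX_BLOCK_IP`, `MAX_RETRIES`, the file path and all function names are assumptions chosen for the example, and the "auth.c" / "socket.c" labels only indicate where each piece would sit conceptually.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <signal.h>
#include <arpa/inet.h>

/* Hypothetical constants standing in for the patch's MAX_BLOCK_IP in rfb.h. */
#define MAX_BLOCK_IP 64
#define MAX_RETRIES  5
#define BLOCKIP_FILE "/tmp/blockip_example.txt"   /* stands in for ~/.vnc/blockip */

/* In-memory blocklist: fixed-size table, one dotted-quad string per slot. */
static char blockedIPs[MAX_BLOCK_IP][INET_ADDRSTRLEN];
static int numBlockedIPs = 0;
static volatile sig_atomic_t reloadRequested = 0;

static int valid_ipv4(const char *ip) {
    struct in_addr a;
    return inet_pton(AF_INET, ip, &a) == 1;
}

int blocklist_contains(const char *ip) {
    for (int i = 0; i < numBlockedIPs; i++)
        if (strcmp(blockedIPs[i], ip) == 0) return 1;
    return 0;
}

void blocklist_clear(void) { numBlockedIPs = 0; }

/* Returns 0 on success (or already present), -1 if invalid or the table is full. */
int blocklist_add(const char *ip) {
    if (!valid_ipv4(ip)) return -1;
    if (blocklist_contains(ip)) return 0;
    if (numBlockedIPs >= MAX_BLOCK_IP) return -1;
    snprintf(blockedIPs[numBlockedIPs++], INET_ADDRSTRLEN, "%s", ip);
    return 0;
}

/* Writes one IP per line; returns the number written, -1 on I/O error. */
int blocklist_save(const char *path) {
    FILE *f = fopen(path, "w");
    if (!f) return -1;
    for (int i = 0; i < numBlockedIPs; i++) fprintf(f, "%s\n", blockedIPs[i]);
    return fclose(f) == 0 ? numBlockedIPs : -1;
}

/* Reads the file (blank lines and '#' comments ignored); returns entries added, -1 if unreadable. */
int blocklist_load(const char *path) {
    FILE *f = fopen(path, "r");
    if (!f) return -1;
    char line[128];
    int added = 0;
    while (fgets(line, sizeof line, f)) {
        line[strcspn(line, "\r\n")] = '\0';
        if (line[0] == '\0' || line[0] == '#') continue;
        if (blocklist_add(line) == 0) added++;   /* malformed lines are skipped */
    }
    fclose(f);
    return added;
}

/* SIGHUP only sets a flag; the real reload happens in the main loop, where fopen() is safe. */
static void hup_handler(int sig) { (void)sig; reloadRequested = 1; }

void blocklist_install_hup(void) {
    struct sigaction sa;
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = hup_handler;
    sigemptyset(&sa.sa_mask);
    sigaction(SIGHUP, &sa, NULL);
}

/* Call from the server loop: replaces the in-memory list from the file when a HUP is pending.
   Returns the number of entries loaded, or 0 when no reload was requested. */
int blocklist_maybe_reload(const char *path) {
    if (!reloadRequested) return 0;
    reloadRequested = 0;
    blocklist_clear();
    int n = blocklist_load(path);
    return n < 0 ? 0 : n;
}

/* auth.c side: per-source failure counter. Returns 1 when the source has just been blocked. */
static struct { char ip[INET_ADDRSTRLEN]; int count; } failures[MAX_BLOCK_IP];
static int numFailures = 0;

int record_auth_failure(const char *ip) {
    int i;
    for (i = 0; i < numFailures; i++)
        if (strcmp(failures[i].ip, ip) == 0) break;
    if (i == numFailures) {
        if (numFailures >= MAX_BLOCK_IP) return -1;
        snprintf(failures[i].ip, INET_ADDRSTRLEN, "%s", ip);
        failures[i].count = 0;
        numFailures++;
    }
    if (++failures[i].count >= MAX_RETRIES) {
        blocklist_add(ip);
        failures[i].count = 0;   /* counter cleared immediately, since the IP is now blocked */
        return 1;
    }
    return 0;
}

/* socket.c side: decide at accept time, before any authentication timer is involved. */
int accept_allowed(const char *ip) { return !blocklist_contains(ip); }

int main(void) {
    blocklist_install_hup();
    for (int i = 0; i < MAX_RETRIES; i++) record_auth_failure("192.0.2.10");  /* constructed source */
    printf("192.0.2.10 allowed: %d\n", accept_allowed("192.0.2.10"));
    blocklist_save(BLOCKIP_FILE);
    blocklist_clear();
    raise(SIGHUP);                                   /* operator edits the file, then kill -HUP */
    printf("reloaded %d entries\n", blocklist_maybe_reload(BLOCKIP_FILE));
    remove(BLOCKIP_FILE);
    return 0;
}
```

Keeping the signal handler down to setting a `sig_atomic_t` flag and doing the file read from the main loop avoids calling non-async-signal-safe functions such as `fopen` inside the handler; the accept-time check is what lets the existing retry timers keep running unchanged.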
> Possible improvements:
> Also optionally(?) read hosts.deny
> Make the blockedIPs array dynamic in size (currently static with
> #define MAX_BLOCK_IP in rfb.h)
> The blocking in auth.c is done in 2 places, but probably just needs to
> be in one of them.
Additional possible improvements:
Could put MAX_BLOCK_IP as a token in the blockip file.
Should probably clear the "max retries" flag instead of waiting for the timer,
since the IP is immediately blocked.