Allow Connections to VNC Server Only From Specific IP Addresses

I administrate an Ubuntu 11.10 Server. I've installed tightvncserver on it so I can have a desktop environment on the server.

My issue now is, I'm running into issues with malicious people spamming the VNC server with authentication attempts. I've strengthened up the password, but it's still inconvenient as it restricts me from connecting as the person is using up all the authentication attempts.

There are pretty much around 5 IP addresses that should be able to ATTEMPT to authenticate to the VNC server; this person is using proxies from Romania, China, Korea, etc.

How can I accept authentication attempts to ONLY the IP addresses I specify?

Essentially, I want to do the opposite of this: How to deny VNC access to a particular IP?

And this with VNC instead: How can I allow SSH password authentication from only certain IP addresses?

Any ideas?

Thanks, Brandon


Solution 1:

You could use ufw - the "uncomplicated firewall" that comes with a standard Ubuntu install.

sudo ufw allow 22/tcp
sudo ufw allow from 12.34.56.78 to any port 5901 proto tcp
sudo ufw default reject incoming
sudo ufw enable

Which is:

  • allow ssh connections (otherwise you will lock yourself out)
  • allow VNC connections from one IP address (edit the port if you don't use 5901)
  • reject all other incoming connections
  • enable the firewall

Make sure you allow ssh before enabling the firewall, otherwise you'll be locked out.
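
The same rule set extended to a list of allowed addresses, as an added example that is not part of the original answer: the script validates each address and prints the ufw commands in the order they should be run, so they can be reviewed before anything is applied. The addresses are constructed placeholders from the documentation ranges, the function names are hypothetical, and only IPv4 is handled.

```shell
#!/bin/sh
# Added example: prints the ufw commands for a VNC allowlist (dry run only).
# The addresses below are constructed placeholders; replace them with your own.
VNC_PORT="${VNC_PORT:-5901}"
ALLOWED_IPS="${ALLOWED_IPS:-192.0.2.10 192.0.2.11 198.51.100.7 203.0.113.5 203.0.113.77}"

# Return 0 only for a dotted-quad IPv4 address with every octet in 0..255.
valid_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1            # split the address on dots into $1..$n
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Usage: build_rules PORT IP...
# Emits nothing on stdout and returns 1 if any address is malformed,
# so a typo cannot produce a partial rule set.
build_rules() {
    port=$1; shift
    for ip in "$@"; do
        valid_ipv4 "$ip" || { echo "invalid address: $ip" >&2; return 1; }
    done
    echo "ufw allow 22/tcp"                 # keep SSH reachable first
    for ip in "$@"; do
        echo "ufw allow from $ip to any port $port proto tcp"
    done
    echo "ufw default reject incoming"      # everything else is refused
    echo "ufw enable"
}

# Word splitting of ALLOWED_IPS is intentional: one argument per address.
build_rules "$VNC_PORT" $ALLOWED_IPS
```

Review the printed commands, then run them with sudo in the order shown.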