Is there a downside to installing VNC?

Solution 1:

There are a great many reasons:

  • Attack surface: more programs, especially networked ones, means more opportunities for someone to find a bug and get in.

  • Defect surface: as above, but replace "someone" with "Murphy", and "get in" with "ruin your day". Actually, "ruin your day" probably applies to the previous point, too.

  • System efficiency: X11, and the GUI environments that people tend to run on it, consume a decent amount of RAM, especially on a limited-resource system like a NUC. Not running them means more resources for doing useful work.

  • Operator efficiency: GUIs do not lend themselves to scripting and other forms of automation. Clicking on things feels productive, but it's actually about the worst way to do something deeply technical. You'll also find your future employment opportunities severely limited if you can't script and automate away your job -- the industry is going away from GUI admin tools. Heck, even Windows Server can be installed GUI-free these days, and if that doesn't make you think about the relative merits of only knowing how to click on things, I really don't know what to say to you.

Solution 2:

The problem isn't VNC - don't get me wrong, VNC is a horrible protocol and has many flaws (the biggest being the lack of encryption support so everything goes over the network in plain text), but it isn't the main reason its usage is not recommended on servers.

You're going to install VNC to access what, a black screen? No, you wanted to access an entire desktop environment, and that is the real problem.

Once you install all this desktop-grade Gnome (or similar) software you can already consider your server compromised, since there are so many bugs left to be exploited in this horrible, huge collection of applications (besides the fact that it's not designed for productivity and uses a ton of resources). One of the other reasons why I don't recommend this software and most of the Linux desktop environments is that they take over the entire system almost like a rootkit, and implement their own versions of everything (authentication? No more rock solid users and groups, let's run this PolicyKit nonsense as root that gives permissions based on some unreadable, obscure XML files... configuration? Who needs human-readable config files? Let's store everything in binary databases that you can't really see nor edit unless you use their provided utilities, just like the Windows registry, and also let's start a bunch of daemons as root to use up resources even when you're not using the desktop).

Trying to install a Gnome desktop environment on my Arch Linux server tells me "Total Installed Size: 1370.86 MiB". That is huge; imagine the extra attack surface this ex-server will have once it's installed. Other desktop environments aren't much better.

Solution 3:

Obviously you're opening up another port for an attacker; rebuttal: we're behind two university firewalls (the main university network firewall as well as our subnet's own special firewall). VNC would only be able to be accomplished inside our subnet, so I'm at a loss...

Never assume that because your system is behind a firewall, on a private network, you don't need to worry about security. Many, if not most, successful intrusions are performed by insiders (employees, students, etc.) that have access to said networks.
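
An added example, not part of any of the answers above: a small check that parses `ss -tlnH` output and reports VNC or X11 listeners bound to anything other than loopback, which is the "another port" on the subnet that the answers discuss. The sample output is constructed, the function names are hypothetical, and the port ranges are the conventional 5900+N (VNC) and 6000+N (X11).

```python
import ipaddress

# Conventional ranges: VNC display N listens on 5900+N, X11 display N on 6000+N.
DISPLAY_PORTS = {"VNC": range(5900, 6000), "X11": range(6000, 6064)}

# Constructed sample of `ss -tlnH` output (not captured from a real host).
SAMPLE_SS = """\
LISTEN 0 128 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=812,fd=3))
LISTEN 0 5 0.0.0.0:5901 0.0.0.0:* users:(("Xvnc",pid=1432,fd=7))
LISTEN 0 5 127.0.0.1:5902 0.0.0.0:* users:(("Xvnc",pid=1500,fd=7))
LISTEN 0 128 [::]:6000 [::]:* users:(("Xorg",pid=990,fd=5))
LISTEN 0 128 [::1]:631 [::]:* users:(("cupsd",pid=700,fd=6))
"""


def split_endpoint(endpoint):
    """Split 'addr:port' from ss into (host, port), handling [v6] and %iface."""
    host, _, port = endpoint.rpartition(":")
    host = host.strip("[]").split("%")[0]
    return host, int(port)


def is_loopback(host):
    """True only for 127.0.0.0/8 and ::1; the '*' wildcard is not loopback."""
    if host == "*":
        return False
    return ipaddress.ip_address(host).is_loopback


def exposed_display_listeners(ss_output):
    """Return (service, host, port) for display listeners reachable off-host."""
    findings = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue
        host, port = split_endpoint(fields[3])
        for service, ports in DISPLAY_PORTS.items():
            if port in ports and not is_loopback(host):
                findings.append((service, host, port))
    return findings


if __name__ == "__main__":
    for service, host, port in exposed_display_listeners(SAMPLE_SS):
        print(f"{service} listener reachable from the network: {host}:{port}")
```

On a real host, pass the text of `ss -tlnH` to `exposed_display_listeners` instead of the sample.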