
CentOS VNC Remote Desktop Protocol

小樊
2025-09-22 01:22:02
Column: Intelligent Operations

CentOS VNC Remote Desktop Protocol: Configuration, Security, and Usage

VNC (Virtual Network Computing) is an open-source remote desktop protocol that enables users to graphically control a CentOS system from a remote client. It operates over the RFB (Remote Framebuffer Protocol), transmitting screen updates and input events between the server (CentOS) and client. Below is a structured guide covering setup, security, and troubleshooting for VNC on CentOS.


1. Core Components of VNC

  • Server: Runs on the CentOS machine, capturing and transmitting the desktop display. Popular implementations include TigerVNC (recommended for CentOS 7/8) and TightVNC (lightweight option).
  • Client: Connects to the server to view/control the desktop (e.g., RealVNC Viewer, TightVNC Viewer, or built-in Windows Remote Desktop).
  • Protocol: Uses RFB for communication; data (screen updates, keystrokes) is sent in frames. By default, VNC is unencrypted, making encryption critical for security.

2. Basic VNC Server Setup on CentOS

Step 1: Install VNC Server

Update the system and install TigerVNC (the most widely used package for CentOS):

sudo yum update -y
sudo yum install tigervnc-server tigervnc-common -y

Step 2: Set a VNC Password

Run the vncpasswd command as the user you want to grant remote access to. This creates a password (stored in ~/.vnc/passwd) for authentication:

vncpasswd
  • Enter and confirm a strong password (at least 8 characters). Traditional VNC authentication keeps only the first 8 characters, so anything longer is silently truncated.

Step 3: Configure the VNC Service

Copy the default systemd service file to create a user-specific configuration (e.g., for user centos and display :1):

sudo cp /usr/lib/systemd/system/vncserver@.service /usr/lib/systemd/system/vncserver@:1.service

Edit the copied file to replace <USER> with your username and adjust settings (e.g., resolution, color depth):

sudo vi /usr/lib/systemd/system/vncserver@:1.service

Example configuration for user centos:

[Unit]
Description=Remote desktop service (VNC)
After=syslog.target network.target

[Service]
Type=forking
User=centos
Group=centos
WorkingDirectory=/home/centos
PIDFile=/home/centos/.vnc/%H:1.pid
ExecStartPre=/bin/sh -c '/usr/bin/vncserver -kill :1 > /dev/null 2>&1 || :'
ExecStart=/usr/bin/vncserver :1 -geometry 1920x1080 -depth 24
ExecStop=/usr/bin/vncserver -kill :1

[Install]
WantedBy=multi-user.target
  • :1 corresponds to TCP port 5901 (default: 5900 + display number).
  • -geometry sets screen resolution (e.g., 1920x1080).
  • -depth sets color depth (e.g., 24 for 16.7M colors).

Step 4: Start and Enable the VNC Service

Reload systemd to apply changes, then start and enable the service:

sudo systemctl daemon-reload
sudo systemctl start vncserver@:1.service
sudo systemctl enable vncserver@:1.service

Step 5: Configure Firewall

Allow incoming traffic to the VNC port (default: 5901 for :1) using firewalld:

sudo firewall-cmd --permanent --add-port=5901/tcp
sudo firewall-cmd --reload

For SELinux, ensure it allows VNC connections (run as root):

setsebool -P vncserver_enable_homedirs 1

3. Enhancing VNC Security

A. Use Encryption

Unencrypted VNC is vulnerable to MITM attacks. Encrypt connections using one of these methods:

1. SSH Tunnel (Recommended for Most Users)

SSH encrypts all traffic between the client and server. On the client machine (local), run:

ssh -L 5901:localhost:5901 centos@<CENTOS_SERVER_IP>
  • Replace <CENTOS_SERVER_IP> with the server’s IP.
  • This forwards local port 5901 to the server’s localhost:5901 (VNC port).
  • Connect the VNC client to localhost:5901.
2. TigerVNC/TightVNC Built-in Encryption

  • TigerVNC: Edit /etc/tigervnc/tigervncserver.conf and add:

    encryption_level=high

    Restart the VNC service after saving changes.

  • TightVNC: Edit /etc/tightvncserver.conf and set:

    encryption_level=high

3. SSL/TLS Certificates (Enterprise-Grade)

Generate a self-signed certificate and configure the VNC server to use it:

sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/pki/tls/private/vnc.key -out /etc/pki/tls/certs/vnc.crt

Edit the VNC config file to point to the certificate:

ssl_cert=/etc/pki/tls/certs/vnc.crt
ssl_key=/etc/pki/tls/private/vnc.key

B. Strengthen Authentication

  • Strong Passwords: Use complex passwords (mix of uppercase, lowercase, numbers, symbols) and change them every 90 days.
  • Limit Users: Restrict VNC access to specific users by editing the systemd service file and adding:

    User=<allowed_user>
    Group=<allowed_group>


C. Restrict Access via Firewall

Only allow trusted IP addresses to connect to the VNC port. For example, to allow only 192.168.1.100:

sudo firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="192.168.1.100" port port="5901" protocol="tcp" accept'
sudo firewall-cmd --reload

4. Connecting to the VNC Server

From a Windows Client

  1. Download and install a VNC client (e.g., RealVNC Viewer).
  2. Open the client and enter the server’s IP address followed by the display number (e.g., 192.168.1.100:1).
  3. Enter the VNC password when prompted.

From a Linux Client

Install a VNC client (e.g., tigervnc-viewer) and connect using:

vncviewer <CENTOS_SERVER_IP>:1

5. Troubleshooting Common Issues

  • Port Conflicts: Ensure no other service uses the VNC port (5900 + display number). Check with:

    sudo netstat -tulnp | grep vnc

  • Firewall Blocking: Verify firewall rules with sudo firewall-cmd --list-all and allow the VNC port if blocked.
  • Permission Denied: Ensure the .vnc directory and password file have correct permissions:

    chmod 700 ~/.vnc
    chmod 600 ~/.vnc/passwd

  • Black Screen: Install a desktop environment (e.g., GNOME) if missing:

    sudo yum groupinstall "Server with GUI" -y

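The 5900 + display port rule from section 2, the loopback-only reachability that makes the SSH tunnel in section 3 effective, and the ~/.vnc/passwd permission check above can be verified together with a short audit script. This is an added example, not code from the original article; the listener lines are constructed sample output in ss -tlnp column order, and the function names are the example's own.

```shell
#!/bin/bash
# Added example: audit a VNC display's exposure and password-file mode.
# Constructed sample in `ss -tlnp` column order
# (State Recv-Q Send-Q Local Peer Process); not captured from a real host.
SAMPLE_LISTENERS='LISTEN 0 5 0.0.0.0:5901 0.0.0.0:* users:(("Xvnc",pid=1234,fd=7))
LISTEN 0 5 127.0.0.1:5902 0.0.0.0:* users:(("Xvnc",pid=1240,fd=7))
LISTEN 0 5 [::1]:5902 [::]:* users:(("Xvnc",pid=1240,fd=8))
LISTEN 0 128 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=900,fd=3))'

# RFB port for a display: 5900 + display number. Accepts ":1" or "1".
vnc_port_for_display() {
    local display="${1#:}"
    echo $((5900 + display))
}

# Classify how the listener for a display is exposed, given ss-style output:
#   local  - bound only to loopback (reachable only through an SSH tunnel)
#   public - bound to a wildcard or routable address (reachable from the network)
#   none   - nothing listening on that port
vnc_exposure() {
    local display="$1" listeners="$2" port
    port=$(vnc_port_for_display "$display")
    printf '%s\n' "$listeners" | awk -v p="$port" '
        $1 == "LISTEN" && match($4, /:[0-9]+$/) && substr($4, RSTART + 1) == p {
            addr = substr($4, 1, RSTART - 1)
            if (addr == "127.0.0.1" || addr == "[::1]") loc++; else pub++
        }
        END {
            if (pub) print "public"; else if (loc) print "local"; else print "none"
        }'
}

# True when the password file exists and is mode 600 (owner read/write only).
vnc_passwd_mode_ok() {
    [ -f "$1" ] && [ "$(stat -c '%a' "$1")" = "600" ]
}

# Stand-alone run over the constructed sample
for d in 1 2 3; do
    echo "display :$d (port $(vnc_port_for_display "$d")) is $(vnc_exposure "$d" "$SAMPLE_LISTENERS")"
done
```

A display reported as public can be confined to loopback by adding -localhost to the vncserver ExecStart line, after which only the SSH tunnel from section 3A reaches it.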

By following these steps, you can set up a secure and functional VNC remote desktop on CentOS. Always prioritize encryption and strong authentication to protect against unauthorized access.
