CentOS VNC Remote Desktop Protocol: Configuration, Security, and Usage
VNC (Virtual Network Computing) is an open-source remote desktop protocol that enables users to graphically control a CentOS system from a remote client. It operates over the RFB (Remote Framebuffer Protocol), transmitting screen updates and input events between the server (CentOS) and client. Below is a structured guide covering setup, security, and troubleshooting for VNC on CentOS.
1. Core Components of VNC
- Server: Runs on the CentOS machine, capturing and transmitting the desktop display. Popular implementations include TigerVNC (recommended for CentOS 7/8) and TightVNC (lightweight option).
- Client: Connects to the server to view/control the desktop (e.g., RealVNC Viewer, TightVNC Viewer, or built-in Windows Remote Desktop).
- Protocol: Uses RFB for communication; data (screen updates, keystrokes) is sent in frames. By default, VNC is unencrypted, making encryption critical for security.
2. Basic VNC Server Setup on CentOS
Step 1: Install VNC Server
Update the system and install TigerVNC (the most widely used package for CentOS):
sudo yum update -y
sudo yum install tigervnc-server tigervnc-common -y
Step 2: Set a VNC Password
Run the vncpasswd command as the user you want to grant remote access to. This creates a password (stored in ~/.vnc/passwd) for authentication:
vncpasswd
- Enter and confirm a strong password (at least 8 characters). The maximum length is 8 characters for traditional VNC.
Step 3: Configure the VNC Service
Copy the default systemd service file to create a user-specific configuration (e.g., for user centos and display :1):
sudo cp /usr/lib/systemd/system/vncserver@.service /usr/lib/systemd/system/vncserver@:1.service
Edit the copied file to replace the placeholder username with your own and adjust settings (e.g., resolution, color depth):
sudo vi /usr/lib/systemd/system/vncserver@:1.service
Example configuration for user centos:
[Unit]
Description=Remote desktop service (VNC)
After=syslog.target network.target

[Service]
Type=forking
User=centos
Group=centos
WorkingDirectory=/home/centos
# vncserver writes its PID file as <hostname>:<display>.pid; %H expands to the hostname
PIDFile=/home/centos/.vnc/%H:1.pid
# systemd does not interpret shell redirections or ||, so the cleanup is wrapped in /bin/sh
ExecStartPre=/bin/sh -c '/usr/bin/vncserver -kill :1 > /dev/null 2>&1 || :'
ExecStart=/usr/bin/vncserver :1 -geometry 1920x1080 -depth 24
ExecStop=/usr/bin/vncserver -kill :1

[Install]
WantedBy=multi-user.target
- :1 corresponds to TCP port 5901 (default: 5900 + display number).
- -geometry sets the screen resolution (e.g., 1920x1080).
- -depth sets the color depth (e.g., 24 for 16.7M colors).
Step 4: Start and Enable the VNC Service
Reload systemd to apply changes, then start and enable the service:
sudo systemctl daemon-reload
sudo systemctl start vncserver@:1.service
sudo systemctl enable vncserver@:1.service
Step 5: Configure Firewall
Allow incoming traffic to the VNC port (default: 5901 for :1) using firewalld:
sudo firewall-cmd --permanent --add-port=5901/tcp
sudo firewall-cmd --reload
For SELinux, ensure it allows VNC connections (run as root):
setsebool -P vncserver_enable_homedirs 1
3. Enhancing VNC Security
A. Use Encryption
Unencrypted VNC is vulnerable to MITM attacks. Encrypt connections using one of these methods:
1. SSH Tunnel (Recommended for Most Users)
SSH encrypts all traffic between the client and server. On the client machine (local), run:
ssh -L 5901:localhost:5901 centos@
- Append the server's IP address after centos@.
- This forwards local port 5901 to the server's localhost:5901 (the VNC port).
- Connect the VNC client to localhost:5901.
2. TigerVNC/TightVNC Built-in Encryption
- TigerVNC: Edit /etc/tigervnc/tigervncserver.conf and add:
encryption_level=high
Restart the VNC service after saving changes.
- TightVNC: Edit /etc/tightvncserver.conf and set:
encryption_level=high
3. SSL/TLS Certificates (Enterprise-Grade)
Generate a self-signed certificate and configure the VNC server to use it:
sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/pki/tls/private/vnc.key -out /etc/pki/tls/certs/vnc.crt
Edit the VNC config file to point to the certificate:
ssl_cert=/etc/pki/tls/certs/vnc.crt
ssl_key=/etc/pki/tls/private/vnc.key
B. Strengthen Authentication
- Strong Passwords: Use complex passwords (mix of uppercase, lowercase, numbers, symbols) and change them every 90 days.
- Limit Users: Restrict VNC access to specific users by editing the systemd service file and setting the allowed account in:
User=
Group=
C. Restrict Access via Firewall
Only allow trusted IP addresses to connect to the VNC port. For example, to allow only 192.168.1.100:
sudo firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="192.168.1.100" port port="5901" protocol="tcp" accept'
sudo firewall-cmd --reload
4. Connecting to the VNC Server
From a Windows Client
- Download and install a VNC client (e.g., RealVNC Viewer).
- Open the client and enter the server's IP address followed by the display number (e.g., 192.168.1.100:1).
- Enter the VNC password when prompted.
From a Linux Client
Install a VNC client (e.g., tigervnc-viewer) and connect using:
vncviewer :1
5. Troubleshooting Common Issues
- Port Conflicts: Ensure no other service uses the VNC port (5900 + display number). Check with:
sudo netstat -tulnp | grep vnc
- Firewall Blocking: Verify firewall rules with sudo firewall-cmd --list-all and allow the VNC port if blocked.
- Permission Denied: Ensure the .vnc directory and password file have correct permissions:
chmod 700 ~/.vnc
chmod 600 ~/.vnc/passwd
- Black Screen: Install a desktop environment (e.g., GNOME) if missing:
sudo yum groupinstall "Server with GUI" -y
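The following audit script is an added example, not part of the original guide: it checks the two hardening points above that are easiest to get wrong, that the VNC port is bound to loopback only (so the SSH tunnel is the only way in) and that ~/.vnc and its passwd file keep the 700/600 permissions from the troubleshooting list. It assumes TigerVNC on display :1 (TCP 5901) started with TigerVNC's -localhost option, and the listener output it parses in the test is constructed.

```shell
#!/bin/sh
# Added audit script (not from the original guide). Assumes TigerVNC on
# display :1 (TCP 5901) started with "vncserver :1 -localhost" so that the
# only route in is the SSH tunnel.
VNC_PORT=5901

# check_vnc_listener: read "ss -ltn" / "netstat -tln" output on stdin and
# succeed only if the VNC port is bound to loopback, not 0.0.0.0, * or [::].
check_vnc_listener() {
    found=0
    while read -r line; do
        case "$line" in
            *":$VNC_PORT "*) ;;          # row whose local address ends in :5901
            *) continue ;;
        esac
        found=1
        case "$line" in
            *"127.0.0.1:$VNC_PORT "*|*"[::1]:$VNC_PORT "*|*"::1:$VNC_PORT "*) ;;
            *) echo "EXPOSED: $line"; return 1 ;;
        esac
    done
    [ "$found" -eq 1 ] || { echo "nothing listening on $VNC_PORT"; return 2; }
    echo "ok: port $VNC_PORT is loopback-only"
}

# check_passwd_perms: the ~/.vnc directory must be 0700 and passwd 0600;
# passwd holds the VNC password in an obfuscated, easily recovered form.
check_passwd_perms() {
    dir=$1
    [ -n "$(find "$dir" -maxdepth 0 -type d -perm 700 2>/dev/null)" ] ||
        { echo "$dir is not mode 700"; return 1; }
    [ -n "$(find "$dir/passwd" -maxdepth 0 -type f -perm 600 2>/dev/null)" ] ||
        { echo "$dir/passwd is not mode 600"; return 1; }
    echo "ok: $dir permissions"
}

# Run against the live host with: sh vnc-audit.sh --live
if [ "${1:-}" = "--live" ]; then
    (ss -ltn 2>/dev/null || netstat -tln) | check_vnc_listener
    check_passwd_perms "$HOME/.vnc"
fi
```

Run it with --live on the server after the service is up; without arguments it only defines the checks.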
By following these steps, you can set up a secure and functional VNC remote desktop on CentOS. Always prioritize encryption and strong authentication to protect against unauthorized access.