How to Resolve/Prevent ‘Too Many Authentication Failures’ with VNC
If you are running VNC through Debian (Linux) on a server in order to have access to a graphical user interface, then you may encounter the error ‘Too many authentication failures’.
If this is the case, you will not be able to connect to your server, and the only way to resolve the issue is if you restart the vnc process (it is not necessary to restart the entire server). Unfortunately doing so will lead to a loss of any unsaved files. The following steps are also useful in order to prevent the ‘Too many authentication failures’ error from happening in the first place.
Why does this happen?
The likely reason why this occurs is due to bots crawling the internet and looking for vulnerable servers to attack. They will try to brute force their way into a server, which is a numbers game, and will only work on a small amount of servers. The server detects that it is being attacked and closes the VNC port to any new outside connections. This is to prevent bots from actually being able to brute force their way into your server and is a good thing, but is obviously frustrating for us.
How can we resolve and or prevent ‘Too many authentication failures’ from happening?
One way to resolve and/or prevent this attack is to restrict the IP addresses that can connect to the server from the outset. We can do this using the following procedure.
1. Connect to your server using SSH
As outlined in our original article How to Setup Monkersolver on a Debian 9 (Linux) Server using Contabo, you can connect to your server under Windows using PuTTY, for example. If you are running a Linux installation, just use the terminal provided with Linux.
Make sure to connect to your server as the ‘root’ user. If you are using Linux, enter the following command in the command line, where ‘server ip’ refers to the ip address of the server you are trying to connect to.
ssh root@server ip
Update 04.10.19: According to feedback from user ‘xbit’, it is not necessary to kill the vnc process to be able to regain access to the server. If you need to prevent data loss, you can skip step 2 and instead go straight to step 3 and wait for the server timeout to end, after which point you should be able to reconnect to your server based on your newly defined iptables rules.
2. Kill The Current VNC Server Process (Skip if currently not receiving the error!)
If your server has already been compromised, you are going to have to kill the current vnc process first, in order to restart it.
First find the process id (pid) of vnc using the following command:
pgrep vnc
You then need to kill the vnc process using the kill command. Replace ‘pid’ with the pid from the previous output. In some cases you may have to kill multiple processes, if you have already tried to restart the service without first killing the service.:
kill pid
Now restart the service, but make sure you switch to a non-root user first so that your vncserver is not running from the root user (e.g. using the command ‘su – vnc’). The last numbers refer to the resolution of the output of the display. Adjust accordingly to your needs:
vncserver -geometry 1920x1080
Your server has now been restarted and can be accessed again, but before you jump right back in, we need to change the firewall rules.
3. Restrict Access Using Iptables
Under Linux you define your firewall rules using the program ‘iptables’. Enter the following commands, and hit enter after each command.
You can use the following command to see the current rules of your firewall:
sudo iptables -S
Optionally you can clear all currently defined firewall rules. This command is useful to remove ip addresses that are no longer in use:
sudo iptables -F INPUT
Add your ip address to the list of accepted addresses on port 5901. By default VNC uses the port structure 5900+N, where N represents the display number for your VNC service that you would like to use (the default is 1 if you are running just one process). Change this according to your requirements. Replace ‘your ip’ with the actual ip address you would like to allow. You can easily find the public address of the computer you are currently using by typing ‘my ip’ into Google.
sudo iptables -I INPUT -p tcp -s your ip --dport 5901 -j ACCEPT
Reject all other ip addresses:
sudo iptables -A INPUT -p tcp -s 0.0.0.0/0 --dport 5901 -j DROP
And that’s it! Now you can use your server without having to worry about bots putting it out of comission.
Please subscribe for more future articles like this.
You dont need to kill vnc. Just add rules and wait some time.
And keep in mind if you reboot server all your firewall setting will gone. To save iptables install this package:
apt-get install iptables-persistent
Thank you for your comment xbit. I would like to add your information about not having to kill vncserver to the main article, but I’m having trouble finding documentation to support this claim. Perhaps you can link me to a relevant source.
Presumably it’s because VNC is setting a timeout before more attempts can be made and the bots are triggering it constantly, so once you solve that problem it will time out as it should.
Hi GS. Thank you for your input. You are correct that that’s how it would work in theory. I was just unable to confirm that there is actually such a timeout, which is why I’m hesitant to recommend xbit’s suggestion in the main article. However it’s here in the comments for people to take into consideration.
thanks for this! saved me from pulling my hair out for ages, thanks a lot 🙂
Internet service provider in my country change ip address every few hours.
Also that i carry laptop n work from different locations/internet/ip
So everytime if I get a error.. i should be using
iptables -I INPUT -p tcp -s your ip –dport 5901 -j ACCEPT
??
I keep some programs running in my vnc i don’t wish to close them..by resetting the vnc.
Hi Yug. If you are restricting the IP addresses that can access your server, then you will not get the “too many authentication errors” error and you will not have to restart your server if your IP address changes.
If you are changing your IP address frequently, you may want to look into a VPN with a static IP address. That way you can just connect to your VPN from whatever IP address you are currently using, and then connect to the server from there. Also keep an eye on the blog, as we will likely be posting an alternative solution shortly that would not require you to specify an IP address on the server.
that will be awesome… i will keep an eye on that.. also will check out guide how to use vpn for static ip..
is this static ip vpn free of charge ?
There are both free and paid VPNs. At this time we can not endorse any particular VPN that offers this service, but there are available services at a reasonable cost. I would recommend googling ‘static vpn ip address’ for options.
as xbit said
you dont need to kill the vnc or restart it .. just add the ip rule and wait for it ..
but how long to wait . ?
i added the ip rules … and waiting for .. 5mins already still getting same error… too many authentication failure error.
isnt there a way to refresh the ip tables so that it will be refected quickly ?
As I already responded to xbit and GS, I can not find documentation to support that waiting works. The problem is not that the ip table isn’t updated, it updates immediately, the problem is that the protocol is refusing all new incoming connections.
any other way like ssh login ?
i feel thats the most secure login ..but not sure how to do it ..
Running vnc as a non-root user, as described in the main guide for setting up a Linux server, and restricting ips is a very secure way to run and connect to your server. That being said, we will be releasing a guide later this month that will show how to connect to your vnc server using ssh, so stay tuned for that update.
will be eagerly waiting for a parmanent fix.
We have now released an updated guide with a different methodology for connecting to VNC. You can find it here.
All nonsense. Yet the scanners are out there, but to reset the alert settings of your VNC, all you need is a console and:
vncconfig -display :1 -set BlacklistTimeout=0 -set BlacklistThreshold=1000000
Thank you for sharing.
“-bash: vncconfig: command not found”
Any ideas?
You want to access ubuntu server with its graphical user interface you install TightVNC or xo. I installed TightVNC’s vncserver in my Ubuntu and was able to access it for a few days and then suddenly saw this: “Authentication reason: Too many authentication failures”. That drove me nuts and wouldn’t let me in.
The purpose to use the VNC is to keep the desktop-attached programs going, so one can check and continue the work at a latter time. The kill-and-restart VNC server is not a solution. The prevention of random IP addresses accessing to the VNC server is hard-coded in TightVNC without customizable options. It aims to enforce the local access only, i.e. ssh tunnelling for remote clients. To compromise between the vulnerability and inaccessibility, the ultimate solution is to trash TightVNC and install TigerVNC.