If you run VNC on a Debian (Linux) server to get access to a graphical user interface, you may encounter the error ‘Too many authentication failures’.
If this is the case, you will not be able to connect to your server, and the only way to resolve the issue is to restart the vnc process (it is not necessary to restart the entire server). Unfortunately, doing so will lead to the loss of any unsaved files. The following steps are also useful for preventing the ‘Too many authentication failures’ error from happening in the first place.
Why does this happen?
The likely cause is bots crawling the internet looking for vulnerable servers to attack. They try to brute-force their way into a server, which is a numbers game that only works on a small fraction of servers. The server detects that it is being attacked and closes the VNC port to any new outside connections. This prevents bots from actually brute-forcing their way into your server and is a good thing, but it is obviously frustrating for us.
How can we resolve and/or prevent ‘Too many authentication failures’ from happening?
One way to resolve and/or prevent this attack is to restrict, from the outset, the IP addresses that are allowed to connect to the server. We can do this using the following procedure.
1. Connect to your server using SSH
As outlined in our original article How to Setup Monkersolver on a Debian 9 (Linux) Server using Contabo, you can connect to your server from Windows using PuTTY, for example. If you are running a Linux installation, just use the terminal provided with Linux.
Make sure to connect to your server as the ‘root’ user. If you are using Linux, enter the following command in the command line, where ‘server ip’ refers to the IP address of the server you are trying to connect to.
ssh root@server ip
Update 04.10.19: According to feedback from user ‘xbit’, it is not necessary to kill the vnc process to be able to regain access to the server. If you need to prevent data loss, you can skip step 2 and instead go straight to step 3 and wait for the server timeout to end, after which point you should be able to reconnect to your server based on your newly defined iptables rules.
2. Kill The Current VNC Server Process (Skip if currently not receiving the error!)
If your server is already showing this error, you will have to kill the current vnc process first in order to restart it.
First find the process id (pid) of vnc using the following command:
You then need to kill the vnc process using the kill command. Replace ‘pid’ with the pid from the previous output. In some cases you may have to kill multiple processes, if you have already tried to restart the service without first killing it:
Now restart the service, but make sure you switch to a non-root user first so that your vncserver is not running as root (e.g. using the command ‘su - vnc’). The last numbers refer to the resolution of the display. Adjust them to your needs:
vncserver -geometry 1920x1080
Your server has now been restarted and can be accessed again, but before you jump right back in, we need to change the firewall rules.
3. Restrict Access Using Iptables
Under Linux you define your firewall rules with the program ‘iptables’. Enter the following commands, pressing enter after each one.
You can use the following command to see the current rules of your firewall:
sudo iptables -S
Optionally you can clear all currently defined firewall rules. This command is useful for removing IP addresses that are no longer in use, but note that it flushes every rule in the INPUT chain, not just the ones for VNC:
sudo iptables -F INPUT
Add your IP address to the list of accepted addresses on port 5901. By default VNC uses the port scheme 5900+N, where N is the display number of the VNC service you would like to use (the default is 1 if you are running just one process). Change this according to your requirements. Replace ‘your ip’ with the actual IP address you would like to allow. You can easily find the public address of the computer you are currently using by typing ‘my ip’ into Google.
sudo iptables -I INPUT -p tcp -s your ip --dport 5901 -j ACCEPT
Reject all other ip addresses:
sudo iptables -A INPUT -p tcp -s 0.0.0.0/0 --dport 5901 -j DROP
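The step 3 rules above, wrapped in an added shell helper that computes the port from the display number (5900+N), validates each address before anything touches the firewall (so a leftover placeholder such as ‘your ip’ is rejected), and accepts several allowed addresses at once. This is a constructed example, not code from the original article; the sample addresses are from the TEST-NET documentation ranges, and applying the rules (VNC_APPLY=1) assumes you are running as root, as in step 1.

```shell
#!/bin/sh
# Added helper for step 3: builds the iptables allow-list for one VNC display
# (port 5900+N) and validates each address before anything touches the firewall.
# Constructed example, not part of the original article. Prints the commands;
# set VNC_APPLY=1 and run as root to execute them as well.

# Accept a dotted-quad IPv4 address with an optional /0-32 prefix, reject anything else.
is_ipv4() {
    case "$1" in ''|*[!0-9./]*|.*|*.|*/) return 1 ;; esac
    addr=${1%%/*}
    prefix=${1#"$addr"}                       # empty, or "/N"
    case "$prefix" in ''|/[0-9]|/[12][0-9]|/3[0-2]) ;; *) return 1 ;; esac
    old_ifs=$IFS; IFS=.; set -- $addr; IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet; do
        [ -n "$octet" ] && [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Print (and with VNC_APPLY=1 also execute) one iptables command.
emit() {
    printf '%s\n' "$*"
    if [ "${VNC_APPLY:-0}" = 1 ]; then "$@"; fi
}

# vnc_rules DISPLAY ALLOWED_IP [ALLOWED_IP ...]
vnc_rules() {
    [ $# -ge 2 ] || { echo "usage: vnc_rules DISPLAY ALLOWED_IP [ALLOWED_IP ...]" >&2; return 1; }
    display=$1; shift
    case "$display" in ''|*[!0-9]*) echo "bad display number: '$display'" >&2; return 1 ;; esac
    for ip; do
        is_ipv4 "$ip" || { echo "not an IPv4 address: '$ip'" >&2; return 1; }
    done
    port=$((5900 + display))
    # ACCEPT rules are inserted at the top of INPUT so they win over the DROP,
    # which is appended so that it is evaluated last (same order as the article).
    for ip; do
        emit iptables -I INPUT -p tcp -s "$ip" --dport "$port" -j ACCEPT
    done
    emit iptables -A INPUT -p tcp -s 0.0.0.0/0 --dport "$port" -j DROP
}

# Dry run with constructed sample addresses (TEST-NET ranges):
vnc_rules 1 203.0.113.5 198.51.100.0/24
```

Run it once without VNC_APPLY to review the generated commands, then check the result with ‘sudo iptables -S’ after applying.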
And that’s it! Now you can use your server without having to worry about bots putting it out of commission.
Please subscribe for more future articles like this.