When configuring a VNC service on a Linux system, the default setting typically uses the standard port 5900 as the starting port. The default port number can pose certain risks, and changing the VNC port number has become a common security hardening measure. This can reduce the likelihood of being scanned by automated attack tools and also allow for better management of different remote desktop sessions in a multi-user environment.

To change the VNC port number, you first need to understand the VNC server software you are using. Common VNC servers include TigerVNC, TightVNC, and RealVNC, each with slightly different configuration methods. Most modern Linux distributions come pre-installed with some form of VNC server, or you can easily install one using a package manager. Before you begin making changes, it's best to confirm the type and version of the VNC server installed on your system, as this will help you find the correct configuration file and method.

For most VNC servers, the most direct way to change the port number is to specify the port when starting the service via command-line arguments. For example, when using TigerVNC, you can start a VNC session on a specified port like this:

vncserver -geometry 1920x1080 -depth 24 -localhost no -rfbport 5999

The `-rfbport 5999` parameter explicitly tells the VNC server to listen on port 5999 instead of the default port 5900. This method is suitable for temporarily started VNC sessions, but if you want to use the same non-standard port every time you start a session, you'll need to modify the configuration file or create a custom startup script.

A more common approach is to modify the VNC server's configuration file. Different VNC server software stores their configuration files in different locations. For example, TigerVNC's configuration file is usually located at `~/.vnc/config` or `/etc/tigervnc/vncserver.config`. Open this file, and you can find or add a line specifying the port:

rfbport=5999

After saving the file, restart the VNC service for the changes to take effect. For system-level configuration, you might need to edit another configuration file, `/etc/tigervnc/vncserver.users`, which maps system users to specific display IDs and ports.

If you are using a TightVNC server, the configuration method is different. TightVNC's configuration file is usually located at `~/.vncrc`. You need to find or add the following lines:

$rfbauth = "/home/username/.vnc/passwd";
$rfbport = 5999;

After making the changes, you need to restart the VNC service process. For VNC servers running in system service mode (managed using systemd), you need to restart the service using the following command:

sudo systemctl restart vncserver@:1.service

Note that `@:1` here corresponds to display ID 1. If you have configured multiple display IDs, you may need to restart different service instances.

Understanding how port numbers are calculated is important when configuring a multi-user VNC environment. Traditionally, VNC port numbers consist of 5900 plus the display ID. Display ID 1 corresponds to port 5901, display ID 2 corresponds to port 5902, and so on. When you change the port number, you need to ensure that different display sessions use non-conflicting ports. Some VNC servers allow you to configure ports separately for each user or each display ID, which provides flexibility for port management in complex environments.

After changing the port, don't forget to update the firewall rules. If the system has a firewall enabled (such as firewalld or iptables/UFW), you need to open the newly configured port. For example, with firewalld, you can use the following commands:

sudo firewall-cmd --permanent --add-port=5999/tcp
sudo firewall-cmd --reload

For systems using iptables, the corresponding commands are:

sudo iptables -A INPUT -p tcp --dport 5999 -j ACCEPT
sudo service iptables save

These commands ensure that the firewall allows traffic through the newly configured VNC port.

Security considerations are not limited to changing port numbers. Using non-standard ports can indeed block some automated attack scripts, but for experienced hackers, it's just a minor obstacle. Therefore, it's recommended to combine port changes with other security measures. For example, configure the VNC server to only allow local connections, and then access the VNC service via an SSH tunnel. This way, all VNC traffic is transmitted over an encrypted SSH connection, significantly increasing security. The command to establish an SSH tunnel is as follows:

ssh -L 5901:localhost:5901 username@your_server_ip

Then, you can connect to localhost:5901 from your local VNC client, and all traffic will be transmitted to the remote server encrypted via SSH.

Another important security measure is using strong passwords and changing them regularly. Most VNC servers support password authentication, and you can create or change passwords using the `vncpasswd` command:

vncpasswd

After interactively entering and confirming the password, the password file (usually `~/.vnc/passwd`) will be created or updated. Ensure this file's permissions are set to read-only by the owner:

chmod 600 ~/.vnc/passwd

After modifying the port and related configurations, how do you test if the new configuration has taken effect? ​​The simplest way is to use the `netstat` or `ss` command to check the port listening status:

sudo netstat -tlnp | grep vnc

Or use the more modern `ss` command:

sudo ss -tlnp | grep vnc

These commands will list all listening TCP ports and their corresponding processes. You should see the VNC server listening on the new port you configured.

Besides command-line testing, you can also try connecting to the new port using a VNC client. Most VNC clients (such as TigerVNC Viewer, RealVNC Viewer, etc.) allow specifying the port number when connecting. Simply add a colon and the port number after the server address, for example: `your_server_ip:5999`. If the connection succeeds, the port configuration is correct; if it fails, you need to check the configuration steps and firewall settings.

In practice, you may encounter some common problems. If the VNC service fails to start after changing the port, first check if the port is already in use by another service. You can check the usage of a specific port using `sudo lsof -i :5999` or `sudo netstat -tlnp | grep 5999`. If the port is in use, either stop the service using that port or choose a different port for VNC.

Another common issue is that SELinux might prevent the VNC server from running on a new port. If you are using a system with SELinux enabled (such as CentOS, RHEL, Fedora, etc.), you may need to update the SELinux policy to allow VNC to use non-standard ports. You can add an SELinux port label using the following command:

sudo semanage port -a -t vnc_port_t -p tcp 5999

This command marks TCP port 5999 as a port available for the VNC service. To view currently marked VNC ports, you can use:

sudo semanage port -l | grep vnc_port_t

Some VNC server versions, especially older ones, may not support directly setting port numbers in the configuration file. In this case, you might need to consider upgrading the VNC server software or using more complex Network Address Translation (NAT) rules to redirect ports. For example, you can use iptables to redirect an externally accessed port to the actual listening port of the VNC:

sudo iptables -t nat -A PREROUTING -p tcp --dport 5999 -j REDIRECT --to-port 5901

This rule redirects all TCP connections arriving at port 5999 to port 5901, while the VNC server still listens on the default port 5901. While this method is not as direct as directly modifying the VNC port, it is a viable alternative under certain constraints.

Finally, remember to document your configuration changes. Whether managing configuration files through a version control system or simply keeping a text record, documenting configuration changes is a good system administration practice. These records are invaluable when services need to be migrated or troubleshooted.