Virtual Network Computing (VNC) relies on a specific range of port numbers to establish remote graphical connections between machines. Understanding which ports are used, how they are allocated, and the security implications is essential for network administrators and power users managing server infrastructure.
Standard VNC Port Allocation
The foundational VNC port numbers follow a predictable pattern based on the display number. The default VNC server port is calculated by adding 5900 to the display number. For example, a display of :0 uses port 5900, display :1 uses port 5901, and this sequence continues incrementally for subsequent displays on the same server.
Display Numbers and Corresponding Ports
This standardization allows for easy prediction and configuration, especially in environments running multiple VNC sessions on a single physical or virtual machine. The protocol typically uses TCP for reliable data transmission, ensuring the remote screen updates and input events are delivered accurately.
Web-Based VNC and HTTP Ports
Many modern VNC implementations bypass the need for a dedicated client by leveraging web browsers. These solutions often utilize an HTTP port, usually 5800 plus the display number, to serve the Java Web Start or HTML5 viewer. For display :0, the web interface listens on port 5800, and for display :1, it is port 5801.
This dual-port setup means that a single VNC server instance can handle both direct protocol connections and browser-based access simultaneously. Administrators must ensure both the 59xx and 58xx ports are open and correctly routed if they intend to offer web access to their remote desktops.
Custom and Alternative Configurations
While the 5900 and 5800 ranges are the IANA registered standards, flexibility is a key feature of VNC deployments. It is common practice to change the default port numbers for security through obscurity or to comply with specific network policies. This is often done in the server configuration file or via command-line arguments when launching the VNC process.
For instance, a user might redirect traffic from the standard 5900 port to a custom port like 6000 or 8080 to avoid automated bot scans or to share the service behind a NAT that reserves common ports for other applications. This configuration change must be mirrored on the client side to establish a successful connection.
Security Considerations and Firewall Management
Open VNC ports are a common attack surface, as they provide direct access to a graphical session of the target machine. Without strong passwords or encrypted tunnels, these ports can be exploited for unauthorized access or credential harvesting. Implementing a firewall to restrict access to trusted IP addresses is a critical mitigation step.
Combining VNC with SSH tunneling or VPNs effectively encrypts the traffic, transforming the connection into a secure channel. This approach hides the VNC port numbers from the public internet, significantly reducing the risk of exposure and unauthorized intrusion attempts.
