Hi all. Just wanted to check that this SSH VNC setup is completely secure:

  1. It is running over a 1 Mbit connection (105 kb/s at peak; in practice, only about 20 kb/s AT MOST is going to be available for the SSH VNC connection, since I am constantly running downloads and/or streaming videos/music).
  2. The SSH is running over a secret, non-standard port.
  3. It is using RSA encryption with a 4096-bit encryption key, and plain old password authentication is disabled, meaning the only way you are allowed to authenticate is using the 4096-bit key.
  4. I am using a long passphrase with the RSA encryption.
  5. They will need to know my username (it is also a non-standard username).
  6. The VNC service running through the SSH tunnel is using a strange port.
  7. The VNC has a long passphrase for authentication.
  8. The VNC server will ONLY accept loopback connections, meaning they either have to be on the physical computer connecting to itself, or it has to be run through the SSH tunnel, or else the VNC server will reject the connection.
  9. My Windows system has a password (it's Windows 8 with a lock screen, and it locks pretty quickly).

What is the chance of someone getting through this?


EDIT: I forgot to note that the SSH tunnel is also encrypted with 256-bit AES.

EDIT 2: I also forgot to note that both shell and SFTP are disabled on my user account in freeSSHd. It only allows tunneling and that's it.

https://linustechtips.com/topic/72231-how-secure-is-this-ssh-vnc-setup/

Assuming nothing else is listening and you have the software relatively up to date I think realistically no one will get in.


I suppose other things you can do include minimizing damage done if someone does get in by running the SSH environment in a chroot or VM. Also you can disallow specific functions of SSH by public key in authorized_keys. If you only use it for tunneling you can set options like no-X11-forwarding,no-agent-forwarding,no-pty.

How would I go about enabling those things on freeSSHd on Windows? The safer the better, right? Wouldn't running it in a chroot/VM prevent me from being able to control my Windows? (I want to be able to monitor/start/stop downloads from my phone.) Also, do you think if I set it to 8 colors with tight compression it would run on an EDGE connection (2G)? My phone does support 3G, but I disable it because I generally just message, and it doesn't waste my airtime as fast.


I wasn't aware you're running this on Windows. I don't hear about sshd on Windows too often. That changes a few things. I've never used freeSSHd, so I don't know how it is configured. If it is a *nix port, though, I'm guessing there is a text file called authorized_keys somewhere that it references. The file contains a list of public keys that it allows connections from. There are many guides on how you can configure this file. Here is one:

http://www.eng.cam.ac.uk/help/jpmg/ssh/authorized_keys_howto.html


Chroot doesn't exist on Windows. If you go the VM route I think it would only make sense if you can move whatever you want to monitor remotely, on to the VM, so that you only need to be able to access the VM from outside and not your host machine.


As far as I know it is not possible to restrict access by MAC address. A MAC address is not preserved once you cross a router. SSH keys should serve this purpose.
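The per-key options mentioned earlier (no-X11-forwarding, no-agent-forwarding, no-pty) and the authorized_keys file described above are easy to get wrong by hand, so here is an added example, not code from the thread or from freeSSHd, of the check a defender would run over such a file: it parses OpenSSH-format authorized_keys lines (quoted option values included), and reports every key that lacks the tunnel-only options, treating OpenSSH's `restrict` option as covering all of them. It assumes the OpenSSH file format; whether freeSSHd honours these options is something the thread leaves open.

```python
# Added example (not from the thread or freeSSHd): audit OpenSSH-style authorized_keys.
REQUIRED = {"no-x11-forwarding", "no-agent-forwarding", "no-pty"}
KEY_TYPES = ("ssh-rsa", "ssh-ed25519", "ssh-dss", "ecdsa-sha2-", "sk-")

def split_quoted(text, is_sep):
    """Split at separators outside double quotes (command="a, b" stays whole)."""
    parts, cur, quoted = [], [], False
    for ch in text:
        if ch == '"':
            quoted = not quoted
        if is_sep(ch) and not quoted:
            if cur:
                parts.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
    return parts + ["".join(cur)] if cur else parts

def parse_line(line):
    """Return (options, key_type, comment), or None for blank/comment lines."""
    fields = split_quoted(line.strip(), str.isspace)
    if not fields or fields[0].startswith("#"):
        return None
    if fields[0].startswith(KEY_TYPES):  # no options field on this line
        fields.insert(0, "")
    if len(fields) < 3:
        raise ValueError(f"malformed authorized_keys line: {line!r}")
    options = split_quoted(fields[0], lambda c: c == ",")
    return options, fields[1], " ".join(fields[3:])

def audit(text):
    """Map each key's comment (or line number) to the tunnel-only options it
    lacks; 'restrict' (OpenSSH 7.2+) implies all three and counts as compliant."""
    findings = {}
    for n, line in enumerate(text.splitlines(), 1):
        parsed = parse_line(line)
        if parsed is None:
            continue
        options, _key_type, comment = parsed
        names = {o.split("=", 1)[0].lower() for o in options}
        missing = [] if "restrict" in names else sorted(REQUIRED - names)
        if missing:
            findings[comment or f"line {n}"] = missing
    return findings

# Constructed sample file; key material is truncated on purpose.
SAMPLE = """\
no-pty,no-X11-forwarding,no-agent-forwarding,command="echo tunnel only, no shell" ssh-rsa AAAAB3Nza... phone-tunnel
ssh-rsa AAAAB3Nza... laptop
restrict,port-forwarding ssh-ed25519 AAAAC3Nz... tablet
"""
```

Running `audit(SAMPLE)` flags only the `laptop` key, which was added without any restrictions; the other two are tunnel-only.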
