qemu-devel

[Qemu-devel] Possible security enhancement for QEMU


From: Attila-Mihaly Balazs
Subject: [Qemu-devel] Possible security enhancement for QEMU
Date: Mon, 29 Dec 2014 21:09:10 +0200

Dear all,

Some enterprising people scanned the whole range of IPv4 addresses for open VNC servers [1] and my casual browsing seems to indicate that a lot of them are QEMU VMs. I suspect that this is because just doing "-vnc :1" will listen on/bind to "0.0.0.0" (i.e. on all the interfaces).

My suggestion for improvement would be:
- change the behaviour of "-vnc :port" such that it listens on "127.0.0.1" when the IP isn't specified
- if host is "0.0.0.0" (perhaps also include any routable IPv4 addresses - and non-link-local IPv6 addresses) and no authentication method is specified, error out with a message like "It is recommended that you DO NOT expose the VNC server directly to the public internet. If you are sure of what you are doing, please specify an authentication method for the VNC server. See the documentation for more details"

I'm happy to supply patches if people agree on the desired approach.

Happy Holidays!
Attila Balazs

[1] https://news.ycombinator.com/item?id=8810366
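
The two rules proposed in the message above, sketched as an added example; it is not part of the original post and is not QEMU code. The names `vnc_bind_policy`, `addr_is_local_only` and `enum vnc_verdict` are hypothetical, and the sketch assumes IPv6 hosts are written in brackets and that private (RFC 1918) ranges and hostnames count as exposed.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum vnc_verdict { VNC_ALLOW, VNC_REFUSE };

/* Assumption: only loopback and link-local count as not exposed; the
 * wildcard, RFC 1918 ranges and hostnames are all treated as exposed. */
static bool addr_is_local_only(const char *host)
{
    struct in_addr v4;
    struct in6_addr v6;

    if (inet_pton(AF_INET, host, &v4) == 1) {
        uint32_t a = ntohl(v4.s_addr);
        return (a >> 24) == 127 || (a >> 16) == 0xA9FE; /* 127/8, 169.254/16 */
    }
    if (inet_pton(AF_INET6, host, &v6) == 1)
        return IN6_IS_ADDR_LOOPBACK(&v6) || IN6_IS_ADDR_LINKLOCAL(&v6);
    return false; /* not an IP literal: assume exposed */
}

/* Hypothetical policy check for a "host:display" argument (IPv6 hosts in
 * brackets). Writes the address that would be bound into bind_host. */
enum vnc_verdict vnc_bind_policy(const char *arg, bool has_auth,
                                 char *bind_host, size_t len)
{
    const char *colon = strrchr(arg, ':');
    size_t hlen = colon ? (size_t)(colon - arg) : strlen(arg);

    if (hlen >= 2 && arg[0] == '[' && arg[hlen - 1] == ']') {
        arg++;          /* strip the IPv6 brackets */
        hlen -= 2;
    }
    if (hlen == 0)
        snprintf(bind_host, len, "127.0.0.1");   /* rule 1: loopback default */
    else
        snprintf(bind_host, len, "%.*s", (int)hlen, arg);
    /* Rule 2: an exposed listener without authentication is an error. */
    if (!has_auth && !addr_is_local_only(bind_host))
        return VNC_REFUSE;
    return VNC_ALLOW;
}
```

Under these assumptions ":1" resolves to 127.0.0.1 and is allowed without authentication, while "0.0.0.0:1" or "[::]:1" is refused unless an authentication method is configured.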
