other: 0.158 device: 0.097 semantic: 0.096 vnc: 0.093 network: 0.091 PID: 0.081 socket: 0.079 performance: 0.057 files: 0.055 debug: 0.049 boot: 0.045 permissions: 0.042 KVM: 0.031 graphic: 0.026 network: 0.647 debug: 0.071 other: 0.050 files: 0.036 socket: 0.034 vnc: 0.029 semantic: 0.026 device: 0.024 permissions: 0.020 PID: 0.019 performance: 0.016 boot: 0.013 graphic: 0.010 KVM: 0.004 Request to add something like "Auth failed from IP" log report for built-in VNC server In environment with needs of public accessible VNC ports there is no logs or other registered events about authentication failures to analyze and/or integrate it to automated services like fail2ban ans so on. Thus the built-in VNC service is vulnerable to brutforce attacks and in combination with weak built-in VNC-auth scheme can be a security vulnerability. Adding a simple log record like "QEMU VNC Authentication failed 192.168.0.5:5902 - 123.45.67.89:7898" will permit to quickly integrate it to fail2ban system. Note that any use of the built-in VNC-auth scheme is always considered a security flaw. It should essentially never be used, especially not on any public internet facing service, even if fail2ban were able to be used. A secure VNC server should use the VeNCrypt extension which enables TLS, with optional client certificate validation as an auth mechanism. Once you have TLS enabled, you can also then enable the SASL auth mechanism to further authenticate clients using Kerberos or PAM, or other SASL plugins. That's not to say we shouldn't emit a log message, suitable for consuming from fail2ban, as remote clients can still trigger a CPU denial of service by repeatedly connecting even if they ultimately always fail authentication. On Wed, 8 May 2019 at 14:23, Daniel Berrange