Ports

Port 5900: VNC

Remote desktop protocol. Security depends heavily on configuration and tunneling.

Where you will see it: You will see this in scans, firewall rules, vulnerability reports, and service configs. Treat open ports as exposure points and verify the service is expected, hardened, and restricted.

What it is

TCP port 5900 is commonly used by VNC, a remote desktop and screen sharing protocol. A port is a transport layer number used together with an IP address and a protocol such as TCP or UDP to direct traffic to the correct service on a host. A server process binds a socket to a port and listens, while a client typically chooses an ephemeral source port for outbound connections.

The combination of source and destination IP addresses, source and destination ports, and the transport protocol uniquely identifies a flow so the operating system can keep many conversations separate. Firewalls, NAT, and scanners talk about ports because the destination port is the stable rendezvous point that exposes a service to the network.

A VNC server binds to 5900, and a client connects from an ephemeral source port. After the TCP handshake, the two sides negotiate protocol options and authentication, then the server streams screen updates while the client sends mouse and keyboard events.

Many VNC implementations historically offered weak encryption or none, so the safe posture is to treat VNC as an internal-only service or to wrap it in a secure tunnel such as SSH or a VPN. From a security perspective, exposed 5900 is a common finding in scans and can lead to unauthorized desktop access if passwords are weak or the service is misconfigured.

How it works in broad strokes

  1. Client connects and negotiates the VNC protocol and supported authentication methods.
  2. User authenticates and the server streams framebuffer updates while receiving input events.
  3. If VNC is tunneled, the VNC traffic rides inside SSH or a VPN rather than being directly exposed.
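The negotiation in step 1 (and in the paragraph above about protocol options and authentication) is the RFB handshake: the server announces its ProtocolVersion as the 12 bytes "RFB 003.008\n", the client echoes a version, and the server then lists the security types it offers. The following parser, added here as an example and not code from the page, audits that announcement from a byte capture of your own server (for instance from a packet capture) and flags the two types the RFB specification defines as unencrypted: type 1 (None, no authentication) and type 2 (VNC Authentication, a DES challenge-response on a password truncated to 8 bytes, with no transport encryption). The sample byte strings and the type-name table beyond those two values are constructed for the example; the 5900 port itself plays no role because the bytes are parsed offline.

```python
import struct

# RFB security-type identifiers (values 1 and 2 are the weak ones the page
# warns about; the others are listed here for readable output).
SECURITY_TYPES = {
    0: "Invalid",
    1: "None",
    2: "VNC Authentication",
    5: "RA2",
    6: "RA2ne",
    16: "Tight",
    18: "TLS",
    19: "VeNCrypt",
}

# Types that leave the session unauthenticated or unencrypted on the wire.
WEAK_TYPES = {1, 2}


def parse_protocol_version(data):
    """Parse the 12-byte RFB ProtocolVersion message 'RFB xxx.yyy\\n'."""
    if len(data) < 12 or not data.startswith(b"RFB ") or data[11:12] != b"\n":
        raise ValueError("not an RFB ProtocolVersion message")
    major = int(data[4:7])
    minor = int(data[8:11])
    return (major, minor), data[12:]


def parse_security_types(version, data):
    """Parse the server's security-type announcement.

    RFB 3.3: a single big-endian U32 security type chosen by the server.
    RFB 3.7/3.8: U8 count followed by that many U8 security types; a count
    of 0 means the server refused and a U32-length reason string follows.
    """
    if version <= (3, 3):
        (sectype,) = struct.unpack(">I", data[:4])
        return [sectype], None
    count = data[0]
    if count == 0:
        (reason_len,) = struct.unpack(">I", data[1:5])
        reason = data[5:5 + reason_len].decode("latin-1")
        return [], reason
    return list(data[1:1 + count]), None


def audit_server_hello(capture):
    """Summarize what a VNC server offers before any client choice is made."""
    version, rest = parse_protocol_version(capture)
    types, reason = parse_security_types(version, rest)
    findings = []
    if reason is not None:
        findings.append(f"server refused connection: {reason}")
    if 1 in types:
        findings.append("offers 'None' security type: no authentication at all")
    if 2 in types:
        findings.append("offers 'VNC Authentication': DES challenge-response, "
                        "password truncated to 8 bytes, no transport encryption")
    if types and not (set(types) - WEAK_TYPES):
        findings.append("no encrypted security type (TLS/VeNCrypt) offered; "
                        "only acceptable behind an SSH tunnel or VPN")
    return {
        "version": f"{version[0]}.{version[1]}",
        "security_types": [SECURITY_TYPES.get(t, f"unknown({t})") for t in types],
        "findings": findings,
    }


# Constructed sample: the two messages a 3.8 server sends before the client
# picks a security type (ProtocolVersion, then a list offering None and VNC Auth).
SAMPLE_38 = b"RFB 003.008\n" + bytes([2, 1, 2])
# Constructed sample: a 3.3 server that forces VNC Authentication.
SAMPLE_33 = b"RFB 003.003\n" + struct.pack(">I", 2)
# Constructed sample: a 3.8 server offering only VeNCrypt (encrypted).
SAMPLE_OK = b"RFB 003.008\n" + bytes([1, 19])

if __name__ == "__main__":
    for name, cap in (("3.8 server", SAMPLE_38), ("3.3 server", SAMPLE_33),
                      ("VeNCrypt-only server", SAMPLE_OK)):
        result = audit_server_hello(cap)
        print(name, result["version"], result["security_types"])
        for finding in result["findings"]:
            print("  -", finding)
```

A server that lists only types 1 or 2 is the case the page calls out: it must sit behind SSH or a VPN, because nothing in the handshake itself protects the session. A server that offers VeNCrypt or TLS can still be misconfigured (weak password, no MFA), but at least the transport can be encrypted.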

Concrete example

A Linux workstation runs VNC for remote support. The team disables direct 5900 exposure and requires SSH port forwarding, so only authenticated SSH users can reach the VNC server.
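The posture described in this example (no direct 5900 exposure, access only through SSH port forwarding) is easy to verify on the workstation itself: the VNC server should be bound to the loopback address, and the only way in should be a forwarded port such as `ssh -L 5901:127.0.0.1:5900 user@workstation`, after which the VNC client connects to localhost:5901. The script below is an added example, not the page's or any VNC project's code. It parses `ss -ltn` style output (a constructed sample is embedded; on a real host you would feed it the command's actual output) and reports any VNC listener reachable from beyond loopback. It assumes the conventional mapping of display N to TCP 5900+N, which the page does not state, and it also serves the later monitoring advice about watching for new listening services.

```python
import ipaddress

# Assumption: VNC display N listens on TCP 5900 + N, so 5900-5999 covers the
# conventional display numbers (the page itself only names 5900).
VNC_PORTS = range(5900, 6000)


def _is_loopback(addr):
    """True for 127.0.0.0/8 and ::1; wildcard binds ('*', 0.0.0.0, ::) are not."""
    addr = addr.strip("[]")
    if addr == "*":
        return False
    try:
        return ipaddress.ip_address(addr).is_loopback
    except ValueError:
        return False


def parse_ss_listeners(ss_output):
    """Yield (local_addr, port) from `ss -ltn` style lines, skipping the header."""
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] != "LISTEN":
            continue
        # Local Address:Port is the fourth column; rpartition keeps IPv6 intact.
        addr, _, port = fields[3].rpartition(":")
        if not port.isdigit():
            continue
        yield addr, int(port)


def vnc_exposures(ss_output):
    """Return VNC listeners that are reachable from beyond the loopback interface."""
    return [(addr, port) for addr, port in parse_ss_listeners(ss_output)
            if port in VNC_PORTS and not _is_loopback(addr)]


# Constructed sample of `ss -ltn` output: display :1 correctly bound to
# loopback, display :0 exposed on all IPv4 and IPv6 addresses, plus SSH.
SAMPLE_SS = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port  Process
LISTEN  0       5       127.0.0.1:5901       0.0.0.0:*
LISTEN  0       5       0.0.0.0:5900         0.0.0.0:*
LISTEN  0       5       [::]:5900            [::]:*
LISTEN  0       128     0.0.0.0:22           0.0.0.0:*
"""

if __name__ == "__main__":
    exposed = vnc_exposures(SAMPLE_SS)
    if not exposed:
        print("OK: every VNC listener is bound to loopback; reach it via ssh -L")
    for addr, port in exposed:
        print(f"EXPOSED: VNC display :{port - 5900} listening on {addr}:{port} "
              f"(bind it to loopback and tunnel over SSH instead)")
```

In the sample, display :1 passes and display :0 fails on both address families. Most VNC servers have a switch for the loopback bind (TigerVNC's `vncserver` and x11vnc both call it `-localhost`); pair it with a firewall rule that drops inbound 5900-5999 so a later configuration change cannot silently reopen the port.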

Why it matters

VNC is a frequent finding in internal scans and on lab systems. Exposed VNC can lead to full interactive control, so it is treated as a high-impact service similar to RDP. Even with encryption, weak passwords and lack of MFA remain a problem.

Security angle

  • Require a VPN or SSH tunnel, enforce strong auth, and restrict by network.
  • Disable unused VNC servers and patch regularly.
  • Monitor for repeated auth failures and new listening services.

Common pitfalls

  • Running VNC without encryption or with default passwords.
  • Exposing 5900 beyond a management network.
  • Assuming a tunneled setup is safe while leaving the tunnel endpoints poorly protected.