Unattended servers normally provide only a minimal set of applications, to avoid the security vulnerabilities that come with a large amount of software. In some cases people still want to install a remote User Interface (UI) session on those servers to play around with technology. There are multiple tools which can be used:
- Teamviewer
  Famous among Windows platforms. Due to package dependencies the native installer might not work properly. Ubuntu, for instance, requires manual dependency resolution and installation. If no monitor is connected to the hardware, this method will experience issues starting the X server, as the whole setup and configuration is based on installed monitors.
- TightVNC (fork of RealVNC)
  TightVNC is a GPL 2.0 platform which also provides remote desktop functionality. It is also better integrated into virtualization, e.g. for UI reasons.
Installation
Installing VNC is quickly completed. Please note that XFCE4 is used as the desktop. If you want to use GNOME or another desktop, keep in mind that you also need to configure it later on.
    // Update package repository
    # sudo apt update

    // Install XFCE 4 Desktop and TightVNC
    # sudo apt install xfce4 xfce4-goodies tightvncserver

    // Complete VNC installation
    # vncserver
    You will require a password to access your desktops.
    Password:
    Verify:
    Would you like to enter a view-only password (y/n)? n
    xauth: file /home/ubuntu/.Xauthority does not exist
    New 'X' desktop is Noctua:1
    Creating default startup script /home/ubuntu/.vnc/xstartup
    Starting applications specified in /home/ubuntu/.vnc/xstartup
    Log file is /home/ubuntu/.vnc/Noctua:1.log
Configuration
Configuring an administrative console such as a remote desktop protocol requires attention to several aspects. Keep the security part especially in mind when playing around with such installations, as people could take over your server while you remain responsible for it:
- Application configuration
- Security
    // Create separate user for TightVNC
    # sudo useradd -m vnc
    # sudo passwd vnc
    Enter new UNIX password:
    Retype new UNIX password:
    passwd: password updated successfully

    // Proceed as TightVNC user
    # su vnc

    // Verify installation and note log file location for event logging (security)
    $ cd ~
    $ vncserver
    You will require a password to access your desktops.
    Password:
    Verify:
    Would you like to enter a view-only password (y/n) ? n
    xauth: file /home/vnc/.Xauthority does not exist
    New 'X' desktop is noctua.maas:1
    Creating default startup script /home/vnc/.vnc/xstartup
    Starting applications specified in /home/vnc/.vnc/xstartup
    Log file is /home/vnc/.vnc/noctua.maas:1.log

    // Shutdown TightVNC
    $ vncserver -kill :1
    Killing Xtightvnc process ID 24220

    // Backup start-script
    $ mv ~/.vnc/xstartup ~/.vnc/xstartup.bak

    // Re-configure start-script to boot desktop manager as background service
    $ vim ~/.vnc/xstartup
    #!/bin/bash
    xrdb $HOME/.Xresources
    startxfce4 &

    // Adjust execution rights (add execution rights)
    $ chmod +x ~/.vnc/xstartup

    // Verify configuration
    $ vncserver
    New 'X' desktop is noctua.maas:1
    Starting applications specified in /home/vnc/.vnc/xstartup
    Log file is /home/vnc/.vnc/noctua.maas:1.log
The server should be accessible by now. You can connect to the server via VNC Viewer for Google Chrome (browser plugin). Please note that the VNC server is not yet secured. The default port range for TightVNC is 5900 – 6000. As you might have noticed, our VNC monitor received the ID :1; this ID is used as the port offset. Therefore our VNC monitor will be reachable via port 5901.
VNC Login
- Open Google Chrome and start the VNC Plugin.
- Connect to your VNC server. If it is running on a VM or an external host, make sure to set the correct hostname and port.
- TightVNC will inform you about missing encryption. Encrypted connections are a premium feature.
- TightVNC will request the configured password. The password is transmitted encrypted (DES challenge-response scheme with 8 characters and 56 bit).
- You are connected to the host via GUI. For the initial startup, you can choose to accept the default settings.
Limiting Server Access
As the protocol is unencrypted and publicly available, any kind of attack on it is easy. You can rely on system boundaries and accept this security situation; otherwise you should secure it.
    // Shutdown TightVNC
    $ vncserver -kill :1
    Killing Xtightvnc process ID 24320

    // Register TightVNC as system service
    $ exit
    # sudo vim /etc/systemd/system/vncserver@.service
    [Unit]
    Description=Start TightVNC server at startup
    After=syslog.target network.target

    [Service]
    Type=forking
    User=vnc
    PAMName=login
    # %H expands to the host name and %i to the display number
    PIDFile=/home/vnc/.vnc/%H:%i.pid
    ExecStartPre=-/usr/bin/vncserver -kill :%i
    ExecStart=/usr/bin/vncserver -depth 24 -localhost -geometry 1920x1080 :%i
    ExecStop=/usr/bin/vncserver -kill :%i

    [Install]
    WantedBy=multi-user.target
Please note the following configuration:
- ExecStart -localhost
  Limits access to sessions opened via localhost, which is the server itself. Therefore you cannot access the server from outside the box. If external clients cannot connect to the server anyway, e.g. by leveraging system boundaries, you can skip this parameter.
- ExecStart -geometry
  Defines the screen resolution of the virtual monitor. Standardized resolutions can be found on Wikipedia. You can also create custom settings.
    // Reload system control utility
    # sudo systemctl daemon-reload

    // Verify installed system service
    # sudo service vncserver@1 start

    // Enable auto-start of TightVNC
    # sudo systemctl enable vncserver@1.service
If you configured a localhost-only connection, you must set up an SSH tunnel to the server and redirect the traffic to TightVNC. Otherwise you can simply connect to the UI via VNC from now on. Please note that you should also consider securing the connection and its protocol to avoid network sniffing attacks, as all data is still transmitted unencrypted.
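To confirm that `-localhost` actually took effect and to build the matching SSH tunnel, the following is an added example and not part of the original article. The function names, the constructed `ss -Htln` sample and the host `vnc@server.example` are assumptions; on the server you would pipe real `ss -Htln` output into `exposed_vnc_listeners`.

```shell
#!/bin/sh
# Added example: audit VNC listeners and print the SSH tunnel command.

# Map an X display (":1" or "1") to its VNC TCP port (5900 + display).
vnc_port() {
  d="${1#:}"
  echo $((5900 + d))
}

# Read `ss -Htln` output on stdin (column 4 = Local Address:Port) and print
# every listener in the range 5900-6000 that is NOT bound to loopback.
# Exit status is 1 if at least one such listener exists, 0 otherwise.
exposed_vnc_listeners() {
  awk '
    {
      addr = $4
      n = split(addr, parts, ":")
      port = parts[n] + 0
      host = substr(addr, 1, length(addr) - length(parts[n]) - 1)
      if (port < 5900 || port > 6000) next
      if (host == "127.0.0.1" || host == "[::1]") next
      print addr
      found = 1
    }
    END { exit (found ? 1 : 0) }
  '
}

# Print the client-side command that forwards the local VNC port over SSH.
# $1 = user@host (placeholder in this example), $2 = display.
tunnel_cmd() {
  p="$(vnc_port "$2")"
  echo "ssh -N -L ${p}:localhost:${p} $1"
}

# Constructed sample (not captured from a real host): display :1 was started
# with -localhost, display :2 without it.
SAMPLE_SS='LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 5 127.0.0.1:5901 0.0.0.0:*
LISTEN 0 5 0.0.0.0:5902 0.0.0.0:*
LISTEN 0 5 [::1]:5901 [::]:*'

printf '%s\n' "$SAMPLE_SS" | exposed_vnc_listeners \
  || echo "the listeners above are reachable from the network"
tunnel_cmd vnc@server.example :1
```

With the tunnel running on the client, the VNC viewer connects to `localhost:5901` and the traffic travels inside the SSH session.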