A Complete Guide for IT and Hosting Professionals
A VNC port is the TCP network port used by the Virtual Network Computing (VNC) protocol to establish a remote desktop session between a client and a server. Understanding how VNC ports work — including default assignments, configuration options, and security implications — is essential for system administrators, cloud architects, and managed hosting clients, especially in modern VPS Hosting environments.
This guide explains how the VNC port works, outlines standard port assignments, covers real-world use cases across industries, and details the security controls required for safe deployment in VPS Hosting scenarios.
What Is a VNC Port?
Each VNC server instance listens on a specific port, and the client must connect to that exact port to initiate a session. This is especially relevant when you access your VPS via VNC in Virtualizor, where each virtual machine is mapped to its own display and corresponding port.
Default VNC Port Mapping
- Display :0 → TCP 5900
- Display :1 → TCP 5901
- Display :2 → TCP 5902
- Legacy web access → TCP 5800
Formula:
VNC port = 5900 + display number
Note: Only port 5900 is officially registered for RFB; other ports follow convention rather than formal assignment.
Reference:
https://www.rfc-editor.org/rfc/rfc6143.html
How the VNC Port Works (Protocol Level)
When a client connects to a VNC port:
- A TCP connection is established (SYN → SYN-ACK → ACK)
- The RFB protocol negotiates:
  - Version compatibility
  - Authentication method
- The session begins:
  - Screen updates (framebuffer)
  - Keyboard/mouse input
  - Clipboard sync
The connection remains persistent over that single TCP port.
Default vs Custom VNC Ports
While default ports are widely used, exposing them publicly is risky.
Best practice:
- Do not expose VNC directly to the internet
- Use:
  - SSH tunneling
  - VPN access
  - TLS encryption
  - IP allowlisting
Changing the port (e.g., 15900 instead of 5900) may reduce automated scan noise, but it does not provide real security. It is only a minor obfuscation measure.
VNC Port vs RDP Port
| Protocol | Default Port | Platform |
| VNC (RFB) | 5900+ | Cross-platform |
| RDP | 3389 | Windows |
Reference:
https://learn.microsoft.com/en-us/windows-server/remote/remote-desktop-services/
VNC is platform-independent, while RDP is Microsoft-specific.
VNC Port Reference Table
| Port | Display | Use Case | Security Recommendation |
| 5900 | :0 | Primary session | Restrict + tunnel |
| 5901 | :1 | Secondary session | VPN or localhost binding |
| 5902–5910 | :2–:10 | Multi-user environments | VLAN segmentation |
| 5800 | Web (legacy) | Browser access | Disable unless required |
| Custom (e.g. 15900) | Any | Hardened deployments | Use with VPN/TLS |
VNC Port Use Cases by Industry
iGaming
Used for real-time server maintenance and emergency interventions.
Regulated environments require documented access controls.
Fintech
Supports remote management of payment systems and trading platforms.
Security must align with PCI DSS encryption and access control requirements.
SaaS & Cloud
Used for:
- OS-level debugging
- VM recovery
- Backup access when SSH fails
Healthcare
Supports remote access to:
- PACS systems
- Imaging workstations
Encryption and logging are required under HIPAA.
Hosting & Data Centres
Provides out-of-band access when:
- Network fails
- Firewall misconfigurations occur
- OS crashes
Securing the VNC Port (Best Practices)
Important:
The RFB protocol itself does not guarantee encryption.
Reference:
https://www.rfc-editor.org/rfc/rfc6143.html
SSH Tunnelling
- Bind VNC to localhost (127.0.0.1)
- Access via SSH tunnel
Strong encryption
Industry standard for Linux environments
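To confirm that a server really is bound to localhost, check its listening sockets rather than its configuration file. The following is an added example, not part of the original guide: it reads `ss -Htln` output, inverts the port formula to recover the display number, and marks every VNC listener that is reachable from the network. The function name, the display range checked, the `extra_ports` parameter and the sample output are assumptions of this example.

```python
import ipaddress

VNC_BASE = 5900
MAX_DISPLAY = 99  # upper bound on displays checked; an assumption of this example

def audit_vnc_listeners(ss_output, extra_ports=()):
    """Return (display, address, port, status) for each VNC listener found."""
    findings = []
    for line in ss_output.strip().splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue
        host, _, port_text = fields[3].rpartition(":")
        if not port_text.isdigit():
            continue
        port = int(port_text)
        in_range = VNC_BASE <= port <= VNC_BASE + MAX_DISPLAY
        if not (in_range or port in extra_ports):
            continue
        # Invert the formula: display = port - 5900 (custom ports have none).
        display = port - VNC_BASE if in_range else None
        host = host.strip("[]").split("%")[0]
        if host in ("*", ""):
            loopback = False  # wildcard bind: every interface
        else:
            loopback = ipaddress.ip_address(host).is_loopback
        status = "loopback-only" if loopback else "network-reachable"
        findings.append((display, host, port, status))
    return findings

# Constructed `ss -Htln` output (not taken from a real host).
SAMPLE_SS = """\
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 5 127.0.0.1:5901 0.0.0.0:*
LISTEN 0 5 0.0.0.0:5902 0.0.0.0:*
LISTEN 0 5 [::]:5900 [::]:*
LISTEN 0 5 10.0.0.5:15900 0.0.0.0:*
"""

if __name__ == "__main__":
    for finding in audit_vnc_listeners(SAMPLE_SS, extra_ports=(15900,)):
        print(finding)
```

A listener on a custom port such as 15900 is only found when it is passed in `extra_ports`, which is the same reason a non-default port hides nothing from anyone who looks at the whole port range.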
VPN Access
Restrict VNC to internal networks via:
- WireGuard
- OpenVPN
Meets segmentation requirements
Reduces exposure surface
Firewall & IP Whitelisting
- Default-deny policy
- Allow only trusted IPs
Example tools:
- iptables / nftables
- Cloud security groups
TLS Encryption
Modern VNC implementations (e.g. RealVNC, TigerVNC) support encryption.
Reference:
https://help.realvnc.com/hc/en-us/articles/360002251297
Note:
Encryption availability depends on the implementation — not all VNC servers support it by default.
Multi-Factor Authentication (MFA)
Not native to all VNC servers.
Often implemented via:
- VPN MFA
- SSH MFA
- PAM integration
Non-Default Ports
Reduces automated scan noise
Not a primary security control
Compliance Considerations
Using VNC securely can support compliance frameworks, but does not guarantee compliance by itself.
Frameworks include:
- PCI DSS
- ISO 27001
- HIPAA
- GDPR
Requirements typically include:
- Encryption in transit
- Access control
- Logging and audit trails
Frequently Asked Questions
TCP 5900 for display :0, incrementing per display.
No — basic RFB is not encrypted.
Encryption must be added via:
- SSH
- VPN
- TLS-enabled VNC server
Yes. Each uses its own display and port:
- :0 → 5900
- :1 → 5901
- :2 → 5902
No.
Always use:
- VPN or SSH tunnel
- Firewall restrictions
Legacy Java-based access — deprecated and should usually be disabled.
Conclusion
The VNC port is a core component of remote server administration across industries.
Key takeaways:
- Default port = 5900 + display
- RFB is not secure by default
- Never expose VNC directly to the internet
- Use VPN, SSH, TLS, and strict firewall rules
- Custom ports help reduce noise but do not replace real security
When properly secured, VNC provides a reliable and flexible remote access solution that can support — but not alone guarantee — compliance with modern security frameworks.





