I have my arch laptop at home connected to a cable modem. I have set iptables. hosts.deny gets all.
$ nmap localhost
Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2006-11-29 14:02 UTC
Interesting ports on localhost.localdomain (127.0.0.1):
Not shown: 1678 closed ports
PORT STATE SERVICE
631/tcp open ipp
6000/tcp open X11
Do I need these ports opened?
More:
# netstat -lptu
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 *:6000 *:* LISTEN 2394/X
tcp 0 0 zark.localdomain:631 *:* LISTEN 2290/cupsd
tcp 0 0 *:6000 *:* LISTEN 2394/X
udp 0 0 *:bootpc *:* 2229/dhcpcd
udp 0 0 *:631 *:* 2290/cupsd
Should the cups daemon be listening on 631? Suggestions are welcome.
Cheers!
Offline
tcp 0 0 zark.localdomain:631
Cupsd is listening for connections only from zark.localdomain, which I guess is the local machine, so it should be safe.
tcp 0 0 *:6000
You can start the X server with option '-nolisten tcp' to close this port. Look for Xserver arguments or similar in your display manager settings.
Offline
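The bind-address reading in the reply above, as an added example that is not part of the thread: a filter that labels each listener as loopback-only, wildcard, or bound to one address. It assumes numeric `netstat -lntup` output; the sample rows are constructed from the thread's listing, and the 127.0.0.1 bind for cupsd and the tcp6 row are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. Input is assumed to be in
# `netstat -lntup` format: numeric addresses, so no hostname guessing.

classify_listeners() {
    awk '
    $1 ~ /^(tcp|udp)/ {
        # TCP rows have a State column; UDP listener rows do not.
        if ($1 ~ /^tcp/ && $6 != "LISTEN") next
        prog = ($1 ~ /^tcp/) ? $7 : $6
        if (prog == "") prog = "-"
        # Split host:port at the LAST colon, since IPv6 hosts contain colons.
        idx = match($4, /:[^:]*$/)
        host = substr($4, 1, idx - 1)
        port = substr($4, idx + 1)
        if (host ~ /^127\./ || host == "::1")
            scope = "LOOPBACK"    # reachable only from this machine
        else if (host == "0.0.0.0" || host == "::" || host == "*")
            scope = "WILDCARD"    # bound on every interface
        else
            scope = "ADDRESS"     # bound to one specific interface address
        print scope, $1, port, prog
    }'
}

# Constructed sample: the listeners from the thread, rewritten in numeric form.
sample_netstat() {
    cat <<'EOF'
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:6000 0.0.0.0:* LISTEN 2394/X
tcp 0 0 127.0.0.1:631 0.0.0.0:* LISTEN 2290/cupsd
tcp6 0 0 :::6000 :::* LISTEN 2394/X
udp 0 0 0.0.0.0:68 0.0.0.0:* 2229/dhcpcd
udp 0 0 0.0.0.0:631 0.0.0.0:* 2290/cupsd
EOF
}

sample_netstat | classify_listeners
```

On a live system, pipe `netstat -lntup` into `classify_listeners`; run it as root to see program names for other users' processes.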
Added the -nolisten tcp option to the startx line in my .bashrc. This seemed the best solution to me as I log in on the console and then start ion from there.
Port is closed now.
Thanx sh_
Offline
Defaulting port 6000 open by startx is not good for security. I would recommend adding the no-listen switch in /usr/bin/startx defaultserverargs= variable to turn it off by default for all users.
Offline
Defaulting port 6000 open by startx is not good for security. I would recommend adding the no-listen switch in /usr/bin/startx defaultserverargs= variable to turn it off by default for all users.
Heavy on my Xdmcp setup where I run a full KDE session on a remote machine. That would so break it. I would rather suggest having it include /etc/conf.d/xorg and offer some alternative configurations there that then get included into startx.
I recognize that while theory and practice are, in theory, the same, they are, in practice, different. -Mark Mitchell
Offline
tyler@tungsten ~ $ cat .xserverrc
#!/bin/bash
startx_pid=$(pgrep startx)
authfile=${HOME}/.serverauth.${startx_pid}
exec X :0 -br -auth $authfile -deferglyphs 16
:?:
Offline
alex@zark~#cat .xserverrc
#!/bin/bash
startx_pid=$(pgrep startx)
authfile=${HOME}/.serverauth.${startx_pid}
exec X :0 -br -auth $authfile -deferglyphs 16
It worked just fine. If I'm not mistaken, it's a .xserverrc script like this for every account, right?
Offline
What I'm suggesting is to add --no-listen tcp to /usr/bin/startx to close off socket 6000 by default for all users. The way it stands now that port is open by default. For those users needing it open for whatever reason the .xserverrc I provided should be used to open it up.
Close by default and open it up manually if need be.
Offline
got it.
thanx T-Dawg.
Offline
tyler@tungsten ~ $ cat .xserverrc
#!/bin/bash
startx_pid=$(pgrep startx)
authfile=${HOME}/.serverauth.${startx_pid}
exec X :0 -br -auth $authfile -deferglyphs 16
Just noticed I overlooked something.
trap 'rm -f "$authfile"' EXIT
is needed below the interpreter header to remove the leftover file once you exit out of X. Otherwise you'll get ten thousand serverauth files lying around in home.
Offline
mmmm...
After the last upgrade I was having that problem then found this:
http://www.shallowsky.com/blog/linux/serverauth.html
It worked for me.
Offline