#1 2006-11-29 14:25:37

Alexo
Member
From: near a cup of coffee
Registered: 2005-06-27
Posts: 90

doubt regarding localhost ports

I have my arch laptop at home connected to a cable modem. I have set iptables. hosts.deny gets all.

$ nmap localhost

Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2006-11-29 14:02 UTC
Interesting ports on localhost.localdomain (127.0.0.1):
Not shown: 1678 closed ports
PORT     STATE SERVICE
631/tcp  open  ipp
6000/tcp open  X11

Do I need these ports opened?
More:

#  netstat -lptu
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name   
tcp        0      0 *:6000                  *:*                     LISTEN      2394/X              
tcp        0      0 zark.localdomain:631    *:*                     LISTEN      2290/cupsd          
tcp        0      0 *:6000                  *:*                     LISTEN      2394/X              
udp        0      0 *:bootpc                *:*                                 2229/dhcpcd         
udp        0      0 *:631                   *:*                                 2290/cupsd

         

Should the cups daemon be listening on 631? Suggestions are welcome.
Cheers!

Offline

#2 2006-11-29 16:32:04

sh__
Member
Registered: 2005-07-19
Posts: 272

Re: doubt regarding localhost ports

tcp        0      0 zark.localdomain:631

Cupsd is listening for connections only from zark.localdomain, which I guess is the local machine, so it should be safe.

tcp        0      0 *:6000

You can start the X server with option '-nolisten tcp' to close this port. Look for Xserver arguments or similar in your display manager settings.

Offline
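
An added example, not part of the original posts: the difference pointed out above between a socket bound to one address and one bound to `*` can be checked mechanically. It classifies listeners from numeric `netstat -ltun` output; the sample lines are constructed (modelled on the first post, with 127.0.0.1 assumed for cupsd) and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: flag listening sockets that are bound to every interface.
# Expects the column layout of `netstat -ltun` (numeric addresses).

# Constructed sample, modelled on the netstat output in the first post.
sample_netstat() {
cat <<'EOF'
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:6000            0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN
udp        0      0 0.0.0.0:68              0.0.0.0:*
udp        0      0 0.0.0.0:631             0.0.0.0:*
EOF
}

# Print "proto port scope" per socket. scope is one of:
#   all-interfaces   - wildcard bind, reachable from the network unless filtered
#   loopback         - only reachable from the machine itself
#   specific-address - bound to one non-loopback address
classify_listeners() {
    awk '
    $1 ~ /^(tcp|udp)6?$/ {
        if ($1 ~ /^tcp/ && $6 != "LISTEN") next    # skip non-listening TCP rows
        port = $4; sub(/^.*:/, "", port)           # text after the last colon
        host = $4; sub(/:[^:]*$/, "", host)        # text before the last colon
        if (host == "0.0.0.0" || host == "*" || host == "::" || host == "[::]")
            scope = "all-interfaces"
        else if (host ~ /^127\./ || host == "::1" || host == "[::1]")
            scope = "loopback"
        else
            scope = "specific-address"
        print $1, port, scope
    }'
}

# Only the sockets worth a second look, as proto/port.
exposed_ports() {
    classify_listeners | awk '$3 == "all-interfaces" { print $1 "/" $2 }'
}

# Run against the constructed sample; on a live system use:
#   netstat -ltun | exposed_ports
sample_netstat | exposed_ports
```

A wildcard bind still has to pass the packet filter, so compare this list with the iptables rules rather than with a scan of localhost, which only exercises the loopback path.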

#3 2006-11-29 17:14:58

Alexo
Member
From: near a cup of coffee
Registered: 2005-06-27
Posts: 90

Re: doubt regarding localhost ports

Added the -nolisten tcp option to the startx line in my .bashrc. This seemed the best solution to me as I log in at the console and then start ion from there.
Port is closed now.
Thanx sh_

Offline

#4 2006-11-29 17:17:28

T-Dawg
Forum Fellow
From: Charlotte, NC
Registered: 2005-01-29
Posts: 2,736

Re: doubt regarding localhost ports

Defaulting port 6000 open by startx is not good for security. I would recommend adding the no-listen switch in /usr/bin/startx defaultserverargs= variable to turn it off by default for all users.

Offline

#5 2006-11-30 08:32:04

kth5
Member
Registered: 2004-04-29
Posts: 657
Website

Re: doubt regarding localhost ports

T-Dawg wrote:

Defaulting port 6000 open by startx is not good for security. I would recommend adding the no-listen switch in /usr/bin/startx defaultserverargs= variable to turn it off by default for all users.

Heavy on my Xdmcp setup where I run a full KDE session on a remote machine. That would so break it. :) I would rather suggest having it include /etc/conf.d/xorg and offer some alternative configurations there that then get included into startx.


I recognize that while theory and practice are, in theory, the same, they are, in practice, different. -Mark Mitchell

Offline

#6 2006-11-30 09:56:13

T-Dawg
Forum Fellow
From: Charlotte, NC
Registered: 2005-01-29
Posts: 2,736

Re: doubt regarding localhost ports

tyler@tungsten ~ $ cat .xserverrc 
#!/bin/bash
startx_pid=$(pgrep startx)
authfile=${HOME}/.serverauth.${startx_pid}
exec X :0 -br -auth $authfile -deferglyphs 16

:?:

Offline

#7 2006-11-30 14:17:22

Alexo
Member
From: near a cup of coffee
Registered: 2005-06-27
Posts: 90

Re: doubt regarding localhost ports

alex@zark~#cat .xserverrc 
#!/bin/bash 
startx_pid=$(pgrep startx) 
authfile=${HOME}/.serverauth.${startx_pid} 
exec X :0 -br -auth $authfile -deferglyphs 16

It worked just fine. If I'm not mistaken, it's a .xserverrc script like this for every account, right?

Offline

#8 2006-11-30 14:59:05

T-Dawg
Forum Fellow
From: Charlotte, NC
Registered: 2005-01-29
Posts: 2,736

Re: doubt regarding localhost ports

What I'm suggesting is to add --no-listen tcp to /usr/bin/startx to close off socket 6000 by default for all users. The way it stands now that port is open by default. For those users needing it open for whatever reason the .xserverrc I provided should be used to open it up.
Close by default and open it up manually if need be.

Offline

#9 2006-11-30 15:30:52

Alexo
Member
From: near a cup of coffee
Registered: 2005-06-27
Posts: 90

Re: doubt regarding localhost ports

got it.
thanx T-Dawg.

Offline

#10 2006-12-06 12:19:24

T-Dawg
Forum Fellow
From: Charlotte, NC
Registered: 2005-01-29
Posts: 2,736

Re: doubt regarding localhost ports

T-Dawg wrote:
tyler@tungsten ~ $ cat .xserverrc 
#!/bin/bash
startx_pid=$(pgrep startx)
authfile=${HOME}/.serverauth.${startx_pid}
exec X :0 -br -auth $authfile -deferglyphs 16

Just noticed I overlooked something.

trap 'rm -f "$authfile"' EXIT

Is needed below the interpreter header to remove the leftover file once you exit out of X. Otherwise you'll get ten thousand serverauth files lying around in home.

Offline
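
An added example, not code from the thread: whether a cleanup trap removes the auth file depends on the script not ending in `exec`, because `exec` replaces the shell that holds the trap. The function names are hypothetical, the server command is passed in so the logic runs without X, and the auth file is created with `mktemp` here as an assumption.

```shell
#!/bin/sh
# Added example: auth-file cleanup with and without exec.
# $1 = directory for the auth file ($HOME in real use, an assumption here)
# remaining args = server command; "-auth FILE" is appended to it.

# Runs the server as a child, so the EXIT trap survives and removes the file.
start_server() (
    dir=$1; shift
    authfile=$(mktemp "$dir/.serverauth.XXXXXX") || exit 1
    # Single quotes: one command string, expanded when the trap fires.
    trap 'rm -f "$authfile"' EXIT
    # Turn common termination signals into a normal exit so EXIT runs.
    trap 'exit 1' HUP INT TERM
    status=0
    "$@" -auth "$authfile" || status=$?
    exit "$status"
)

# Same setup, but exec replaces this shell: the trap is lost with it
# and the auth file stays behind.
start_server_exec() (
    dir=$1; shift
    authfile=$(mktemp "$dir/.serverauth.XXXXXX") || exit 1
    trap 'rm -f "$authfile"' EXIT
    exec "$@" -auth "$authfile"
)

# Number of leftover auth files in a directory.
count_authfiles() {
    find "$1" -name '.serverauth.*' | wc -l | tr -d ' '
}
```

In a real `.xserverrc` the server command would be something like `X :0 -nolisten tcp`; `true` works as a stand-in when trying the functions out.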

#11 2006-12-07 00:40:22

Alexo
Member
From: near a cup of coffee
Registered: 2005-06-27
Posts: 90

Re: doubt regarding localhost ports

mmmm...
After the last upgrade I was having that problem then found this:
http://www.shallowsky.com/blog/linux/serverauth.html
it worked for me.

Offline
