
#1 2007-06-14 15:10:06

calef13
Member
Registered: 2007-06-10
Posts: 142

xorg security

Hi,

I ran netstat recently and noticed that X server was listening on port 6000 on all interfaces, not just local loopback. I figured that the firewall was blocking it anyway but then noticed that iptables was not installed. Is there any reason why X should listen on all interfaces by default especially when there isn't a firewall installed if you only pick base packages (as recommended) at installation, or isn't that the case and I have done something I shouldn't have? Also is there any way I can force X to only listen on the lo interface?

Thanks,

Calef13


#2 2007-06-14 15:55:26

phildg
Member
Registered: 2006-03-10
Posts: 146

Re: xorg security

There's no point running X on only the loopback address. X listens on the network so that you can run X applications on remote hosts.

You want to disable tcp communication altogether if you only run applications on the local host. This can be done by putting the following into /etc/X11/xinit/xserverrc:

exec X :0 -nolisten tcp


#3 2007-06-14 16:53:48

calef13
Member
Registered: 2007-06-10
Posts: 142

Re: xorg security

There was no xserverrc file, so I created one and fired the line you gave me into it. I also added it to the xinitrc, but still no joy.

Calef13


#4 2007-06-14 17:07:18

[vEX]
Member
From: Sweden
Registered: 2006-11-23
Posts: 450

Re: xorg security

I'm not sure which file I put it in, but I have my X set not to listen on TCP. The only thing I can find is suggestions to edit /usr/bin/startx and add it to "defaultserverargs". But since I use GDM I have added it to some other file and I can't remember which one.




#5 2007-06-14 17:29:40

hussam
Member
Registered: 2006-03-26
Posts: 572
Website

Re: xorg security

By default, gdm appends -nolisten tcp when it starts an X session.



#6 2007-06-14 18:32:22

calef13
Member
Registered: 2007-06-10
Posts: 142

Re: xorg security

It's ok now anyway, I configured iptables to take care of it, and that means I can still use it to run X apps on remote machines if I ever need to, as phildg mentioned.

Thanks for all the replies anyway,

Calef13


#7 2007-06-14 22:36:49

phildg
Member
Registered: 2006-03-10
Posts: 146

Re: xorg security

Perhaps you should tell us how you're launching X. I launch it manually and what I suggested works on my system. If however you're happy with using iptables to block it then never mind.


#8 2007-06-17 02:24:02

slackhack
Member
Registered: 2004-06-30
Posts: 738

Re: xorg security

I don't have an /etc/X11/xinit/xserverrc file, either. What I do is add "-nolisten tcp" to the defaultserverargs= option in the /usr/bin/startx script itself. Another way to do it is to make "startx -- -nolisten tcp" an alias for the startx command (edit: if you log in manually from the command line).


heh, ADD strikes again. lol



#9 2007-06-17 14:58:24

calef13
Member
Registered: 2007-06-10
Posts: 142

Re: xorg security

phildg,

I'm launching X automatically when I boot, from rc.conf I launch kdm and so on. I did boot it manually for a while though. Thanks for the tip about adding it to /usr/bin/startx slackhack, I'll give that a go.

Calef13


#10 2007-06-17 18:18:45

hungsonbk
Member
Registered: 2007-05-26
Posts: 105
Website

Re: xorg security

If you are using KDE, you can shut down port 6000 by editing the /opt/kde/share/config/kdm/kdmrc file. Look at the entry ServerCmd and put this line in:

ServerCmd=/usr/bin/X -br -nolisten tcp

Cheers
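Whichever launcher you add -nolisten tcp to (xserverrc, startx, gdm, kdmrc), the thing to verify afterwards is the same one the original poster saw in netstat: whether an X display is still bound to TCP 6000+ on a non-loopback address. The following shell check is an added example written for this thread, not code from any poster; it reads `netstat -ltn`-style output on stdin (the sample below is constructed) and flags X listeners that are reachable from other hosts.

```shell
#!/bin/sh
# Added example: find X servers listening on TCP and classify their scope.
# Input: `netstat -ltn` style lines (Proto Recv-Q Send-Q Local Foreign State).
# X display :N listens on TCP port 6000+N, so ports 6000-6063 cover :0 to :63.
# Exit status: 0 if every X listener is loopback-only (or there is none),
#              1 if any X display is bound to all interfaces or an external IP.
x_tcp_listeners() {
    awk '
    $NF == "LISTEN" && $1 ~ /^tcp/ {
        addr = $4
        n = split(addr, parts, ":")          # last field is the port
        port = parts[n] + 0
        host = substr(addr, 1, length(addr) - length(parts[n]) - 1)
        if (port < 6000 || port > 6063) next # not an X display port
        display = port - 6000
        if (host == "127.0.0.1" || host == "::1" || host == "localhost")
            scope = "loopback-only"
        else if (host == "0.0.0.0" || host == "::" || host == "*")
            scope = "ALL-INTERFACES"         # what the OP saw: exposed to the LAN
        else
            scope = "EXTERNAL"               # bound to one routable address
        printf "display :%d on %s -> %s\n", display, addr, scope
        if (scope != "loopback-only") exposed++
    }
    END { exit (exposed > 0) }'
}

# Constructed sample: an X server started without -nolisten tcp (display :0
# on IPv4 and IPv6 wildcards), plus a CUPS listener and a loopback-only :1.
SAMPLE_NETSTAT='Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:6000            0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN
tcp6       0      0 :::6000                 :::*                    LISTEN
tcp        0      0 127.0.0.1:6001          0.0.0.0:*               LISTEN'

# Constructed sample after the fix: with -nolisten tcp there is no 6000 socket.
SAMPLE_HARDENED='tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN'

# Stand-alone run: on a live box replace the sample with `netstat -ltn | x_tcp_listeners`.
printf '%s\n' "$SAMPLE_NETSTAT" | x_tcp_listeners || echo "WARNING: X is reachable over TCP"
```

On a system where the launcher fix took effect, the function prints nothing and returns 0; a display still listed as ALL-INTERFACES means the argument was added to a file the running launcher does not read.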

