How Do I Prevent X From Exposing A TCP Port?

When you bring up X with the startx command, or via the xdm graphical login, X listens on TCP port 6000 (for display :0; display :N listens on port 6000+N), and that port is reachable from the network. X opens it so that clients running on other systems can display their windows on your desktop.

The following shows what nmap reports when run against an NST probe on which X was started in the normal fashion (notice that nmap found port 6000 open):

[pkb@salsa ~]$ nmap 192.168.0.52

Starting nmap 3.93 ( http://www.insecure.org/nmap/ ) at 2005-09-19 20:32 EST
Interesting ports on 192.168.0.52:
(The 1665 ports scanned but not shown below are in state: closed)
PORT     STATE SERVICE
22/tcp   open  ssh
443/tcp  open  https
6000/tcp open  X11
MAC Address: 00:0D:88:9D:25:DC (D-Link)

Nmap finished: 1 IP address (1 host up) scanned in 3.297 seconds
[pkb@salsa ~]$ 

Even with the port open, X should only accept connections from hosts you explicitly allow with the xhost command (or from clients that present the correct MIT-MAGIC-COOKIE, managed with xauth). Host-based access control is weak, though: it trusts the peer's IP address, and the listening socket is still exposed to anyone who can reach it. If you have no intention of projecting windows from other systems onto your desktop, your system is more secure if X never opens the port at all. To prevent X from opening it, pass the -nolisten tcp server option when you start X. The -- tells startx that what follows is an option for the X server rather than for the client, as shown below. (Current X.Org servers, 1.17 and later, no longer listen on TCP unless started with -listen tcp; passing -nolisten tcp explicitly is still harmless, and the nmap scan above is the reliable way to confirm what your server actually does.)

[root@probe ~]$ startx -- -nolisten tcp

X Window System Version 6.8.2
Release Date: 9 February 2005
X Protocol Version 11, Revision 0, Release 6.8.2
Build Operating System: Linux 2.6.9-1.906_ELsmp i686 [ELF] 
Current Operating System: Linux probe 2.6.12-1.1447_FC4 #1 Fri Aug 26 20:29:51 EDT 2005 i686
Build Date: 14 September 2005
Build Host: tweety.build.redhat.com
 
        Before reporting problems, check http://wiki.X.Org
        to make sure that you have the latest version.
Module Loader present
OS Kernel: Linux version 2.6.12-1.1447_FC4 (bhcompile@decompose.build.redhat.com) (gcc version 4.0.1 20050727 (Red Hat 4.0.1-5)) #1 Fri Aug 26 20:29:51 EDT 2005 P
Markers: (--) probed, (**) from config file, (==) default setting,
        (++) from command line, (!!) notice, (II) informational,
        (WW) warning, (EE) error, (NI) not implemented, (??) unknown.
(==) Log file: "/var/log/Xorg.0.log", Time: Mon Sep 19 20:37:38 2005
(==) Using config file: "/etc/X11/xorg.conf"

Logging to: /root/fluxbox.log
BScreen::BScreen: managing screen 0 using visual 0x23, depth 24
config_geom = 621x550
root_geom = 621x550+11+31, root_size = 1280x800


If you use the graphical login manager (xdm), there is no command line on which to pass -nolisten tcp. Instead, add the option to the server line in the /etc/X11/xdm/Xservers configuration file. Note the -nolisten tcp at the end of the server line in the sample configuration below:

#
# To disable ALL external TCP connections (a more secure X environment),
# append "-nolisten tcp"
#

:0 local /usr/local/bin/X -nolisten tcp

Note

If xdm is already running, you will need to restart it before any modification to its configuration file takes effect (try: init 3; init 5). Afterwards, re-run the nmap scan from another host, or check the listening sockets on the probe itself, to confirm that port 6000 is no longer open.
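The two checks above (is every xdm server line carrying -nolisten tcp, and is anything still bound to the X11 port) are easy to script. The helper below is an added example, not part of the NST page or of xdm; it reads an Xservers-style file or a socket listing (the output of "ss -ltn" or "netstat -tln") from standard input so it can be run on a saved copy as well as on a live host. The sample inputs embedded in it are constructed for illustration, not captured from a real probe.

```shell
#!/bin/sh
# Added example (not from the NST page): audit helpers for X11 TCP exposure.
# Both checks read their input from stdin so they work on saved output too.

# Print every ":N local ... X ..." server line of an xdm Xservers-style file
# (read from stdin) that does NOT carry "-nolisten tcp".
# Exit status: 0 when every server line has the option, 1 when one is missing it.
xservers_missing_nolisten() {
    missing=$(grep -E '^[[:space:]]*:[0-9]+[[:space:]]+local[[:space:]]' \
              | grep -Ev -- '-nolisten[[:space:]]+tcp') || true
    [ -z "$missing" ] && return 0
    printf '%s\n' "$missing"
    return 1
}

# TCP port used by X for display :N is 6000 + N (defaults to display :0).
x11_port() { echo $((6000 + ${1:-0})); }

# Read a listening-socket listing ("ss -ltn" or "netstat -tln" output) from
# stdin and report whether anything is bound to the X11 port for display :N.
# Exit status: 0 = a listener is present (X still exposed), 1 = none found.
x11_tcp_listener() {
    port=$(x11_port "$1")
    # Local address appears as 0.0.0.0:6000, *:6000, [::]:6000 or :::6000,
    # always followed by whitespace; the trailing blank rules out 60001 etc.
    grep -Eq ":${port}[[:space:]]"
}

# Live check on this host: prefer ss, fall back to netstat.
x11_tcp_listener_live() {
    { ss -ltn 2>/dev/null || netstat -tln 2>/dev/null; } | x11_tcp_listener "$1"
}

# Constructed sample inputs (not captured from a real host).
SAMPLE_XSERVERS_DEFAULT='# xdm Xservers, stock layout: no -nolisten tcp
:0 local /usr/X11R6/bin/X'
SAMPLE_XSERVERS_HARDENED=':0 local /usr/local/bin/X -nolisten tcp
:1 local /usr/local/bin/X -nolisten tcp'
SAMPLE_SS_OPEN='State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*
LISTEN 0      128    0.0.0.0:6000        0.0.0.0:*'
SAMPLE_SS_CLOSED='State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*
LISTEN 0      128    0.0.0.0:443         0.0.0.0:*'

# Demonstration on the constructed samples.
printf '%s\n' "$SAMPLE_XSERVERS_DEFAULT" | xservers_missing_nolisten \
    && echo "Xservers (stock): all displays use -nolisten tcp" \
    || echo "Xservers (stock): the line(s) above lack -nolisten tcp"
printf '%s\n' "$SAMPLE_XSERVERS_HARDENED" | xservers_missing_nolisten \
    && echo "Xservers (hardened): all displays use -nolisten tcp" \
    || echo "Xservers (hardened): the line(s) above lack -nolisten tcp"
printf '%s\n' "$SAMPLE_SS_OPEN" | x11_tcp_listener 0 \
    && echo "port $(x11_port 0): OPEN, X is still listening on TCP" \
    || echo "port $(x11_port 0): not listening"
printf '%s\n' "$SAMPLE_SS_CLOSED" | x11_tcp_listener 0 \
    && echo "port $(x11_port 0): OPEN, X is still listening on TCP" \
    || echo "port $(x11_port 0): not listening"
```

On the probe itself, "xservers_missing_nolisten < /etc/X11/xdm/Xservers" and "x11_tcp_listener_live 0" give the same answers for the real configuration and the real socket table; the live check is the local equivalent of the nmap scan shown earlier, and is worth running after the init 3; init 5 restart.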