Loke Apprentice
Joined: 25 May 2002 Posts: 274 Location: Norway
Posted: Wed Oct 23, 2002 12:49 am Post subject: Unable to disable X listening for tcp connections
Ok,
I've got two gentoo setups, fairly equal, but one uses kde-3.0.4 and the other kde-3.1beta2, and both run XFree 4.2.1. I've successfully disabled listening for tcp connections on the kde-3.0.4 box, but following the exact same procedure for the kde-3.1beta2 box doesn't work:
Code:
cat /etc/X11/xdm/Xservers
:0 local /usr/X11R6/bin/X -nolisten tcp
And
Code:
cat /usr/X11R6/bin/startx
userclientrc=$HOME/.xinitrc
userserverrc=$HOME/.xserverrc
sysclientrc=/usr/X11R6/lib/X11/xinit/xinitrc
sysserverrc=/usr/X11R6/lib/X11/xinit/xserverrc
defaultclient=/usr/X11R6/bin/xterm
defaultserver=/usr/X11R6/bin/X
defaultclientargs=""
defaultserverargs="-nolisten tcp"
clientargs=""
serverargs=""
I use kdm as my login manager, and the code above should account for both starting X from startx and from an init script. In my /etc/rc.conf I have:
Code:
cat /etc/rc.conf
DISPLAYXSESSION=kdm
XSESSION=fluxbox
I chose fluxbox, because I want the startx command to start fluxbox, while I want KDE as a normal login through kdm. But after doing this, I portscan localhost:
Code:
Starting nmap V. 3.00 ( www.insecure.org/nmap/ )
Interesting ports on localhost (127.0.0.1):
(The 1598 ports scanned but not shown below are in state: closed)
Port State Service
22/tcp open ssh
6000/tcp open X11
Nmap run completed -- 1 IP address (1 host up) scanned in 2 seconds
And as you can see, X is still listening for incoming tcp connections... Hmmm. I've verified over and over that the scripts on this box and the other one are exactly the same. But on this box X still listens for tcp connections.
Any suggestions?
mglauche Retired Dev
Joined: 25 Apr 2002 Posts: 564 Location: Germany
Posted: Wed Oct 23, 2002 7:41 am
I think scanning localhost is uninteresting. You should check it from another machine in the same network. Disabling localhost network is usually a bad idea.
Loke Apprentice
Joined: 25 May 2002 Posts: 274 Location: Norway
Posted: Thu Oct 24, 2002 12:25 am
Same thing happens if I scan it from another host. I know nmap can produce strange results when scanning localhost, but in this case the X server is really listening for incoming tcp connections despite the fact that I've tried to disable it.
pjp Administrator
Joined: 16 Apr 2002 Posts: 20067
Posted: Thu Oct 24, 2002 1:21 am
If you add the settings to serverargs, does that make a difference?
Quis separabit? Quo animo?
synonymousca n00b
Joined: 15 Jun 2002 Posts: 62
Posted: Thu Oct 24, 2002 4:12 am
Wouldn't
Code:
netstat -a --inet -n -p | grep LISTEN
be a lot easier than running netstat against yourself?
(Note that the -p option isn't all that useful re: system services when you're not doing it as root.)
Xor Tux's lil' helper
Joined: 07 Jul 2002 Posts: 144
Posted: Thu Oct 24, 2002 11:35 am
I agree: to see what's on your system, use netstat, not nmap. I myself would suggest using (for tcp)
Code:
netstat -t -n -p -l
which also catches ipv6... as I have heard there's going to be ipv6 in X11... and according to hearsay:
-nolisten tcp = listen on ipv6
-nolisten tcp6 = listen on ipv4
but you can't disable it at all.... (if you have an ipv6 enabled X-Server)
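As an added example (not code from the thread), here is a script that turns the netstat checks suggested by synonymousca and Xor, and pjp's question about serverargs, into two repeatable tests: it parses netstat/ss listener output for anything bound to the X11 :0 port (6000, IPv4 or IPv6) and then inspects the running X server's argv for "-nolisten tcp", which tells you whether the Xservers/startx settings ever reached the server. The netstat output embedded below is constructed; passing --live runs the same checks against the current host (Linux, argv read from /proc).

```shell
#!/bin/sh
# Added example, not from the thread. Two defender-side checks for "is X still
# reachable over TCP?": parse netstat/ss listener output for the X11 :0 port (6000),
# and inspect the running X server's argv for "-nolisten tcp" (if the flag is missing
# there, the Xservers / startx settings never reached the server).

# Constructed sample of `netstat -tnlp` output on the affected box (not real output).
SAMPLE_NETSTAT='Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      812/sshd
tcp        0      0 0.0.0.0:6000            0.0.0.0:*               LISTEN      1501/X'
# The same box after X was started with -nolisten tcp (constructed).
SAMPLE_NETSTAT_FIXED='Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      812/sshd'

# x11_tcp_listeners OUTPUT: print LISTEN lines whose local address ends in :6000
# (IPv4 "0.0.0.0:6000" or IPv6 ":::6000"); local address is column 4 in both
# netstat -tnl and ss -tnl output. Exit 0 if at least one was found, else 1.
x11_tcp_listeners() {
    printf '%s\n' "$1" | awk '
        /LISTEN/ && $4 ~ /:6000$/ { found = 1; print }
        END { exit !found }'
}

# has_nolisten_tcp ARGV: exit 0 only if the exact pair "-nolisten tcp" is present
# ("-nolisten tcp6" on its own does not count).
has_nolisten_tcp() {
    case " $1 " in
        *" -nolisten tcp "*) return 0 ;;
        *)                   return 1 ;;
    esac
}

# report: run both checks against the live system (Linux: argv read from /proc).
report() {
    out=$(netstat -tnl 2>/dev/null || ss -tnl 2>/dev/null)
    if x11_tcp_listeners "$out"; then
        echo "X11 port 6000 is open on this host"
    else
        echo "no TCP listener on port 6000"
    fi
    pid=$(pidof X 2>/dev/null | cut -d' ' -f1)
    [ -n "$pid" ] || return 0
    argv=$(tr '\0' ' ' < "/proc/$pid/cmdline")
    if ! has_nolisten_tcp "$argv"; then
        echo "running X server lacks -nolisten tcp: $argv"
    fi
}

case "${1-}" in --live) report ;; esac
```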
mglauche Retired Dev
Joined: 25 Apr 2002 Posts: 564 Location: Germany
Posted: Thu Oct 24, 2002 11:37 am
How about just putting an iptables rule in place?
Like iptables -I INPUT -p tcp --dport 6000 -j DROP
Xor Tux's lil' helper
Joined: 07 Jul 2002 Posts: 144
Posted: Thu Oct 24, 2002 12:01 pm
Well, that answer matches perfectly to your avatar....
kormoc Apprentice
Joined: 17 Jun 2002 Posts: 250
Posted: Thu Oct 24, 2002 4:19 pm
Deleted
Last edited by kormoc on Mon Dec 24, 2018 9:19 am; edited 1 time in total
pjp Administrator
Joined: 16 Apr 2002 Posts: 20067
Posted: Sun Oct 27, 2002 5:00 am
This post might help.
Quis separabit? Quo animo?
Loke Apprentice
Joined: 25 May 2002 Posts: 274 Location: Norway
Posted: Sun Oct 27, 2002 4:46 pm
Thanks for every answer so far. As for using netstat, I don't see how that will prove an nmap of localhost provides false readings, since I can portscan from a remote host and still see kdm listening for tcp connections. And as for configuring XFS with -nolisten tcp, which is also a good tip, although I don't use XFS.
The last suggestion, about disabling network transparency, might just be what I'm looking for, so thumbs up for that one. Because I do indeed have network transparency enabled on that box, and not the other, so I'll definitely try that!
Cheers all!