Gentoo Forums
Unable to disable X listening for tcp connections
Loke
Apprentice


Joined: 25 May 2002
Posts: 274
Location: Norway

Posted: Wed Oct 23, 2002 12:49 am    Post subject: Unable to disable X listening for tcp connections

Ok,

I've got two Gentoo setups, fairly equal, but one uses kde-3.0.4 and the other kde3.1beta2, and both run XFree 4.2.1. I've successfully disabled listening for tcp connections on the kde-3.0.4 box, but following the exact same procedure for the kde-3.1beta2 box doesn't work:

Code:

cat /etc/X11/xdm/Xservers

:0 local /usr/X11R6/bin/X -nolisten tcp


And

Code:

cat /usr/X11R6/bin/startx

userclientrc=$HOME/.xinitrc
userserverrc=$HOME/.xserverrc
sysclientrc=/usr/X11R6/lib/X11/xinit/xinitrc
sysserverrc=/usr/X11R6/lib/X11/xinit/xserverrc
defaultclient=/usr/X11R6/bin/xterm
defaultserver=/usr/X11R6/bin/X
defaultclientargs=""
defaultserverargs="-nolisten tcp"
clientargs=""
serverargs=""


I use kdm as my login manager, and the code above should account for both starting X from startx and from an init script. In my /etc/rc.conf I have:

Code:

cat /etc/rc.conf

DISPLAYXSESSION=kdm
XSESSION=fluxbox


I chose fluxbox, because I want the startx command to start fluxbox, while I want KDE as a normal login through kdm. But after doing this, I portscan localhost:

Code:

Starting nmap V. 3.00 ( www.insecure.org/nmap/ )
Interesting ports on localhost (127.0.0.1):
(The 1598 ports scanned but not shown below are in state: closed)
Port       State       Service
22/tcp     open        ssh
6000/tcp   open        X11

Nmap run completed -- 1 IP address (1 host up) scanned in 2 seconds


And as you can see, X is still listening for incoming tcp connections... Hmmm. I've verified over and over that the scripts on this box and the other one are exactly the same. But on this box X still listens for tcp connections.

Any suggestions?
mglauche
Retired Dev


Joined: 25 Apr 2002
Posts: 564
Location: Germany

Posted: Wed Oct 23, 2002 7:41 am

I think scanning localhost is uninteresting. You should check it from another machine in the same network. Disabling localhost network is usually a bad idea :)
Loke
Apprentice


Joined: 25 May 2002
Posts: 274
Location: Norway

Posted: Thu Oct 24, 2002 12:25 am

Same thing happens if I scan it from another host. I know nmap can produce strange results when scanning localhost, but in this case the X server is really listening for incoming tcp connections despite the fact that I've tried to disable it.
pjp
Administrator


Joined: 16 Apr 2002
Posts: 20067

Posted: Thu Oct 24, 2002 1:21 am

If you add the settings to serverargs, does that make a difference?
_________________
Quis separabit? Quo animo?
synonymousca
n00b


Joined: 15 Jun 2002
Posts: 62

Posted: Thu Oct 24, 2002 4:12 am

Wouldn't

Code:
netstat -a --inet -n -p | grep LISTEN


be a lot easier than running netstat against yourself?

(Note that the -p option isn't all that useful re: system services when you're not doing it as root.)
Xor
Tux's lil' helper


Joined: 07 Jul 2002
Posts: 144

Posted: Thu Oct 24, 2002 11:35 am

I agree, to see what's on your system use netstat.. not nmap.. I myself would suggest to use (for tcp)

Code:
 netstat -t -n -p -l


which also catches ipv6... as I have heard there's going to be ipv6 in X11... and according to hearsay:

-nolisten tcp = listen on ipv6
-nolisten tcp6 = listen on ipv4

but you can't disable it at all.... (if you have an ipv6 enabled X-Server)
mglauche
Retired Dev
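Added example (not part of the original thread): a small filter for the `netstat -t -n -p -l` output suggested above, reporting any listener on an X11 display port, on IPv4 or IPv6, together with the owning process. The port range 6000-6063 (displays :0 to :63), the function names and the sample netstat lines are assumptions constructed for illustration.

```shell
#!/bin/sh
# Constructed sample of `netstat -t -n -p -l` output (not taken from the thread).
sample_netstat() {
    cat <<'EOF'
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      412/sshd
tcp        0      0 0.0.0.0:6000            0.0.0.0:*               LISTEN      733/X
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN      500/cupsd
tcp6       0      0 :::6000                 :::*                    LISTEN      733/X
EOF
}

# Read netstat output on stdin; print one line per X11 TCP listener:
#   :<display> <proto> <bind address> <pid/program>
x11_listeners() {
    awk '
        $1 ~ /^tcp/ && $6 == "LISTEN" {
            # The port is the text after the last colon (works for ":::6000" too).
            n = split($4, parts, ":")
            port = parts[n] + 0
            # Assumed range: display :N listens on TCP port 6000+N.
            if (port >= 6000 && port <= 6063) {
                addr = substr($4, 1, length($4) - length(parts[n]) - 1)
                # Without root, netstat -p prints "-" instead of pid/program.
                printf ":%d %s %s %s\n", port - 6000, $1, addr, ($7 == "" ? "-" : $7)
            }
        }'
}

# Exit status 0 only when no X11 TCP listener is present in the input.
x11_tcp_closed() {
    [ -z "$(x11_listeners)" ]
}

# Demo on the constructed sample. On a live system, as root:
#   netstat -t -n -p -l | x11_listeners
sample_netstat | x11_listeners
```

Piping real output through `x11_tcp_closed` after restarting the display manager gives a pass/fail check that the `-nolisten tcp` change took effect for the server kdm actually started.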


Joined: 25 Apr 2002
Posts: 564
Location: Germany

Posted: Thu Oct 24, 2002 11:37 am

How about just putting an iptables rule in place?

like iptables -I INPUT -p tcp --dport 6000 -j DROP
Xor
Tux's lil' helper


Joined: 07 Jul 2002
Posts: 144

Posted: Thu Oct 24, 2002 12:01 pm

Well, that answer matches perfectly to your avatar....
kormoc
Apprentice


Joined: 17 Jun 2002
Posts: 250

Posted: Thu Oct 24, 2002 4:19 pm

Deleted

Last edited by kormoc on Mon Dec 24, 2018 9:19 am; edited 1 time in total
pjp
Administrator


Joined: 16 Apr 2002
Posts: 20067

Posted: Sun Oct 27, 2002 5:00 am

This post might help.
_________________
Quis separabit? Quo animo?
Loke
Apprentice


Joined: 25 May 2002
Posts: 274
Location: Norway

Posted: Sun Oct 27, 2002 4:46 pm

Thanks for every answer so far. As for using netstat, I don't see how that will prove an nmap of localhost provides false readings - since I can portscan from a remote host and still see kdm listening for tcp connections. And as for configuring XFS with -nolisten tcp, which is also a good tip, although I don't use XFS ;-)

The last suggestion, about disabling network transparency, might just be what I'm looking for, so thumbs up for that one :) Because I do indeed have network transparency enabled on that box, and not the other - so I'll definitely try that!

Cheers all!
All times are GMT