Gentoo Forums
How to secure X11 from exploit(s)?
Forum Index: Networking & Security
psi29a
n00b


Joined: 17 Apr 2002
Posts: 14

PostPosted: Mon May 06, 2002 5:14 pm    Post subject: How to secure X11 from exploit(s)?

In doing a nmap of my network, I noticed that port 6000/tcp is open to the public on Gentoo. I try to run it on the rest of the network and the SuSE boxen don't reveal the open port, only locally to themselves (not public).

What would I need to do to make X11 open 6000/tcp only to itself ( 0.0.0.0 ) and not the rest of the world?
_________________
Mindwerks
klieber
Administrator


Joined: 17 Apr 2002
Posts: 3657
Location: San Francisco, CA

PostPosted: Mon May 06, 2002 9:05 pm    Post subject: Re: How to secure X11 from exploit(s)?

psi29a wrote:
What would I need to do to make X11 open 6000/tcp only to itself ( 0.0.0.0 ) and not the rest of the world?


First, as an aside, if you're interested in X11 forwarding, you should look into doing that over SSH to make it more secure.

That said, to restrict access to just your local machine, you need to startx with the -nolisten tcp option. An easy way to do this is to create an alias in your bash profile:

Code:
alias startx='startx -- -nolisten tcp'


Note that if you use kdm, gdm or xdm, this won't work. However, you should be able to find the equivalent setup by searching google.

--kurt
_________________
The problem with political jokes is that they get elected
psi29a
n00b


Joined: 17 Apr 2002
Posts: 14

PostPosted: Mon May 06, 2002 9:18 pm    Post subject: Thanks much.

I added the alias to the .bashrc (boots straight to prompt, no goofy gui login), so far so good. As for the X11 forwarding, thanks yet again. I was wondering if it would have been wise to wrap 6000/tcp into stunnel or another tcp wrapper, but gave up and decided to go another route with tightVNC (IMHO is very swank in light of recent events concerning the old VNC crew).

Take it easy man, and thanks again.
_________________
Mindwerks
klieber
Administrator


Joined: 17 Apr 2002
Posts: 3657
Location: San Francisco, CA

PostPosted: Mon May 06, 2002 9:46 pm    Post subject: Re: Thanks much.

psi29a wrote:
but gave up and decided to go another route with tightVNC


If you're just using VNC on your local network, it's a great solution. However, if you're doing it across the internet, it's got security holes galore. The password, while encrypted, is easily decryptable if it can be sniffed (the DES key used for encryption is in the source of VNC...one disadvantage of Open Source products)

Subsequent (non-password) traffic is sent in clear text and thus opens you up to snooping/man-in-the-middle attacks.

VNC works great -- it's just not a very secure protocol. If you're doing this across a public network, I'd look at SSH instead.

(and, for the record, I use tightVNC on my LAN to administer my headless servers. But I'm also behind a very paranoid firewall and IDS system)

--kurt
_________________
The problem with political jokes is that they get elected
Nitro
Bodhisattva


Joined: 08 Apr 2002
Posts: 661
Location: San Francisco

PostPosted: Mon May 06, 2002 10:52 pm    Post subject: Re: How to secure X11 from exploit(s)?

klieber wrote:

Code:
alias startx='startx -- -nolisten tcp'


Another way to do this is to modify your startx script itself if that is what you are using. Open up: /usr/X11R6/bin/startx, and you will see a defaultserverargs variable scream at you to change. ;) This is more of a system-wide change than simply creating an alias for one user.

klieber wrote:
(and, for the record, I use tightVNC on my LAN to administer my headless servers. But I'm also behind a very paranoid firewall and IDS system)

Outta curiosity, why do you use a GUI at all on a server? One virtual desktop on my computer is usually dedicated to just SSH windows.
_________________
- Kyle Manna

Please, please SEARCH before posting.

There are three kinds of people in the world: those who can count, and those who can't.
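The two fixes above (klieber's per-user alias and Nitro's system-wide defaultserverargs edit) both stop the X server from binding TCP port 6000+display at all. Below is an added example, not code from the thread, that first audits a box the way the original poster did (from `ss -ltn` or `netstat -ltn` output rather than an nmap scan, so you also see which address the socket is bound to) and then lists the places the flag can go. The sample listener table is constructed; the startx and xdm paths are assumptions taken from the thread and from a classic XFree86 layout, so check them against your install.

```shell
#!/bin/sh
# Added example (not from the thread): find X servers reachable over TCP, then the
# three places -nolisten tcp can be set. Assumes ss(8) or netstat(8) and the
# classic /usr/X11R6 layout named in the thread; adjust for your install.

# Reads the output of `ss -ltn` or `netstat -ltn` on stdin and prints one line per
# X11 listener: "<addr:port> <display> <local|public>". X display N listens on
# TCP port 6000+N, so only 6000-6063 are considered. A socket bound to 0.0.0.0,
# * or :: is reachable from every interface (that is what the poster's nmap saw);
# only a loopback bind is "local".
x11_tcp_listeners() {
    awk '{
        addr = $4; port = addr; sub(/.*:/, "", port); port = port + 0
        if (port < 6000 || port > 6063) next
        if (addr ~ /^127\./ || addr ~ /^\[::1\]/ || addr ~ /^::1:/) scope = "local"
        else scope = "public"
        print addr, port - 6000, scope
    }'
}

# Constructed sample of what the original poster would have seen: sshd, an X server
# on :0 bound to every interface, and a second server on :1 bound to loopback.
SAMPLE='State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*
LISTEN 0      128    0.0.0.0:6000        0.0.0.0:*
LISTEN 0      128    127.0.0.1:6001      0.0.0.0:*'

printf '%s\n' "$SAMPLE" | x11_tcp_listeners
# prints:
# 0.0.0.0:6000 0 public
# 127.0.0.1:6001 1 local

# On a live box:  ss -ltn | x11_tcp_listeners   (or: netstat -ltn | x11_tcp_listeners)
#
# Three ways to stop the X server listening on TCP at all:
#
# 1. Per user, in the shell that runs startx (klieber's alias):
#        alias startx='startx -- -nolisten tcp'
#
# 2. System-wide for everyone who uses startx (Nitro's edit): in
#    /usr/X11R6/bin/startx change the default server arguments, e.g.
#        defaultserverargs="-nolisten tcp"
#
# 3. If xdm starts the server instead, pass the flag in its Xservers file
#    (path and layout are an assumption; check your xdm configuration):
#        :0 local /usr/X11R6/bin/X -nolisten tcp
#
# After restarting X, re-run the audit: no 6000-6063 line means the TCP socket is
# gone and local clients keep using the UNIX socket under /tmp/.X11-unix/.
```

The audit is worth keeping around after the fix: a display manager, a different startx, or an `xinit` invoked by hand can quietly bring the TCP listener back, and one line of `ss` tells you immediately.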
klieber
Administrator


Joined: 17 Apr 2002
Posts: 3657
Location: San Francisco, CA

PostPosted: Mon May 06, 2002 11:01 pm    Post subject: Re: How to secure X11 from exploit(s)?

Nitro wrote:
Outta curiosity, why do you use a GUI at all on a server? One virtual desktop on my computer is usually dedicated to just SSH windows.


Because two of my servers are WinXP. I develop in Cold Fusion among other languages, so I need something that runs Cold Fusion server reliably. The linux port of CF is, last I checked, not ready for prime time. And, WinXP command line administration is, last I checked, not ready for prime time either. :)

--kurt
_________________
The problem with political jokes is that they get elected
psi29a
n00b


Joined: 17 Apr 2002
Posts: 14

PostPosted: Tue May 07, 2002 2:26 pm    Post subject: *nods*

The VNC is mostly for LAN admin of windows boxes at work, but I occasionally log into my user account at home to check PAN and various other GUI knick-knacks that I normally can't install on the NT boxen here. As for our Unix boxen, no GUI... thus SSH is our way of life.

Klieber: Actually I've been running Coldfusion since 4.1 on my SuSE box. I'm currently on 5.0 now and it's pretty good. I want to switch over to using PHP code for mundane things though, but I like CF. I had some friends stress test it (different T1s hitting the box) and the only thing that choked was the page swapping, so I boosted the ram to 512Megs and everything went very smoothly.


http://www.mindwerks.net

&

http://www.mindwerks.net/~psi/

Those are my sites, both with a lil coldfusion and php functionality thrown in. I will be bringing the CF5.0 linux boxen live here at work, once I get it strapped with Gentoo (I'm now an official fan of Gentoo). I'm very pleased with the progress of the distro, and wish nothing but the best for the Gentoo crew and its supporters. :)
_________________
Mindwerks
Guest
PostPosted: Tue May 07, 2002 9:28 pm    Post subject: Re: How to secure X11 from exploit(s)?

psi29a wrote:
In doing a nmap of my network, I noticed that port 6000/tcp is open to the public on Gentoo. I try to run it on the rest of the network and the SuSE boxen don't reveal the open port, only locally to themselves (not public).

What would I need to do to make X11 open 6000/tcp only to itself ( 0.0.0.0 ) and not the rest of the world?


Correct me if I'm wrong, but isn't 0.0.0.0 short for "every host, anywhere"? Perhaps you meant 127.0.0.1?

Also, by default the X server doesn't accept connections from anyone, even from localhost. To play around with who can access your display you can use the "xhost" command once you start X.

Even though it says that port 6000 is open on the nmap scan, your server won't accept connections unless you explicitly allow it with "xhost +192.168.0.35" or whatever address you choose to put in there. You can remove a host from the list with a minus sign instead of a plus sign.

I'm pretty sure that's the way it works, but I could be wrong.
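The distinction in the post above, between a port that nmap reports open and an X server that actually admits a client, can be checked directly rather than guessed at: an X client opens the TCP connection and sends a 12-byte connection setup request, and the server's first reply byte says Failed (0), Success (1) or Authenticate (2), with a human-readable reason on failure. The following is an added example, not code from the thread, that sends a setup request carrying no authorization data and classifies the reply. It assumes nc(1) for the live probe; the two reply samples at the bottom are constructed to match the protocol layout, and "No protocol specified" is the reason string the XFree86/X.Org server sends when neither xhost nor a cookie admits the client.

```shell
#!/bin/sh
# Added example (not from the thread): tell an "open" port 6000 apart from an X
# server that really accepts unauthenticated clients. Sends the 12-byte X11
# connection setup request with empty authorization data and decodes the setup
# reply: first byte 0 = Failed, 1 = Success, 2 = Authenticate. Assumes nc(1)
# for the live probe; od(1) and dd(1) pick the reply apart.

# Classify a raw setup reply read from stdin; prints a one-line verdict.
x11_classify_reply() {
    tmp=$(mktemp)
    cat > "$tmp"
    status=$(od -An -tu1 -N1 "$tmp" | tr -d ' ')
    case "$status" in
        1) echo "accepted: server lets an unauthenticated client in (check xhost)" ;;
        2) echo "authenticate: server demands additional authentication" ;;
        0)  # Failed reply: byte 1 is the reason length, reason text starts at byte 8
            rlen=$(od -An -tu1 -j1 -N1 "$tmp" | tr -d ' ')
            reason=$(dd if="$tmp" bs=1 skip=8 count="$rlen" 2>/dev/null)
            echo "refused: $reason" ;;
        *) echo "no-reply: connection closed or not an X server" ;;
    esac
    rm -f "$tmp"
}

# Live probe:  x11_probe <host> <display>    e.g.  x11_probe 192.168.0.35 0
x11_probe() {
    # Setup request, little-endian: 'l', pad, major 11, minor 0,
    # auth-name length 0, auth-data length 0, 2 bytes pad.
    printf '\154\000\013\000\000\000\000\000\000\000\000\000' \
        | nc -w 3 "$1" $((6000 + $2)) | x11_classify_reply
}

# Constructed replies, laid out as a server would send them:
# 1) Failed with "No protocol specified": 21-byte reason, padded to 24 bytes,
#    so the additional-data length field is 6 four-byte units.
refused_reply() {
    printf '\000\025\013\000\000\000\006\000No protocol specified\000\000\000'
}
# 2) Success: only the status byte matters for this check.
accepted_reply() {
    printf '\001'
}

refused_reply  | x11_classify_reply   # refused: No protocol specified
accepted_reply | x11_classify_reply   # accepted: server lets an unauthenticated client in (check xhost)
printf ''      | x11_classify_reply   # no-reply: connection closed or not an X server
```

Run the live probe from another machine on the LAN: "refused" means the port is open but the server's access list is doing its job; "accepted" means someone has run `xhost +` (or `xhost +<that host>`) and any client on that network can open windows, grab keystrokes, or screenshot the display; "no-reply" after applying `-nolisten tcp` confirms the listener is gone. nmap's own `x11-access` script performs the same exchange.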