# Open X11 port

## doug-x07

Hi, I just did a fresh install of Gentoo on a box and ran a check to see what ports were open. I was surprised to see X11 open on port 6000. I had already stuck the line serverargs="-nolisten tcp" in /usr/X11R6/bin/startx, which I thought stopped X listening for remote connections on that port. I'm starting X through kdm; are there any other configuration files that have an effect on opening this port that I have overlooked? If anyone has any ideas of where I can look, please give me a suggestion.

Thanx

----------

## doug-x07

Just wanted to add that I have already been through this article:

https://forums.gentoo.org/viewtopic.php?t=19497&highlight=x11+port

and nothing there resolves the problem. I did the portscan using both netstat and nmap; 6000 is up in both cases.

----------

## Rajesh

Assuming that you use GDM as your X display manager, edit the file /etc/X11/gdm/gdm.conf and look for a line such as:

```
command=/usr/X11R6/bin/X
```

and replace it with:

```
command=/usr/X11R6/bin/X -nolisten tcp
```

If you use another display manager (such as kdm), edit the appropriate conf file (I think it would be /etc/X11/kdm/kdm.conf) but I don't use KDM or KDE so I am not too sure about this.

After you make the above change, you will need to restart your display manager by logging out of X, going to a console prompt as root and doing:

```
/etc/init.d/xdm stop
/etc/init.d/xdm start
```

After this, you should no longer see the 6000 port in your "netstat -tl" output.

----------

## doug-x07

Thanks Rajesh that's gdm secured and audited!! Anyone know where the kdm config files are or does it just use xdm files? For xdm it looks like the server is started in /etc/X11/xdm/Xservers. I really want to make sure all calls to /usr/X11R6/bin/X are made with -nolisten tcp.

----------

## Rajesh

Here's what you can do to find the relevant config file:

```
su
cd /etc/X11
grep -r -i "/usr/X11R6/bin/X" *
```

This will give you a list of all files where a reference is being made to X. You might find the one that says something like "command=/usr/X11R6/bin/X".

Hope this helps you find the right file for KDM.

----------

## humpback

You can always be on the paranoid side like I am and configure the firewall to drop all connections coming to port 7000.

----------

## doug-x07

I sure am on the paranoid side like you when it comes to securing ports. I just wanted to shut them down immediately, for the time it takes me to come up with a decent firewall configuration. It's a shame that X does not install with the ports closed by default. I wonder how many unsuspecting users are running boxes with this gaping security hole waiting to be exploited?

----------

## Ethernal

Well, it's not a hole in that sense. You still have to do the xhost command to make someone able to actually connect to your X.

----------

## humpback

nmap can tell you :) Oops, did I just tell you to do an internet scan on port 6000?

That is indeed an issue, but I suspect that for each user running X on an unprotected machine there are 1000 users running IIS and SQL Server, and today those are the targets for script kiddies and warez d00dz.

Also, you should probably spend some time configuring a firewall.

----------

## doug-x07

*Quote:*

> Oops, did I just tell you to do an internet scan on port 6000?

No 7000 but understood what you meant. I hope you're not running nmap on localhost, it can be a bit unreliable if you do. I'm getting round to the firewall config, still reading the doc, but I still think it's safer closing ports directly.

*Quote:*

> you still have to do the xhost command to make someone able to actually connect to your X

Correct me if I'm wrong, but can't you just flood it with SYN/ACKS without running xhost?

----------

## ebichu

*doug-x07 wrote:*

> Thanks Rajesh that's gdm secured and audited!! Anyone know where the kdm config files are or does it just use xdm files? For xdm it looks like the server is started in /etc/X11/xdm/Xservers. I really want to make sure all calls to /usr/X11R6/bin/X are made with -nolisten tcp.

Is it worth checking that /usr/X11R6/lib/X11/xdm is symlinked to /etc/X11/xdm?

According to /usr/kde/3/share/config/kdm/README, kdm uses /usr/X11R6/lib/X11/xdm/Xservers, not /etc/X11/xdm/Xservers.

----------
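The grep approach from the thread, extended into an audit that reports only the X server launch lines still missing `-nolisten tcp`. This is an added example and not part of any post above; the sample config tree is constructed in a temporary directory (its file names, including `kdm/sample.conf`, are made up), and on a real box you would pass directories such as /etc/X11 and /usr/X11R6/lib/X11/xdm instead.

```shell
#!/bin/sh
# Audit display-manager configs for X server launches lacking "-nolisten tcp".
X_BIN="/usr/X11R6/bin/X"   # server path used throughout the thread

# audit_nolisten DIR...
# Prints file:line:text for each offending line; returns 1 if any were found.
audit_nolisten() {
    # 1) every line mentioning the server path
    # 2) keep only exact launches (path followed by whitespace or end of line,
    #    so /usr/X11R6/bin/Xnest and similar are ignored)
    # 3) drop commented-out lines
    # 4) drop lines that already carry the flag
    hits=$(grep -rnHsF -- "$X_BIN" "$@" \
        | grep -E ":[0-9]+:.*${X_BIN}([[:space:]]|\$)" \
        | grep -Ev ':[0-9]+:[[:space:]]*#' \
        | grep -Ev -- '-nolisten[[:space:]]+tcp') || true
    [ -z "$hits" ] && return 0
    printf '%s\n' "$hits"
    return 1
}

# make_sample: builds a constructed config tree (not real system files)
# and prints its path.
make_sample() {
    d=$(mktemp -d) || return 1
    mkdir -p "$d/gdm" "$d/xdm" "$d/kdm"
    printf '[servers]\ncommand=/usr/X11R6/bin/X -nolisten tcp\n' > "$d/gdm/gdm.conf"
    printf ':0 local /usr/X11R6/bin/X\n' > "$d/xdm/Xservers"
    printf '# command=/usr/X11R6/bin/X\nXnest=/usr/X11R6/bin/Xnest\n' > "$d/kdm/sample.conf"
    printf '%s\n' "$d"
}

sample=$(make_sample)
if audit_nolisten "$sample"; then
    echo "all X server launches carry -nolisten tcp"
else
    echo "fix the lines above, then restart the display manager"
fi
rm -rf "$sample"
```

After fixing a reported line, restart the display manager and confirm with `netstat -tl` that port 6000 is gone, as described earlier in the thread.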

