# How to secure X11 from exploit(s)?

## psi29a

In doing an nmap of my network, I noticed that port 6000/tcp is open to the public on Gentoo.  I tried running it on the rest of the network and the SuSE boxen don't reveal the open port, only locally to themselves (not public).

What would I need to do to make X11 open 6000/tcp only to itself ( 0.0.0.0 ) and not the rest of the world?

----------

## klieber

*psi29a wrote:*

> What would I need to do to make X11 open 6000/tcp only to itself ( 0.0.0.0 ) and not the rest of the world?

First, as an aside, if you're interested in X11 forwarding, you should look into doing that over SSH to make it more secure.

That said, to restrict access to just your local machine, you need to startx with the -nolisten TCP option.  An easy way to do this is to create an alias in your bash profile:

```
alias startx='startx -- -nolisten tcp' 
```

Note that if you use kdm, gdm or xdm, this won't work.  However, you should be able to find the equivalent setup by searching Google.

--kurt

----------

## psi29a

I added the alias to the .bashrc (boots straight to prompt, no goofy GUI login), so far so good.  As for the X11 forwarding, thanks yet again.  I was wondering if it would have been wise to wrap 6000/tcp into stunnel or another TCP wrapper, but gave up and decided to go another route with tightVNC (which IMHO is very swank in light of recent events concerning the old VNC crew).

Take it easy man, and thanks again.

----------

## klieber

*psi29a wrote:*

> but gave up and decided to go another route with tightVNC

If you're just using VNC on your local network, it's a great solution.  However, if you're doing it across the internet, it's got security holes galore.  The password, while encrypted, is easily decryptable if it can be sniffed (the DES key used for encryption is in the source of VNC...one disadvantage of Open Source products)    

Subsequent (non-password) traffic is sent in clear text and thus opens you up to snooping/man-in-the-middle attacks.

VNC works great -- it's just not a very secure protocol.  If you're doing this across a public network, I'd look at SSH instead. 

(and, for the record, I use tightVNC on my LAN to administer my headless servers.  But I'm also behind a very paranoid firewall and IDS system)

--kurt

----------

## Nitro

*klieber wrote:*

> ```
> alias startx='startx -- -nolisten tcp'
> ```
> ...

Another way to do this is to modify your startx script itself, if that is what you are using.  Open up /usr/X11R6/bin/startx and you will see a defaultserverargs variable scream at you to change it.  :Wink:  This is more of a system-wide change than simply creating an alias for one user.

*klieber wrote:*

> (and, for the record, I use tightVNC on my LAN to administer my headless servers. But I'm also behind a very paranoid firewall and IDS system)

Outta curiosity, why do you use a GUI at all on a server?  One virtual desktop on my computer is usually dedicated to just SSH windows.

----------

## klieber

*Nitro wrote:*

> Outta curiosity, why do you use a GUI at all on a server?  One virtual desktop on my computer is usually dedicated to just SSH windows.

Because two of my servers are WinXP.  I develop in Cold Fusion among other languages, so I need something that runs Cold Fusion server reliably.  The linux port of CF is, last I checked, not ready for prime time.  And, WinXP command line administration is, last I checked, not ready for prime time either.  :Smile: 

--kurt

----------

## psi29a

The VNC is mostly for LAN admin of Windows boxes at work, but I occasionally log into my user account at home to check PAN and various other GUI knick-knacks that I normally can't install on the NT boxen here.  As for our Unix boxen, no GUI... thus SSH is our way of life.

Klieber:  Actually I've been running ColdFusion since 4.1 on my SuSE box.  I'm currently on 5.0 now and it's pretty good.  I want to switch over to using PHP code for mundane things though, but I like CF.  I had some friends stress test it (different T1s hitting the box) and the only thing that choked was the page swapping, so I boosted the RAM to 512 Megs and everything went very smoothly.

http://www.mindwerks.net

&

http://www.mindwerks.net/~psi/

Those are my sites, both with a lil ColdFusion and PHP functionality thrown in.  I will be bringing the CF 5.0 Linux boxen live here at work, once I get it strapped with Gentoo (I'm now an official fan of Gentoo).  I'm very pleased with the progress of the distro, and wish nothing but the best for the Gentoo crew and its supporters.  :Smile:

----------

## Guest

*psi29a wrote:*

> In doing an nmap of my network, I noticed that port 6000/tcp is open to the public on Gentoo.  I tried running it on the rest of the network and the SuSE boxen don't reveal the open port, only locally to themselves (not public).
>
> What would I need to do to make X11 open 6000/tcp only to itself ( 0.0.0.0 ) and not the rest of the world?

Correct me if I'm wrong, but isn't 0.0.0.0 short for "every host, anywhere"? Perhaps you meant 127.0.0.1?

Also, by default the X server doesn't accept connections from anyone, even from localhost.  To play around with who can access your display you can use the "xhost" command once you start X. 

Even though it says that port 6000 is open on the nmap scan, your server won't accept connections unless you explicitly allow it with "xhost +192.168.0.35"  or whatever address you choose to put in there.  You can remove a host from the list with a minus sign instead of a plus sign.

I'm pretty sure that's the way it works, but I could be wrong.
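A small audit script, added here as an example and not posted by anyone in the thread, that checks the three things discussed above: whether port 6000 is bound to every interface (0.0.0.0 or *, what nmap saw from outside) or only to loopback (127.0.0.1, the address the Guest post means), whether the startx script Nitro mentions already carries -nolisten tcp in defaultserverargs, and what xhost reports about access control. The sample inputs at the bottom are constructed, not captured from a real host.

```shell
#!/bin/sh
# Audit helpers for X11 TCP exposure. Feed real `ss -ltn` / `netstat -ltn`
# output, the path to your startx script, and `xhost` output to the functions.

# Classify the X11 listener from `ss -ltn` or `netstat -ltn` text on stdin.
# Column 4 is "Local Address:Port" in both tools. Prints: public, local or none.
x11_listen_exposure() {
    awk '$4 ~ /:6000$/ {
             if ($4 ~ /^(127\.|\[::1\]:)/) local = 1; else public = 1
         }
         END { print (public ? "public" : (local ? "local" : "none")) }'
}

# Check whether a startx script already sets -nolisten tcp in defaultserverargs.
# Argument: path to the script (the thread names /usr/X11R6/bin/startx).
# Returns 0 when it is set, 1 when it is not.
startx_nolisten_set() {
    grep -Eq '^[[:space:]]*defaultserverargs=.*-nolisten[[:space:]]+tcp' "$1"
}

# Classify `xhost` output on stdin: "disabled" means any host may connect,
# "enabled" means only listed hosts and local clients may.
xhost_state() {
    awk '/^access control disabled/ { print "disabled"; exit }
         /^access control enabled/  { print "enabled";  exit }'
}

# Constructed sample inputs (not captured from a real machine).
SAMPLE_PUBLIC='State Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0 128 0.0.0.0:6000 0.0.0.0:*
LISTEN 0 128 127.0.0.1:631 0.0.0.0:*'
SAMPLE_LOCAL='LISTEN 0 128 127.0.0.1:6000 0.0.0.0:*'
SAMPLE_XHOST='access control enabled, only authorized clients can connect
INET:192.168.0.35'

printf 'public sample: %s\n' "$(printf '%s\n' "$SAMPLE_PUBLIC" | x11_listen_exposure)"
printf 'local sample:  %s\n' "$(printf '%s\n' "$SAMPLE_LOCAL" | x11_listen_exposure)"
printf 'xhost sample:  %s\n' "$(printf '%s\n' "$SAMPLE_XHOST" | xhost_state)"
```

On a live box, `ss -ltn | x11_listen_exposure` answering "public" is the case the original post ran into; after `startx -- -nolisten tcp` it should answer "none".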

----------

