[TriLUG] preventing X from opening port 6000?
geoff.purdy at verizon.net
Wed Mar 13 22:02:21 EST 2002
Mike and Jon,
Editing /etc/X11/xdm/Xservers to read:
:0 local /usr/X11R6/bin/X -nolisten tcp
did the trick. All ports show as closed in nmap now.
As a footnote, I made an error in my original post. 'startx -- -nolisten
tcp' is the proper command to start X11 from the command line without opening
port 6000. I omitted the first two dashes in the original.
On Wednesday 13 March 2002 11:02 am, you wrote:
> Geoff Purdy [geoff.purdy at verizon.net] wrote:
> > Two questions:
> > a) What is the level of risk of my system being compromised through port
> > 6000 while running the X11 service?
> Well, it's one more possible way in. If you're fully updated, you're
> probably okay for now. However, that's not to say there's nothing coming
> down the pipe (or not widely known). And, well, do you -really- need
> X listening there? No.
> However, one could probably DoS X without much work.
> > b) I believe that if I boot into runlevel 3, I can run 'startx -nolisten
> > tcp' to prevent X from opening port 6000. How can I configure the system
> > to use the '-nolisten tcp' option when booting directly into X (runlevel
> > 5).
> Edit /etc/X11/xdm/Xservers and add your -nolisten tcp to the line there.
> So, it should (probably - I'm not gonna exit X right now and try it)
> :0 local /usr/X11R6/bin/X -nolisten tcp
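
The Xservers edit discussed in this thread can be checked with a small audit script. This is an added example, not part of the original post; the function names and the sample file contents are constructed for illustration.

```shell
#!/bin/sh
# Audit an xdm Xservers file for local X server entries that would still
# listen on TCP (port 6000 + display number).

# Print the display name of every "local" entry whose command line does not
# contain the two consecutive arguments "-nolisten tcp".
xservers_missing_nolisten() {
    awk '
        /^[ \t]*#/ || NF == 0 { next }          # skip comments and blank lines
        # The type keyword is field 2, or field 3 when a display class is given.
        $2 != "local" && $3 != "local" { next }
        {
            ok = 0
            for (i = 2; i < NF; i++)
                if ($i == "-nolisten" && $(i + 1) == "tcp") ok = 1
            if (!ok) print $1
        }
    ' "$1"
}

# Run the check against a constructed sample file (hypothetical contents).
demo() {
    sample=$(mktemp) || return 1
    cat > "$sample" <<'EOF'
# constructed sample Xservers file (not from the original post)
:0 local /usr/X11R6/bin/X -nolisten tcp
:1 local /usr/X11R6/bin/X :1
:2 local /usr/X11R6/bin/X :2 -nolisten
EOF
    xservers_missing_nolisten "$sample"
    rm -f "$sample"
}

demo
```

On a real system, call xservers_missing_nolisten with the path to the Xservers file; no output means every local entry carries the option.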