How do I close port 6000? I have tried editing /etc/X11/xdm/Xservers and /opt/kde3/share/config/kdm/Xservers, and adding the "-nolisten tcp" switch, but nothing happens... Is there another configuration file to close this port? Thanks
I'm a bit stumped by this too. I think the place to start is the files in
/opt/kde3/share/config/kdm.
Looking there I see another Xservers file. Unfortunately changing this
doesn't seem to work either. The README suggests changing the files in
/etc/X11/xdm and then running a program called
<kdebase-sources>/kdm/kfrontend/genkdmconf that I can't find. Possibly a
source package needs installing.
Anyway it's definitely a kdm issue because I've tried running X on its own
(with kdm stopped) using the -nolisten tcp parameter and it doesn't open a
tcp socket - which is what you want.
I've had problems with kdm config before. Another suggestion (that I can't
try from here at the moment) is to look carefully through the YaST2
configuration for kdm for command line parameters to X. That's probably the
"supported" route and bypasses all this weirdness where it's kinda ignoring
the Xservers file.
Tell us if you find the answer, I'd be interested!
Another way out of this, possibly...
You have presumably seen that a Linux box is "listening" for TCP connections
on port 6000 by using the command
netstat -tlnp or something like that right?
That just shows that the linux box will listen indiscriminately for
connections in the absence of a firewall. If you have a firewall in place
on that box (or even better between that box and the internet, on a
dedicated router/gateway/firewall box) then the port will not be "open" to
the internet anyway. All firewalls will block port 6000 as the standard
X-Windows protocol is notoriously insecure.
Regards,
Carl
-- Check the headers for your unsubscription address For additional commands, e-mail: suse-security-help@suse.com Security-related bug reports go to security@suse.de, not here
david wrote:
is there another configuration file to close this port ?
/etc/opt/kde3/share/config/kdm
This may/should be a link (or /opt/... should be)
With yast you can configure that there is no remote access to X.
If you want to have ports not closed but in stealth mode, you will have to patch iptables with the grsecurity iptables-patch (you will need kernel sources as well). This patch implements stealth mode for filtering (afaik this will not even work with ack-packet scans).
Philippe
I don't want to filter the port, I want to close it. I don't understand why I can easily close port 6000 on Slackware and Mandrake but SuSE just can't.
On Tuesday 20 January 2004 9:03 am, Philippe Vogel wrote:
david wrote:
is there another configuration file to close this port ?
/etc/opt/kde3/share/config/kdm
This may/should be a link (or /opt/... should be)
With yast you can configure there is no remote access to X.
If you want to have ports not closed but in stealth mode, you will have to patch iptables with the grsecurity iptables-patch (you will need kernel sources as well). This patch implements stealth mode for filtering (afaik this will not even work with ack-packet scans).
Philippe
Hi David,
You have to edit /etc/opt/kde3/share/config/kdm/Xservers
:0 local /usr/X11R6/bin/X :0 vt07 -nolisten tcp
ps: In suse box 8.2
By Lindomar, http://wecanstopspam.org
I've had problems with this too. The workaround I use now is that, instead of starting Xwindows with startx from the console, I use the following script.
You have to edit /etc/opt/kde3/share/config/kdm/Xservers
:0 local /usr/X11R6/bin/X :0 vt07 -nolisten tcp

Thanks. This works for me. For some reason I never thought of looking under /etc, and as others have noted, changing this in /opt/kde3/share/config/kdm/Xservers doesn't really do anything.
Now, if I can find out (or you folks can tell me ;-)) why port 111 - sunrpc is open...
Cheers,
Richard
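An audit for the fix confirmed above, added here as an example and not taken from any message in the thread: it reports every active local display entry in an Xservers file that is started without "-nolisten tcp". The function names and the sample file contents are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): flag local X server entries in
# Xservers files that are started without "-nolisten tcp".

# Print each active "local" display line in file $1 that lacks the flag.
# Exit status: 0 if every local entry has it, 1 if at least one does not.
xservers_missing_nolisten() {
    awk '
        /^[ \t]*#/ || NF == 0 { next }      # skip comments and blank lines
        $2 ~ /^local/ && $0 !~ /-nolisten[ \t]+tcp/ {
            print FILENAME ": " $0
            bad = 1
        }
        END { exit bad + 0 }
    ' "$1"
}

# Audit every readable file given as an argument; unreadable ones are skipped.
# On the systems discussed in the thread the candidates would be:
#   /etc/X11/xdm/Xservers /opt/kde3/share/config/kdm/Xservers
#   /etc/opt/kde3/share/config/kdm/Xservers
audit_xservers() {
    found=0
    for f in "$@"; do
        [ -r "$f" ] || continue
        xservers_missing_nolisten "$f" || found=1
    done
    return "$found"
}

# Demo on constructed sample files (contents are illustrative only).
demo() {
    dir=$(mktemp -d) || return 2
    printf '%s\n' '# constructed sample' \
        ':0 local /usr/X11R6/bin/X :0 vt07' > "$dir/Xservers.unpatched"
    printf '%s\n' ':0 local /usr/X11R6/bin/X :0 vt07 -nolisten tcp' \
        > "$dir/Xservers.patched"
    audit_xservers "$dir/Xservers.unpatched" "$dir/Xservers.patched"
    rc=$?
    rm -rf "$dir"
    return "$rc"
}

demo || echo "at least one local X server entry still listens on TCP"
```

A clean result only says the files carry the flag; as the thread shows, not every Xservers file is the one kdm reads, so confirm with netstat after restarting kdm.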
On Jan 20, Richard
Now, if I can find out (or you folks can tell me ;-)) why port 111 - sunrpc is open...
# netstat -anp | grep :111
tcp 0 0 0.0.0.0:111 0.0.0.0:* LISTEN 940/portmap
Just remove the portmap service (insserv -r portmap ; rcportmap stop). But you can only do this if you don't use NFS mounts! (they rely on portmap)
Markus
Thanks. I have now finished the big closing of the ports over here, and learned a new command (insserv) as well. Fruitful evening it has been.
Cheers, richard
Richard wrote:
Now, if I can find out (or you folks can tell me ;-)) why port 111 - sunrpc is open...
portmap is probably running, disable it by going to yast -> system -> Runlevel Editor. Now NFS won't work unless you enable portmap again.
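The netstat check used throughout this thread, generalised as an added example (not code from any poster): it reads `netstat -tlnp` output and lists the listeners bound to every interface whose port is not on an allow list. Apart from the portmap line quoted above, the sample lines are constructed, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the thread): find TCP listeners that accept
# connections on every interface, from `netstat -tlnp` output.

# stdin: netstat -tlnp text. stdout: "PORT SCOPE PROGRAM" per listener.
# SCOPE is "all" (0.0.0.0 or ::), "local" (loopback) or "addr" (one address).
classify_listeners() {
    awk '
        $1 ~ /^tcp/ && $6 == "LISTEN" {
            n = split($4, a, ":")           # port is the last ":" field
            port = a[n]
            addr = substr($4, 1, length($4) - length(port) - 1)
            scope = "addr"
            if (addr == "0.0.0.0" || addr == "::") scope = "all"
            else if (addr ~ /^127\./ || addr == "::1") scope = "local"
            prog = $7
            sub(/^[0-9]+\//, "", prog)      # strip the "PID/" prefix
            print port, scope, prog
        }
    '
}

# Print "PORT PROGRAM" for all-interface listeners whose port is not in the
# space-separated allow list given as $1.
unexpected_listeners() {
    classify_listeners | while read -r port scope prog; do
        [ "$scope" = all ] || continue
        case " $1 " in *" $port "*) continue ;; esac
        echo "$port $prog"
    done
}

# Constructed sample; only the portmap line appears in the thread itself.
sample_netstat() {
    cat <<'EOF'
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:6000 0.0.0.0:* LISTEN 1201/X
tcp 0 0 0.0.0.0:111 0.0.0.0:* LISTEN 940/portmap
tcp 0 0 0.0.0.0:3306 0.0.0.0:* LISTEN 1350/mysqld
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 1010/sshd
tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN 1102/master
EOF
}

# Only ssh is expected to be reachable in this demo.
sample_netstat | unexpected_listeners "22"
```

On a live system, pipe `netstat -tlnp` (run as root so the program column is filled in) into `unexpected_listeners` with the ports you intend to leave reachable.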
Hello,
You have to edit /etc/opt/kde3/share/config/kdm/Xservers
:0 local /usr/X11R6/bin/X :0 vt07 -nolisten tcp

I also had the problem until now, but this solution works for me too. The only ports open at this time are ssh / 22 and mysql / 3306, and I want to close port 3306. Could you please tell me how to do this?
Thanks, gregor
Add to the init script /etc/init.d/mysql in the else branch of the start)
On Jan 20, gregor
participants (10): Avtar Gill, Carl Peto, david, gregor, Keith Roberts, Lindomar Santos, Markus Gaugusch, Peter Wiersig, Philippe Vogel, Richard