Hi

I have probs getting X to stop listening for connections on port 6000. I saw in the "SuSE Security FAQ (unofficial)" that to get it to stop listening I should change /usr/X11R6/lib/X11/xdm/Xservers but this doesn't work for 7.1, anyone know how to disable it in 7.1? I do not want to block it using a firewall.

Cheers
/Chriss
> Hi
> I have probs getting X to stop listening for connections on port 6000. I saw in the "SuSE Security FAQ (unofficial)" that to get it to stop listening I should change /usr/X11R6/lib/X11/xdm/Xservers but

Change the line to read

:0 local /usr/X11R6/bin/X :0 vt07 -nolisten tcp

it should work.

> this doesn't work for 7.1, anyone know how to disable it in 7.1? I do not want to block it using a firewall.

ipchains -I input -d 0/0 6000 -p tcp -j REJECT

or -j DENY, as you wish.

> Cheers
> /Chriss

Roman.
--
- -
| Roman Drahtmüller
Hi!

On Tue, 10 Jul 2001, Roman Drahtmueller wrote:
> > Hi
> > I have probs getting X to stop listening for connections on port 6000. I saw in the "SuSE Security FAQ (unofficial)" that to get it to stop listening I should change /usr/X11R6/lib/X11/xdm/Xservers but
>
> Change the line to read
>
> :0 local /usr/X11R6/bin/X :0 vt07 -nolisten tcp
>
> it should work.

On my SuSE 7.1 box it doesn't work either (yes, I *did* restart the X server!).

Any ideas? (Luckily, the workstation sits behind a firewall...)

Bye, Martin
On Wednesday, 11 July 2001 10:54, you wrote:
> Hi!
>
> On Tue, 10 Jul 2001, Roman Drahtmueller wrote:
> > > Hi
> > > I have probs getting X to stop listening for connections on port 6000. I saw in the "SuSE Security FAQ (unofficial)" that to get it to stop listening I should change /usr/X11R6/lib/X11/xdm/Xservers but
> >
> > Change the line to read
> >
> > :0 local /usr/X11R6/bin/X :0 vt07 -nolisten tcp
> >
> > it should work.
>
> On my SuSE 7.1 box it doesn't work either (yes, I *did* restart the X server!).
>
> Any ideas? (Luckily, the workstation sits behind a firewall...)
>
> Bye, Martin

On SuSE 7.1 (kernel 2.2.x) I'd do:

ipchains -A input -p tcp -s ! a.b.c.d/32 -d a.b.c.d 6000 -j REJECT

dunno yet how to use ports in iptables tho...

a.b.c.d would be your ip

-tosi
On Wed, 11 Jul 2001, Roman Drahtmueller wrote:
> > On my SuSE 7.1 box it doesn't work either (yes, I *did* restart the X server!).
>
> You're not supposed to restart the X-server. Restart xdm! This will nuke the X-Server as well, of course...

I should have written: "I *did* restart X".

Netstat -pnl still shows the process "X" listening on port 6000:

tcp 0 0 0.0.0.0:6000 0.0.0.0:* LISTEN 17043/X

Martin
I don't think that there is a way to keep X from listening on port 6000 (or some port) since it is a server running on your machine. It has to bind to a port and then the client connects to that port. That is why you can have multiple X sessions, running on different ports. If you don't want anything running on port 6000, don't run X. If you just don't want anyone else but yourself to connect to it, do

ipchains -A input -s ! 127.0.0.1 -p tcp --dport 6000 -j REJECT

On Wed, 11 Jul 2001, Martin Köhling wrote:
> On Wed, 11 Jul 2001, Roman Drahtmueller wrote:
> > > On my SuSE 7.1 box it doesn't work either (yes, I *did* restart the X server!).
> >
> > You're not supposed to restart the X-server. Restart xdm! This will nuke the X-Server as well, of course...
>
> I should have written: "I *did* restart X".
>
> Netstat -pnl still shows the process "X" listening on port 6000:
>
> tcp 0 0 0.0.0.0:6000 0.0.0.0:* LISTEN 17043/X
>
> Martin
Chad Whitten
Network/Systems Administrator
Nexband Communications
chadwick@nexband.com
> > You're not supposed to restart the X-server. Restart xdm! This will nuke the X-Server as well, of course...
>
> I should have written: "I *did* restart X".
Ok, this really seems difficult to understand:
I said "restart xdm". Not "restart X". Means: Add the "-nolisten tcp"
option to the Xserver startline in /etc/X11/xdm/Xservers, then
killall -15 xdm
and see your X-session die. If everything is right, that is, and there
should not be a new X-server that starts up. Nuking the X-server alone
won't help since a new one will be started, most likely with the same
options as the one before.
Then, log on as root on the console and start xdm:
/etc/init.d/xdm start
Afterwards, see the output of "netstat -anp|grep LISTEN" and check your
open ports.
I'm using basically the same software as you do, so I wonder why it works
for me...
Roman.
--
- -
| Roman Drahtmüller
On Wed, 11 Jul 2001, Roman Drahtmueller wrote:
> > I should have written: "I *did* restart X".
>
> Ok, this really seems difficult to understand:
>
> I said "restart xdm". Not "restart X". Means: Add the "-nolisten tcp" option to the Xserver startline in /etc/X11/xdm/Xservers, then
>
> killall -15 xdm
>
> and see your X-session die. If everything is right, that is, and there should not be a new X-server that starts up. Nuking the X-server alone won't help since a new one will be started, most likely with the same options as the one before.
>
> Then, log on as root on the console and start xdm:
>
> /etc/init.d/xdm start

My setup is *slightly* different: I normally don't run X (my default runlevel is 3); when I need X I simply type "startx" (as a regular user). When I select "logout" from the kde popup menu X is completely terminated - no more listeners on port 6000; when I run "startx" again X again listens on port 6000; this is not really a problem since the local firewall rules don't allow incoming TCP connects on any random port - but I'd still like to turn this "feature" off...

> Afterwards, see the output of "netstat -anp|grep LISTEN" and check your open ports.

tcp 0 0 0.0.0.0:6000 0.0.0.0:* LISTEN 18299/X

> I'm using basically the same software as you do, so I wonder why it works for me...

Strange....

Martin
> I don't think that there is a way to keep X from listening on port 6000 (or some port) since it is a server running on your machine.

this is wrong, X can use unix sockets as well. it doesn't need tcp port 6000 for local connections. It is in /etc/.X11-unix/X0

if you don't use xdm, use

startx -nolisten tcp

or if you use xdm, edit /var/X11R6/lib/xdm/Xservers and add -nolisten tcp to the line

:0 local /usr/X11R6/bin/X :0 vt07

(it looks like ":0 local /usr/X11R6/bin/X :0 vt07 -nolisten tcp" afterwards)

Changes in Xservers do not affect sessions with startx !
(hopefully startx takes -nolisten tcp ... I didn't try. Maybe "startx -- -nolisten tcp" works, if the other doesn't work)

greetings
Markus

--
_____________________________    /"\
Markus Gaugusch  ICQ 11374583    \ /    ASCII Ribbon Campaign
markus@gaugusch.dhs.org           X     Against HTML Mail
                                 / \
On Wed, 11 Jul 2001, Markus Gaugusch wrote:
> if you don't use xdm, use startx -nolisten tcp
> or if you use xdm, edit /var/X11R6/lib/xdm/Xservers and add -nolisten tcp to the line :0 local /usr/X11R6/bin/X :0 vt07 (it looks like ":0 local /usr/X11R6/bin/X :0 vt07 -nolisten tcp" afterwards)
>
> Changes in Xservers do not affect sessions with startx !

Oooops - here's the answer...

> (hopefully startx takes -nolisten tcp ... I didn't try. Maybe "startx -- -nolisten tcp" works, if the other doesn't work)

The second variation seems to work! Thanks.

Now if somebody could tell us how to stop kdeinit from listening on some variable port in the local port range... :-)

Martin
Martin Köhling wrote:
> Now if somebody could tell us how to stop kdeinit from listening on some variable port in the local port range... :-)
>
> Martin

If you mean kxmlrpcd (and are using kde2), I have been able to stop it by editing /opt/kde2/share/services/kxmlrpcd.desktop and commenting out the last three lines:

# Exec...
# X-KDE-Library...
# X-KDE-Init...

(maybe the first of these is enough; didn't try...)

regards
nicola
On Wed, 11 Jul 2001 dog@intop.net wrote:
> I don't think that there is a way to keep X from listening on port 6000 (or some port) since it is a server running on your machine. It has to bind to a port and then the client connects to that port. That is why you can have multiple X sessions, running on different ports. If you don't want anything running on port 6000, don't run X. If you just don't want anyone else but yourself to connect to it, do ipchains -A input -s ! 127.0.0.1 -p tcp --dport 6000 -j REJECT

hi

actually, you can keep X from binding on port 6000

call it as

X -nolisten TCP

or

startx -- -nolisten TCP

or change in the Xservers file (/etc/X11/xdm/Xserver IIRC) the line that calls the x server for xdm login

and it won't bind to the port 6000 + session number

as a test, see my netstat output, i have 3 X sessions running, one of them with the nolisten clause

adilson@linux:~ > netstat -tuan
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:1024            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:6000            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:6002            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN

port 6000 listening is the first X session, port 6002 is the 3rd session, the second session has no port bound

best regards
Adilson Ribeiro

PS: no one really will connect to your server via tcp/ip, not even yourself :) you will have to do that with the :session notation, without the hostname (the hostname implies network connection)
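Added example, not part of the original thread: a shell sketch of the two checks the posters do by hand, namely whether a local server line in an xdm Xservers file lacks `-nolisten tcp`, and which X displays appear as TCP listeners (port 6000 + display number) in netstat output. The function names, the 6000-6063 port range and the sample data are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Function names and sample data are
# constructed; the port range 6000-6063 is an assumed upper bound.

# Print each active "local" server line of an xdm Xservers file (file
# argument, or stdin) that lacks "-nolisten tcp"; exit 1 if any is found.
xservers_missing_nolisten() {
    awk '
        /^[ \t]*#/ || NF == 0 { next }   # skip comments and blank lines
        /[ \t]local[ \t]/ && !/-nolisten[ \t]+tcp/ { print; bad = 1 }
        END { exit bad + 0 }
    ' "${1:--}"
}

# Read "netstat -tan" / "netstat -pnl" output on stdin and print the display
# (":N") behind every TCP listener on port 6000+N.
x_tcp_displays() {
    awk '
        $1 ~ /^tcp/ && $6 == "LISTEN" {
            n = split($4, part, ":")      # last piece after ":" is the port
            port = part[n] + 0
            if (port >= 6000 && port <= 6063) print ":" (port - 6000)
        }
    '
}

# Constructed sample: one server line without the option, one with it.
sample_xservers='# Xservers
:0 local /usr/X11R6/bin/X :0 vt07
:1 local /usr/X11R6/bin/X :1 vt08 -nolisten tcp'

# Constructed sample modelled on the netstat listing quoted above.
sample_netstat='tcp 0 0 0.0.0.0:1024 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:6000 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:6002 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN'

if ! printf '%s\n' "$sample_xservers" | xservers_missing_nolisten; then
    echo "above server line(s) still accept TCP connections"
fi
printf '%s\n' "$sample_netstat" | x_tcp_displays
```

The Xservers check only covers servers started by xdm; as the thread notes, a session started with startx takes its options from the startx command line instead.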
one way is not to have x running

On Tue, 10 Jul 2001, Passreality wrote:
> Hi
> I have probs getting X to stop listening for connections on port 6000. I saw in the "SuSE Security FAQ (unofficial)" that to get it to stop listening I should change /usr/X11R6/lib/X11/xdm/Xservers but this doesn't work for 7.1, anyone know how to disable it in 7.1? I do not want to block it using a firewall.
> Cheers
> /Chriss
Chad Whitten
Network/Systems Administrator
Nexband Communications
chadwick@nexband.com
participants (8)
- Adilson Guilherme Vasconcelos Ribeiro
- dog@intop.net
- Markus Gaugusch
- Martin Köhling
- nicola
- Passreality
- Roman Drahtmueller
- Tor Sigurdsson