[TriLUG] preventing X from opening port 6000?

Geoff Purdy geoff.purdy at verizon.net
Wed Mar 13 22:02:21 EST 2002


Mike and Jon,
Editing /etc/X11/xdm/Xservers to read: 

:0 local /usr/X11R6/bin/X -nolisten tcp

did the trick.  All ports show as closed in nmap now.

As a footnote, I made an error in my original post.  'startx -- -nolisten 
tcp' is the proper command to start X11 from the command line without opening 
port 6000.  I omitted the first two dashes in the original.

Thanks.

On Wednesday 13 March 2002 11:02 am, you wrote:
> Geoff Purdy [geoff.purdy at verizon.net] wrote:
> > Two questions:
> > a)  What is the level of risk of my system being compromised through port
> > 6000 while running the X11 service?
>
> Well, it's one more possible way in.  If you're fully updated, you're
> probably okay for now.  However, that's not to say there's nothing coming
> down the pipe (or not widely known).  And, well, do you -really- need
> X listening there?  No.
>
> However, one could probably DoS X without much work.
>
> > b)  I believe that if I boot into runlevel 3, I can run 'startx -nolisten
> > tcp' to prevent X from opening port 6000.  How can I configure the system
> > to use the '-nolisten tcp' option when booting directly into X (runlevel
> > 5).
>
> Edit /etc/X11/xdm/Xservers and add your -nolisten tcp to the line there.
> So, it should (probably - I'm not gonna exit X right now and try it)
>
> read:
> :0 local /usr/X11R6/bin/X -nolisten tcp
>
> Mike
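
Added example (not part of the original thread): a shell function that audits an xdm Xservers file for local server entries that lack the -nolisten tcp option discussed above. The function name audit_xservers and the sample file contents are constructed for illustration.

```shell
#!/bin/sh
# Added example: flag local X server entries in an Xservers file
# that are started without "-nolisten tcp".

# audit_xservers FILE
# Prints each offending entry as "FILE:LINENO: entry".
# Returns 1 if any local entry lacks "-nolisten tcp", 0 otherwise.
audit_xservers() {
    awk -v file="$1" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }   # skip comments and blank lines
        {
            is_local = 0; has_flag = 0
            for (i = 1; i <= NF; i++) {
                # the server type follows the display name (and optional class)
                if (i <= 3 && $i == "local") is_local = 1
                if ($i == "-nolisten" && $(i + 1) == "tcp") has_flag = 1
            }
            if (is_local && !has_flag) {
                printf "%s:%d: %s\n", file, NR, $0
                bad = 1
            }
        }
        END { exit (bad + 0) }
    ' "$1"
}

# Constructed sample input (not taken from the thread).
sample=$(mktemp)
cat > "$sample" <<'EOF'
# constructed sample Xservers file
:0 local /usr/X11R6/bin/X -nolisten tcp
:1 local /usr/X11R6/bin/X :1
EOF

if audit_xservers "$sample"; then
    echo "all local servers are started with -nolisten tcp"
else
    echo "the entries listed above do not pass -nolisten tcp"
fi
rm -f "$sample"
```

On a real system, pass the path from the thread instead: audit_xservers /etc/X11/xdm/Xservers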


