LinuxQuestions.org


Smokey 06-30-2005 12:29 AM

disabling xhost & xauth
 
How can I disable or reject any requests for xhost, xauth? From what I understand, an attacker can simply log in if I have an IP address. But I do not do that; I don't even use X11 forwarding. I just want to lock this down so there is no way possible anyone can use xhost or manipulate xauth.

uselpa 06-30-2005 02:22 PM

From http://www.linuxsecurity.com/resourc...cklist.en.html :
Quote:

If you run X, disable xhost authentication and go with ssh instead; better yet, disable remote X if you can (add -nolisten tcp to the X command line and turn off XDMCP in /etc/X11/xdm/xdm-config by setting the requestPort to 0)
HTH

Smokey 06-30-2005 03:52 PM

Code:

! $Xorg: xdm-conf.cpp,v 1.3 2000/08/17 19:54:17 cpqbld Exp $
!
!
!
!
! $XFree86: xc/programs/xdm/config/xdm-conf.cpp,v 1.10 2002/11/30 19:11:32 herrb Exp $
!
DisplayManager.errorLogFile:        /var/log/xdm.log
DisplayManager.pidFile:                /var/run/xdm.pid
DisplayManager.keyFile:                /usr/X11R6/lib/X11/xdm/xdm-keys
DisplayManager.servers:                /usr/X11R6/lib/X11/xdm/Xservers
DisplayManager.accessFile:        /usr/X11R6/lib/X11/xdm/Xaccess
DisplayManager.willing:                su nobody -c /usr/X11R6/lib/X11/xdm/Xwilling
! All displays should use authorization, but we cannot be sure
! X terminals may not be configured that way, so they will require
! individual resource settings.
DisplayManager*authorize:        true
! The following three resources set up display :0 as the console.
DisplayManager._0.setup:        /usr/X11R6/lib/X11/xdm/Xsetup_0
DisplayManager._0.startup:        /usr/X11R6/lib/X11/xdm/GiveConsole
DisplayManager._0.reset:        /usr/X11R6/lib/X11/xdm/TakeConsole
!
DisplayManager*chooser:                /usr/X11R6/lib/X11/xdm/chooser
DisplayManager*resources:        /usr/X11R6/lib/X11/xdm/Xresources
DisplayManager*session:                /usr/X11R6/lib/X11/xdm/Xsession
DisplayManager*authComplain:        true



! SECURITY: do not listen for XDMCP or Chooser requests
! Comment out this line if you want to manage X terminals with xdm
DisplayManager.requestPort:        0


Looks like it is already set to Port zero?

uselpa 06-30-2005 04:02 PM

Yes. The documentation I quoted was for Debian, so in Slackware the config might be different.
Also have a look at /usr/X11R6/bin/startx for the other point.

Of course, you could always block incoming connections with iptables, that's what I did.
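
As an added example (not part of the thread and not from any poster), this shell script audits the two settings named in the quoted checklist: the effective `DisplayManager.requestPort` in an xdm-config file, and `-nolisten tcp` on the server lines of the Xservers file that xdm-config points to. The sample files are constructed, and the function names are made up for this example.

```shell
#!/bin/sh
# Added example: static audit of the X hardening settings discussed above.

# Print the effective XDMCP port from an xdm-config file. "!" starts a comment
# in X resource files; xdm uses UDP port 177 when the resource is unset.
# Simplification: "." and "*" bindings are treated alike, last match wins.
xdmcp_port() {
    awk -F: '
        /^[ \t]*!/ { next }
        $1 ~ /^[ \t]*DisplayManager[.*]requestPort[ \t]*$/ {
            gsub(/[ \t]/, "", $2); port = $2
        }
        END { print (port == "" ? 177 : port) }
    ' "$1"
}

# Print the display name of every local server entry in an Xservers file
# whose command line lacks "-nolisten tcp". "#" starts a comment there.
# The type field is 2nd, or 3rd when an optional display class is present.
displays_without_nolisten() {
    awk '
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        ($2 == "local" || $3 == "local") && !/-nolisten[ \t]+tcp/ { print $1 }
    ' "$1"
}

# Constructed sample inputs, written to a scratch directory.
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
cat > "$tmp/xdm-config" <<'EOF'
DisplayManager*authorize:        true
! SECURITY: do not listen for XDMCP or Chooser requests
DisplayManager.requestPort:      0
EOF
cat > "$tmp/xdm-config.open" <<'EOF'
DisplayManager*authorize:        true
! DisplayManager.requestPort:    0
EOF
cat > "$tmp/Xservers" <<'EOF'
# display  type  command
:0 local /usr/X11R6/bin/X
:1 local /usr/X11R6/bin/X :1 -nolisten tcp
EOF

echo "XDMCP port (requestPort set to 0):  $(xdmcp_port "$tmp/xdm-config")"
echo "XDMCP port (line commented out):    $(xdmcp_port "$tmp/xdm-config.open")"
echo "Displays without -nolisten tcp:     $(displays_without_nolisten "$tmp/Xservers")"
```

On a real system, pass the paths from the posted config (for instance the files named by `DisplayManager.servers`) instead of the scratch files.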


All times are GMT -5.