LinuxQuestions.org
Slackware This Forum is for the discussion of Slackware Linux.

Old 06-10-2010, 11:41 PM   #1
STDOUBT
Member
 
Registered: May 2010
Location: Stumptown
Distribution: Slackware 14.0/32bit + Xmonad
Posts: 280

Rep: Reputation: 74
Securing X


I wondered to myself....

"Self, WTF good is the oh, so bitchin' xscreensaver SCREEN LOCK if any idiot could come along and make my X go POOF with a simple ctl+alt+BackSpace???" ...they would get dropped into my shell. You know, the shell where I started X? BAM Full Access.

How I solved this was I decided to make X start right up by changing /etc/inittab line "id:3:initdefault:" to say "id:4:initdefault:". Now if X is killed there is no open, vulnerable, naked little login-shell waiting to get sploited! =-)

Also, I found (like most astute slackware newbs) that when X starts, it listens on port 6000 for connections (XDMCP or whatever). This really bugged me, since I never plan on using this awesome feature.
So I edited /etc/X11/xdm/Xservers (I excluded KDE from my 13.1 install) and changed this line
Code:
:0 local /usr/bin/X :0
to this
Code:
:0 local /usr/bin/X -nolisten tcp :0
restarted X, and Bob's my Uncle!
 
Old 06-10-2010, 11:57 PM   #2
Mr-Bisquit
Member
 
Registered: Feb 2009
Distribution: FreeBSD, OpenBSD, NetBSD, Debian, Fedora
Posts: 770
Blog Entries: 52

Rep: Reputation: 68
I thought the nolisten flag was standard for X and had to be changed to allow remote connections. I set X11 forwarding on ssh with a value of >/= +100: Port6000 for local connections, limit the users. Port6100 or greater for remote. Limit the users.

Isn't it also possible to change the key combination?

http://www.daemonforums.org/showthread.php?t=3935
 
Old 06-11-2010, 06:25 AM   #3
GazL
Senior Member
 
Registered: May 2008
Posts: 3,503

Rep: Reputation: 1026
Yep, this is one of those little things that needs attention after installing Slackware. KDM adds "-nolisten tcp" by default when starting the xserver, but startx and xdm don't.

As for the screenlock, ctrl-alt-backspace and virtual console switching can be disabled from xorg.conf, or rather you used to be able to: I think you have to do it in HAL on a newer Slackware as it was changed - presumably because editing a single line in xorg.conf was way too simple and the Xorg guys needed to show how clever they could be!

You also have to be aware that alt-SysRq can be used to a similar effect, so it's not a good idea to leave an open console session on a Virtual Console as there's really no good way to secure it. screensaver/xlock only go so far.
 
Old 06-11-2010, 08:09 AM   #4
Mark Pettit
Member
 
Registered: Dec 2008
Location: Cape Town, South Africa
Distribution: Slackware 14.1 64 Multi-Lib
Posts: 442

Rep: Reputation: 140
I think it's worth mentioning that unless you have encrypted your disks (root, home etc.), very few machines are secure when someone has physical access to them. Merely placing a live-distro CD in the tray and powering off and on will give you full access to everything not encrypted. A good firewall that closes all ports other than SSH (22) would also prevent over-the-network attacks on X.
 
Old 06-11-2010, 08:25 AM   #5
Mr-Bisquit
Member
 
Registered: Feb 2009
Distribution: FreeBSD, OpenBSD, NetBSD, Debian, Fedora
Posts: 770
Blog Entries: 52

Rep: Reputation: 68
It's not a good idea to use the standard port 22 for ssh.
Also X won't start on any other tty unless you specify such.
Code:
startx -- :1    # or :2, :3, etc.
will get an Xsession.
Xdm will give another Xsession only if it is specified.
If the distribution or OS you are using allows other Xsessions without specifying such, then it's time to drop it.
 
Old 06-11-2010, 11:34 AM   #6
allend
Senior Member
 
Registered: Oct 2003
Location: Melbourne
Distribution: Slackware-current
Posts: 3,520

Rep: Reputation: 874
I just want to point out that in default Slackware listening for XDMCP requests is disabled in /etc/X11/xdm/xdm-config
Quote:
! SECURITY: do not listen for XDMCP or Chooser requests
! Comment out this line if you want to manage X terminals with xdm
DisplayManager.requestPort: 0
Alien_Bob has a blog post on what is required to enable XDMCP on Slackware.
http://alien.slackbook.org/blog/runn...on-ms-windows/
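
The two xdm settings raised in posts #1 and #6 ("-nolisten tcp" in /etc/X11/xdm/Xservers and "DisplayManager.requestPort: 0" in /etc/X11/xdm/xdm-config) can be checked with a short script. This is an added example, not part of the thread: the function names and the sample files are constructed for illustration, and the 177 fallback is xdm's documented default XDMCP port.

```shell
#!/bin/sh
# Added example: audit the two xdm settings discussed in this thread.

# Print each local-display line of an Xservers file whose X server command
# lacks "-nolisten tcp" (such a server accepts TCP connections on 6000+display).
xservers_listening() {
    awk 'NF == 0 || $1 ~ /^#/ { next }
         $2 == "local" || $3 == "local" {      # optional display class in $2
             if ($0 !~ /-nolisten[ \t]+tcp/) print
         }' "$1"
}

# Print the effective DisplayManager.requestPort from an xdm-config file.
# "!" starts a comment; xdm falls back to UDP 177 when the resource is unset.
xdmcp_port() {
    awk -F: '/^[ \t]*!/ { next }
         $1 ~ /^[ \t]*DisplayManager[.*]requestPort[ \t]*$/ {
             gsub(/[ \t]/, "", $2); port = $2
         }
         END { print (port == "" ? 177 : port) }' "$1"
}

# Report findings for an Xservers file ($1) and an xdm-config file ($2);
# returns 0 when both are locked down, 1 otherwise.
audit_xdm() {
    rc=0
    bad=$(xservers_listening "$1")
    [ -z "$bad" ] || { echo "X accepts TCP: $bad"; rc=1; }
    port=$(xdmcp_port "$2")
    [ "$port" = "0" ] || { echo "XDMCP listening on UDP $port"; rc=1; }
    return $rc
}

# Constructed sample files (not copied from a real system).
demo=$(mktemp -d)
printf '%s\n' '# stock entry' ':0 local /usr/bin/X :0' > "$demo/Xservers.before"
printf '%s\n' ':0 local /usr/bin/X -nolisten tcp :0' > "$demo/Xservers.after"
printf '%s\n' '! SECURITY: do not listen for XDMCP' \
    'DisplayManager.requestPort: 0' > "$demo/xdm-config.closed"
printf '%s\n' '! DisplayManager.requestPort: 0' > "$demo/xdm-config.open"

audit_xdm "$demo/Xservers.before" "$demo/xdm-config.open" || true
audit_xdm "$demo/Xservers.after" "$demo/xdm-config.closed" && echo "locked down"
```

On a real system, call audit_xdm /etc/X11/xdm/Xservers /etc/X11/xdm/xdm-config; it does not cover X servers started with startx.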
 
Old 06-11-2010, 11:47 AM   #7
ponce
Senior Member
 
Registered: Aug 2004
Location: Pisa, Italy
Distribution: Slackware
Posts: 2,500

Rep: Reputation: 912
I usually boot in init 3 on my work desktop and to be sure nobody does nasty things on my shell, I launch X with
Code:
exec startx
From the exec man page:
Quote:
The exec() family of functions replaces the current process image with a new process image.
So it launches X, closing the login bash.
This way, when I exit/zap X (if I switch to console, ctrl-Z doesn't work because I'm no longer in bash), I'm at the login prompt.

Obviously someone can open my PC and remove the hard disk, but my home is encrypted and nobody can see what I'm doing if the screen is locked.

O.T.: using compcache adds extra privacy, because your swap is in RAM and gets cleaned at reboot: you can't imagine how many interesting things can be found if you run strings on swap.

Last edited by ponce; 06-11-2010 at 11:59 AM.
 
1 members found this post helpful.
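
A check for the situation posts #1 and #7 describe, where the shell that launched X is still waiting underneath it. This is an added example, not part of the thread: it reads "PID PPID COMM" lines and flags any startx or xinit whose parent is a shell; the function name and both process listings are constructed.

```shell
#!/bin/sh
# Added example: find X sessions that would drop back to a shell when zapped.

# Read "PID PPID COMM" lines on stdin and print every startx/xinit process
# whose parent is a shell. With "exec startx" the shell is replaced, so the
# parent is login instead and nothing is printed.
exposed_x_launchers() {
    awk '
        { ppid[$1] = $2; comm[$1] = $3; order[++n] = $1 }
        END {
            for (i = 1; i <= n; i++) {
                p = order[i]
                if (comm[p] != "startx" && comm[p] != "xinit") continue
                parent = comm[ppid[p]]
                # sh, bash, dash, zsh, ksh, csh, tcsh, ash
                if (parent ~ /^-?(ba|da|z|k|c|tc|a)?sh$/)
                    print p, comm[p], "parent=" parent
            }
        }'
}

# Constructed listing: X started with plain "startx" from a login shell.
before='812 1 login
830 812 bash
901 830 startx
915 901 xinit
916 915 X'

# Constructed listing: X started with "exec startx" (the shell is gone).
after='812 1 login
830 812 startx
915 830 xinit
916 915 X'

printf '%s\n' "$before" | exposed_x_launchers
printf '%s\n' "$after" | exposed_x_launchers

# Live use (procps syntax):
#   ps -eo pid= -o ppid= -o comm= | exposed_x_launchers
```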
  


Tags
slack13, xorg

