stoppin X access remotely

dai · 07-01-2003, 01:30 PM

Hi just wondering if anybody knows how to stop X from accepting any remote connections fro manywhere.

DO I have to disable X11 from listening for connections or is there a configuration method that will let only localhost login

david_ross · 07-01-2003, 01:42 PM

Just put some iptables/ipchains rules in place to stop access.

david_ross · 07-01-2003, 01:42 PM

Oh - if you are doing it over ssh then you can disable Xforwarding in sshd_config

dai · 07-01-2003, 02:05 PM

I just want to stop all access remotely but am running a webserver aswell so I dont want to use Iptables and ssh is going to be disabled aswell so i want to somehow stop X11 listening for network connections..

Tinkster · 07-01-2003, 02:38 PM

Edit /etc/services,
comment 6000 through 6010.

Cheers,
Tink

tobyl · 07-01-2003, 04:22 PM

You are running a web server and dont want to use iptables?
Iptables can be configured to allow whatever ports you like, so you can allow 80 and stop the others that you dont want. You are really leaving yourself open otherwise. (correct me if I am wrong someone)
tobyl

dai · 07-01-2003, 04:59 PM

Quote:

Originally posted by tobyl
You are running a web server and dont want to use iptables?
Iptables can be configured to allow whatever ports you like, so you can allow 80 and stop the others that you dont want. You are really leaving yourself open otherwise. (correct me if I am wrong someone)
tobyl

Just to explain

I dont want to run iptables on the server that hosts thewebserver because I am doing this for an MSc disertation and belive that it would be more secure to turn off services that arent needed and then place a Proxy and/or hardware firewall in front of the server thus creating a simple DMZ and allowing only access to Port 80 when the Proxy (which will run in combined mode) doesent have a doc required while also allowing https access to purchase goods.

Basically trying to lower the load on the main machine while ensuring security is at max, which is why I want to disable the remote access to any service not needed even when firewalls and IDS's are in use.

tobyl · 07-01-2003, 05:26 PM

Ah, well then you are probably over my head, but I do know that to stop X listening (6000), the argument is startx -nolisten TCP.
If you start X from kdm,gdm or xdm then you need to add -nolisten TCP to the relevant file that calls X.

dai · 07-01-2003, 06:22 PM

Cool I just want X to stop listening for connections really, which should solve the problem now all I got to do is figure out where to put that line.

Cheers

tobyl · 07-02-2003, 02:47 PM

Could you tell us how you boot into X?
do you use kde, gnome, or maybe you boot into X fron the command line, ie is your default runlevel 3 or 4? (/etc/inittab)

it depends how you start your X server as to which file matters.

tobyl

dai · 07-02-2003, 03:28 PM

Startx at command line

tobyl · 07-02-2003, 04:39 PM

then try
startx -nolisten TCP

dai · 07-02-2003, 05:15 PM

Quote:

Originally posted by tobyl
then try
startx -nolisten TCP

Is there anyway of automating this process so that StartX alone can be used to stop network connections.

tobyl · 07-02-2003, 05:44 PM

first of all, did it work?
I guess you are using nmap to test?

I guess you could devise a bash script with all the commands you want, and then call that at the prompt.

Or you could use a login manager like kdm and modify the startup files.

Or you could write your own with perl or python or whatever.

(or you could wait until one of the gurus like Tinkster or acid_kewpie gave a better idea)

regards, tobyl

dai · 07-02-2003, 05:46 PM

cheers

havent checked if it works yet as Im running John on my system trying to crack my passwords.

So far its been running since 11 this morning so once it finishes Ill try it.

Also to test Im using: -

netstat - l | grep LISTEN