-   Linux - Security (
-   -   Firewall Question (

nester 08-11-2003 07:01 PM

Firewall Question
I have have just done a scan on myself using Nessus and the only Security Warning it has come up with so far, is telling me that I should filter incoming connections to ports 6000-6009 for X11

My question is how do I do this?

I have just installed Guarddog firewall untill I get used to how to use iptables without any GUI but for the moment I am stuck!

How would I make a rule for this using Guarddog so it filters the above ports?

ps: I am new to linux, so maybe I should have put this in the newbie forum?!

Many thanks,


pjcp64 08-11-2003 09:10 PM

I prefer to use external scanners. The ports in question are your X display ports. These are probably accessible by localhost ( you ).

Try the following command:

Ideally it should show:
# xhost
access control enabled, only authorized clients can connect.

*** localhost.localdomain might also be the hostname you've given your system.

If xhost gives:
access control disabled, clients can connect from any host
I'd correct it with
xhost -
xhost +localhost.localdomain ( no space after the + sign )

Good Luck.

nester 08-11-2003 09:50 PM


Thanks for your reply, do you know of any good external scanners I could try? How about shieldsup?

I have done as you said and it shows;

access control enabled, only authorized clients can connect

Does that mean I need do nothing?

Yes localhost.localdomain is the name I have given it. why does nessus advise that I should filter these ports (6000-6009)?

Thanks for your help


pjcp64 08-11-2003 10:15 PM

Ports 6000-6009 are used for the X window system. For instance, any of your graphical displays use this. It's a source of vulnerability if accessible from remote systems.

Since these ports are needed if your running X ( which you are if you have a graphical desktop ), it must be available for your local system.

xhost is the command that limits who has authority to use these X ports.

Since these ports are open to your localhost they are shown as open. An external scan bypasses this limitation and shows you exactly what is available/visible from outside.

Some sites I'd recommend for external scanning are:

It's been a while since I looked at these so I really can't narrow it down too much more than this.

Some require registration and may send you spam but...

There are others out there too. I usually like running tcpdump to my screen while it's running, that way I know its still busy.

*** Oh, about ShieldsUp. That's okay but I think it's more for scanning Windows than *nix systems.

nester 08-11-2003 11:41 PM

so that means that anyone could use xhost + <ip> and gain access? but I am safe from that.

I will give these scans a try and see what they do, thanks for your help, this site is full of knowledge! I could read for years!


pjcp64 08-12-2003 07:00 AM

It does appear that anybody can do the xhost command in RedHat. That can always be changed though with a chmod and maybe a new group.

You might also want to define these xhost commands during your startup process. Either by adding them to /etc/rc/rc.local or to the /etc/profile.d/ directory. I've setup /etc/profile.d/my.startup.scripts where I've:
set -o vi
xrdb /custom/.Xdefaults
xhost +localhost.localdomain >/dev/null 2>/dev/null
export PATH=$PATH:/custom

It sets up my Editor environment, my X defaults ( for things like Xterm ), xhosts, and modifies my Path.

FikseGTS 08-17-2003 08:53 AM

I've used a few times to test my own servers and a few clients..... works great.....

unSpawn 08-17-2003 08:34 PM

Basically securing, adding access restrictions in this case, with servers is a triplet. Why? Because of single points of failure.
Step 1: disable/configure the server: starting x as "startx -- -nolisten-tcp" will make it use Unix sockets only instead of TCP.
If you use Xdm/gdm/whatever, check your /etc/X11 configs.
Step 2: add a rule for tcp wrappers (/etc/hosts.deny|allow). If /etc/hosts.deny contains only the like "ALL: ALL" then you don't need to add a rule to /etc/hosts.allow, unless you want to explicitly configure remote hosts to have access to the X11 port range.
Step 3: If your firewall has a default policy of DENY, then you don't have to add a rule. If it has a default policy of ACCEPT, change it to a default policy of DENY (but be warned you then have to add rules for any service you need to access) or add a blocking rule for the X11 port range.

Xhost is deprecated: use Xauth.

All times are GMT -5. The time now is 06:27 AM.