LinuxQuestions.org > Forums > Linux Forums > Linux - Security
Linux - Security: This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Old 08-11-2003, 07:01 PM   #1
nester
LQ Newbie
 
Registered: Apr 2003
Distribution: Redhat 7.3
Posts: 26

Rep: Reputation: 15
Firewall Question


I have just done a scan on myself using Nessus and the only Security Warning it has come up with so far is telling me that I should filter incoming connections to ports 6000-6009 for X11.

My question is how do I do this?

I have just installed Guarddog firewall until I get used to how to use iptables without any GUI, but for the moment I am stuck!

How would I make a rule for this using Guarddog so it filters the above ports?

ps: I am new to linux, so maybe I should have put this in the newbie forum?!

Many thanks,

nester
 
Old 08-11-2003, 09:10 PM   #2
pjcp64
Member
 
Registered: Dec 2002
Location: Omaha, NE
Distribution: Ubuntu Server and SuSE
Posts: 69

Rep: Reputation: 15
I prefer to use external scanners. The ports in question are your X display ports. These are probably accessible by localhost (you).

Try the following command:
xhost

Ideally it should show:
# xhost
access control enabled, only authorized clients can connect.
INET:localhost.localdomain

*** localhost.localdomain might also be the hostname you've given your system.

If xhost gives:
access control disabled, clients can connect from any host
I'd correct it with
xhost -
xhost +localhost.localdomain (no space after the + sign)

Good Luck.
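Two checks that follow from the advice above, written as an added example (not code from the thread): the first classifies `xhost` output the way the reply describes, the second lists which X display sockets (TCP 6000-6009) are bound to loopback only versus every interface. Both functions read text on stdin, so the script exercises them on constructed samples and only consults the live system when `xhost` and `ss` are actually present. It assumes the modern `ss -ltn` column layout (local address in the fourth column); `netstat -ltn` output is laid out differently and is not handled.

```shell
#!/bin/sh
# Added example, not from the original thread.  Both checks work on text
# fed to stdin, so they are exercised on constructed samples and touch the
# live system only when xhost/ss are available.

# Classify "xhost" output: "ok" when access control is on, "open" when
# any host may connect, "unknown" for anything else.
xhost_status() {
    out=$(cat)
    case "$out" in
        "access control disabled"*) echo open ;;
        "access control enabled"*)  echo ok ;;
        *)                          echo unknown ;;
    esac
}

# List X11 display sockets (TCP 6000-6009) from "ss -ltn" output on stdin
# and say whether each is bound to loopback only or to every interface.
# Output: "<port> display=<n> <address> <scope>", one line per socket.
x_tcp_listeners() {
    awk 'NR > 1 {
        n = split($4, a, ":")
        port = a[n] + 0
        if (port < 6000 || port > 6009) next
        addr = substr($4, 1, length($4) - length(a[n]) - 1)
        scope = "other"
        if (addr ~ /^127\./ || addr == "[::1]") scope = "loopback"
        else if (addr == "0.0.0.0" || addr == "[::]" || addr == "*") scope = "any"
        printf "%d display=%d %s %s\n", port, port - 6000, addr, scope
    }'
}

# Constructed sample of "ss -ltn" on a box whose display :0 listens on
# every interface (what Nessus complains about) and :1 on IPv6 loopback only.
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN 0      128    0.0.0.0:6000        0.0.0.0:*
LISTEN 0      128    127.0.0.1:631       0.0.0.0:*
LISTEN 0      5      [::1]:6001          [::]:*'

# Constructed sample of the xhost output the reply calls ideal.
SAMPLE_XHOST='access control enabled, only authorized clients can connect.
INET:localhost.localdomain'

echo "sample xhost -> $(printf '%s\n' "$SAMPLE_XHOST" | xhost_status)"
echo "sample X11 listeners:"
printf '%s\n' "$SAMPLE_SS" | x_tcp_listeners

# Live checks, only when the tools and a display are really available.
if [ -n "$DISPLAY" ] && command -v xhost >/dev/null 2>&1; then
    echo "this host's xhost -> $(xhost 2>/dev/null | xhost_status)"
fi
if command -v ss >/dev/null 2>&1; then
    echo "this host's X11 listeners:"
    ss -ltn 2>/dev/null | x_tcp_listeners
fi
```

A socket reported with scope `any` is what an external scanner sees; `xhost` access control still applies on top of that, but a server that is not listening on TCP at all never has to rely on it.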
 
Old 08-11-2003, 09:50 PM   #3
nester
LQ Newbie
 
Registered: Apr 2003
Distribution: Redhat 7.3
Posts: 26

Original Poster
Rep: Reputation: 15
Hi,

Thanks for your reply, do you know of any good external scanners I could try? How about shieldsup?

I have done as you said and it shows:

access control enabled, only authorized clients can connect

Does that mean I need do nothing?

Yes, localhost.localdomain is the name I have given it. Why does Nessus advise that I should filter these ports (6000-6009)?

Thanks for your help

nester
 
Old 08-11-2003, 10:15 PM   #4
pjcp64
Member
 
Registered: Dec 2002
Location: Omaha, NE
Distribution: Ubuntu Server and SuSE
Posts: 69

Rep: Reputation: 15
Ports 6000-6009 are used for the X window system. For instance, any of your graphical displays use this. It's a source of vulnerability if accessible from remote systems.

Since these ports are needed if you're running X (which you are if you have a graphical desktop), it must be available for your local system.

xhost is the command that limits who has authority to use these X ports.

Since these ports are open to your localhost they are shown as open. An external scan bypasses this limitation and shows you exactly what is available/visible from outside.

Some sites I'd recommend for external scanning are:

http://www.inprotect.com
http://www.blackcode.com
http://www.computercops.biz
http://www.qualys.com
http://www.securityspace.com
http://scan.sygate.com
http://www.auditmypc.com

It's been a while since I looked at these so I really can't narrow it down too much more than this.

Some require registration and may send you spam but...

There are others out there too. I usually like running tcpdump to my screen while it's running, that way I know it's still busy.

*** Oh, about ShieldsUp. That's okay but I think it's more for scanning Windows than *nix systems.
 
Old 08-11-2003, 11:41 PM   #5
nester
LQ Newbie
 
Registered: Apr 2003
Distribution: Redhat 7.3
Posts: 26

Original Poster
Rep: Reputation: 15
So that means that anyone could use xhost + <ip> and gain access? But I am safe from that.

I will give these scans a try and see what they do, thanks for your help, this site is full of knowledge! I could read for years!

nester
 
Old 08-12-2003, 07:00 AM   #6
pjcp64
Member
 
Registered: Dec 2002
Location: Omaha, NE
Distribution: Ubuntu Server and SuSE
Posts: 69

Rep: Reputation: 15
It does appear that anybody can do the xhost command in RedHat. That can always be changed though with a chmod and maybe a new group.

You might also want to define these xhost commands during your startup process. Either by adding them to /etc/rc/rc.local or to the /etc/profile.d/ directory. I've set up /etc/profile.d/my.startup.scripts where I've:
export EDITOR=vi                               # default editor for programs that read $EDITOR (exported so they see it)
set -o vi                                      # vi key bindings on the command line
xrdb /custom/.Xdefaults                        # load X resources (xterm settings etc.)
xhost +localhost.localdomain >/dev/null 2>&1   # allow local clients to reach the display, quietly
export PATH=$PATH:/custom                      # add the custom tools directory to the search path

It sets up my Editor environment, my X defaults ( for things like Xterm ), xhosts, and modifies my Path.
 
Old 08-17-2003, 08:53 AM   #7
FikseGTS
LQ Newbie
 
Registered: Aug 2003
Posts: 2

Rep: Reputation: 0
I've used http://www.networkscanning.com/ a few times to test my own servers and a few clients..... works great.....
 
Old 08-17-2003, 08:34 PM   #8
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,409
Blog Entries: 55

Rep: Reputation: 3582
Basically securing, adding access restrictions in this case, with servers is a triplet. Why? Because of single points of failure.
Step 1: disable/configure the server: starting X as "startx -- -nolisten-tcp" will make it use Unix sockets only instead of TCP.
If you use Xdm/gdm/whatever, check your /etc/X11 configs.
Step 2: add a rule for tcp wrappers (/etc/hosts.deny|allow). If /etc/hosts.deny contains only the line "ALL: ALL" then you don't need to add a rule to /etc/hosts.allow, unless you want to explicitly configure remote hosts to have access to the X11 port range.
Step 3: If your firewall has a default policy of DENY, then you don't have to add a rule. If it has a default policy of ACCEPT, change it to a default policy of DENY (but be warned you then have to add rules for any service you need to access) or add a blocking rule for the X11 port range.

Xhost is deprecated: use Xauth.

Last edited by unSpawn; 08-17-2003 at 08:39 PM.
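The three layers described in the post above, as an added example that is not the moderator's own code: one small check per layer, plus the firewall rules that layer 3 calls for when the INPUT policy is ACCEPT. Assumptions: the X server's command line is obtained separately (for example `ps -o args= -C X`) and passed in as a string, and the server option is spelled `-nolisten tcp` (the option and its argument are two separate words, which is the syntax the X server accepts); the hosts.deny file is given as a path; the firewall policy is parsed from `iptables -S INPUT` output fed on stdin; the iptables commands are printed, never executed, so the script needs neither root nor a running X server. One caveat on layer 2: tcp wrappers only govern daemons that consult libwrap, and the X server is not normally one of them, so that layer protects the other services on the box rather than the display ports themselves; layers 1 and 3 are what actually close 6000-6009.

```shell
#!/bin/sh
# Added example, not from the original thread: one check per layer of the
# "triplet" (server config, tcp wrappers, packet filter), on constructed data.

# Layer 1: was the X server started with "-nolisten tcp"?  $1 is the server
# command line, e.g. from "ps -o args= -C X" (obtaining it is left to the caller).
x_nolisten_ok() {
    case " $1 " in
        *" -nolisten tcp "*) return 0 ;;
        *)                   return 1 ;;
    esac
}

# Layer 2: does the hosts.deny at path $1 carry an uncommented "ALL: ALL"?
tcpwrap_default_deny() {
    grep -Eq '^[[:space:]]*ALL[[:space:]]*:[[:space:]]*ALL' "$1"
}

# Layer 3a: read "iptables -S INPUT" output on stdin, print the chain policy word.
input_policy() {
    awk '$1 == "-P" && $2 == "INPUT" { print $3; exit }'
}

# Layer 3b: print (do not apply) the rules for an ACCEPT policy: keep loopback
# working for local X clients, then drop the display range from everywhere else.
x11_block_rules() {
    printf '%s\n' \
        'iptables -A INPUT -i lo -j ACCEPT' \
        'iptables -A INPUT -p tcp --dport 6000:6009 -j DROP'
}

# Decide what layer 3 needs from the policy word input_policy printed.
x11_firewall_plan() {
    case "$1" in
        DROP|REJECT) echo "default policy $1: no extra rule needed" ;;
        ACCEPT)      x11_block_rules ;;
        *)           echo "unknown policy '$1'"; return 1 ;;
    esac
}

# --- demo on constructed inputs ---
echo "layer 1:"
for cmdline in '/usr/bin/X :0 -nolisten tcp vt7' '/usr/bin/X :0 vt7'; do
    if x_nolisten_ok "$cmdline"; then
        echo "  ok   $cmdline"
    else
        echo "  OPEN $cmdline   (listens on TCP)"
    fi
done

echo "layer 2:"
tmp=$(mktemp)
printf '# constructed hosts.deny\nALL: ALL\n' > "$tmp"
if tcpwrap_default_deny "$tmp"; then echo "  ok   hosts.deny denies by default"; fi
printf 'sshd: ALL\n' > "$tmp"
if ! tcpwrap_default_deny "$tmp"; then echo "  WARN hosts.deny has no ALL: ALL line"; fi
rm -f "$tmp"

echo "layer 3:"
policy=$(printf '%s\n' '-P INPUT ACCEPT' '-A INPUT -i lo -j ACCEPT' | input_policy)
echo "  constructed iptables -S INPUT says policy $policy; plan:"
x11_firewall_plan "$policy" | sed 's/^/    /'
```

Run the printed iptables lines only after confirming the INPUT policy really is ACCEPT; with a DROP policy, as the post says, the range is already closed and the rules would be redundant.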