3:20 a.m.
Louis Garcia wrote:
111/tcp open sunrpc
6000/tcp open X11
Should these be open be default?
--
Rhl-beta-list mailing list
Rhl-beta-list(a)redhat.com
http://www.redhat.com/mailman/listinfo/rhl-beta-list
In case you really must, I found in the man page for Xserver the option :
-nolisten trans-type
disables a transport type. For example, TCP/IP
connections can be disabled with -nolisten tcp.
The consequences of doing so , and where in the X configuration files
you might actually put it, I don't yet know... I have been trying to
find out how to set the option when starting X with xdm/gdm/kdm.
In any case, startx -- -nolisten tcp will do it at commandline and so
far in Severn it's had no adverse impact for me...
Cheers,
Michael
6:23 a.m.
Michael Kearey wrote:
shrek-m(a)gmx.de wrote:
> debian:
> /etc/X/xinit/xserverrc
>
> rhl ? :
>
> /etc/X11/xdm/Xservers
> :0 local /usr/X11R6/bin/X -nolisten tcp
>
>
> /etc/X11/gdm/gdm.conf
> [server-Standard]
> name=Standard server
> command=/usr/X11R6/bin/X -nolisten tcp
> flexible=true
>
>
> /etc/X11/xdm/kdmrc
oops,
additinal info.
i was wondering why i couldn´t connect to port:6000
after "startx" in init 3
i had forgotten to undo my changes in /usr/X11R6/bin/startx :-(
--snip--
userclientrc=$HOME/.xinitrc
userserverrc=$HOME/.xserverrc
sysclientrc=/etc/X11/xinit/xinitrc
sysserverrc=/etc/X11/xinit/xserverrc
defaultclient=/usr/X11R6/bin/xterm
defaultserver=/usr/X11R6/bin/X
defaultclientargs=""
defaultserverargs=""
clientargs=""
#serverargs="-nolisten tcp"
serverargs=""
--snap--
"export " the servern1 "DISPLAY=" to "192.168.101.10:0"
works now again
my ~/.xinitrc or ~/.Xclients-default
--snip--
xhost -
xhost +192.168.101.15
exec gnome-session
--snap--
$ startx
# lsof -Pi :6000
COMMAND PID USER FD TYPE DEVICE SIZE NODE NAME
X 1763 root 1u IPv4 14667 TCP *:6000 (LISTEN)
X 1763 root 29u IPv4 25800 TCP
192.168.101.10:6000->severn1:32774 (ESTABLISHED)
--
shrek-m
12:58 a.m.
Paul Jenner wrote:
On Mon, 2003-08-04 at 05:54, Louis Garcia wrote:
>111/tcp open sunrpc
>6000/tcp open X11
>
>Should these be open be default?
Reading the responses, the most interesting part of your question seemed
tactfully avoided on the list :-)
If Sun RPC and X over TCP are open by default, should they continue to
be? How many of the non-tech community use NFS/NIS/NIS+ or connect to X
remotely without ssh tunneling?
RPC is used for more than just NIS/NFS. Your file manager probably uses
RPC to talk to FAM, so that it can update its displays when files change.
RPC is also blocked by the default networking (firewall) configuration,
so it's basically only available to the local machine.
X... now that's another story. That should probably be firewalled as
well, and will be if you choose a "high security" firewall.
Particularly because X still runs as root, where "portmap" no longer
does. X is a much greater opportunity for attackers. :(
7:15 p.m.
New subject: lokkit (WAS: How do I shut down this ports)
On Sun, 2003-08-03 at 22:54, Louis Garcia wrote:
111/tcp open sunrpc
6000/tcp open X11
Should these be open be default?
If they are open or not is irrelevant if you are truly running a
"default" configuration.
By "default" on severn and below you get a "medium" firewall.
On whatever-name-is-next and above, by default you get an "enabled"
firewall.
Old:
medium/high/disabled
New:
enabled/disabled
What's the difference?
I wrote a patch that implements a stateful ruleset instead of the
previous non-stateful ruleset. This was accepted and is now in rawhide.
The end result:
1. Better security than the previous "high".
2. No breakage of *anything* initiated by the host.
Details:
By default your "enabled" firewall enables others to ping you, ALL other
unsolicited traffic to your box is rejected.
If your box initiates a outbound connection (ping,SSH,NFS,NIS,RPC,X11),
*inbound* packets that are part of, and related to, those connections
are allowed.
Using lokkit or redhat-config-securitylevel you can of course define
"trusted" interfaces and/or allowed *inbound* protocols
(SSH,TELNET,etc). This way you can selectively allow others to connect
to your box.
Nifty eh? This is made possible by the stateful rules.
Dax Kelson
Guru Labs
7:21 a.m.
shrek-m(a)gmx.de wrote:
<Snip>
you can try or google for ...
Yes, after reading the confusing trail of man pages, and config
scripts for X, google was my next option...
debian:
/etc/X/xinit/xserverrc
rhl ? :
/etc/X11/xdm/Xservers
:0 local /usr/X11R6/bin/X -nolisten tcp
/etc/X11/gdm/gdm.conf
[server-Standard]
name=Standard server
command=/usr/X11R6/bin/X -nolisten tcp
flexible=true
/etc/X11/xdm/kdmrc
But now you have spoilt my chance to google and given me the answers.
I am very thankfull, appreciate your help.
Cheers,
Michael
5:35 a.m.
Michael Kearey wrote:
Louis Garcia wrote:
> 6000/tcp open X11
In case you really must, I found in the man page for Xserver the option :
-nolisten trans-type
disables a transport type. For example, TCP/IP
connections can be disabled with -nolisten tcp.
The consequences of doing so , and where in the X configuration files
you might actually put it, I don't yet know... I have been trying to
find out how to set the option when starting X with xdm/gdm/kdm.
In any case, startx -- -nolisten tcp will do it at commandline and so
far in Severn it's had no adverse impact for me...
you can try or google for ...
debian:
/etc/X/xinit/xserverrc
rhl ? :
/etc/X11/xdm/Xservers
:0 local /usr/X11R6/bin/X -nolisten tcp
/etc/X11/gdm/gdm.conf
[server-Standard]
name=Standard server
command=/usr/X11R6/bin/X -nolisten tcp
flexible=true
/etc/X11/xdm/kdmrc
--
shrek-m
1:54 p.m.
On Mon, 2003-08-04 at 05:54, Louis Garcia wrote:
111/tcp open sunrpc
6000/tcp open X11
Should these be open be default?
Reading the responses, the most interesting part of your question seemed
tactfully avoided on the list :-)
If Sun RPC and X over TCP are open by default, should they continue to
be? How many of the non-tech community use NFS/NIS/NIS+ or connect to X
remotely without ssh tunneling?
Paul
7565
days inactive
7570
days old
8 comments
7 participants
participants (7)
-
Alan Cox -
Dax Kelson -
Gordon Messmer -
Louis Garcia -
Michael Kearey -
Paul Jenner -
shrek-m@gmx.de