Re: Disabling X and KDM from listening on a port.

From: Rob Bos (rbos@wizard.ca)
Date: 08/14/01


Date: Tue, 14 Aug 2001 09:14:31 -0700
From: Rob Bos <rbos@wizard.ca>
To: focus-linux@securityfocus.com
Subject: Re: Disabling X and KDM from listening on a port.
Message-ID: <20010814091431.D4520@tech>

On Tue, Aug 14, 2001 at 03:59:13AM -0700, Dragos Ruiu wrote:
> Firewall those ports off with ipfilter, ipchains or whatever
> you use as a network firewall.

While I have nothing against firewalls, they are fundamentally _workarounds_.
You shouldn't have the service listening in the first place.

It bothers me that XFree86 listens on TCP by default. If you want to open
yourself up to a potential security hole, sure, but insecure shouldn't be the
default. I took a quick look at my X configuration; Debian has -nolisten tcp
on by default, which is fortunate.

I wonder if the XFree team would be willing to listen to a polite nag to
make it not the default, and explicitly state "-listen tcp" in the
configuration. I'm thinking through implications and I don't see anything
immediately that'd be adversely affected.

Questions like this are immediately relevant - God knows how many buffer
overflows are present in XFree; we don't need more worms.

~rbos

> cheers,
> --dr

-- 
Rob Bos - System Administration
Wizard IT Services - http://www.wizard.ca http://linuxmagic.com
Unix Administration, Website Hosting, Network Services, Programming
(604) 589-0037 Beautiful British Columbia, Canada
--------------------------------------------------------
Any and all opinions expressed herein are not necessarily
the opinions of Wizard IT Services.
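
One way to check for the condition this message describes, as an added example that is not part of the original message: it reads xdm/kdm-style `Xservers` lines and reports local X servers started without `-nolisten tcp`. The function names and the sample lines are constructed for illustration, and the line layout (`display [class] local server args...`) is an assumption about the file being audited.

```shell
#!/bin/sh
# Added example: find X server start lines that lack "-nolisten tcp".
# Assumed input: xdm/kdm Xservers lines, "<display> [class] local <server> [args]".

# Print the display name of each local server entry that would listen on TCP.
# Runs in a subshell so that "set -f" (no globbing) does not leak to the caller.
audit_xservers() (
    set -f
    while read -r display a b rest; do
        case "$display" in
            ''|'#'*) continue ;;               # skip blank lines and comments
        esac
        if [ "$a" = "local" ]; then            # no display class given
            args="$b $rest"
        elif [ "$b" = "local" ]; then          # optional display class present
            args="$rest"
        else
            continue                           # foreign display, nothing started here
        fi
        prev="" safe=no
        for tok in $args; do
            # The option only counts when it is followed by the protocol name.
            if [ "$prev" = "-nolisten" ] && [ "$tok" = "tcp" ]; then
                safe=yes
            fi
            prev=$tok
        done
        [ "$safe" = yes ] || echo "$display"
    done
)

# Constructed sample, not taken from any real host.
sample_xservers() {
    cat <<'EOF'
# constructed Xservers sample
:0 local /usr/X11R6/bin/X vt7 -nolisten tcp
:1 local /usr/X11R6/bin/X vt8 -dpi 100
:2 local /usr/X11R6/bin/X vt9 -nolisten
remotehost:0 foreign
EOF
}

# Display :N corresponds to TCP port 6000+N.
sample_xservers | audit_xservers | while read -r d; do
    echo "display $d would listen on tcp/$((6000 + ${d#:}))"
done
```

To audit a real file, pipe it into the function, for example `audit_xservers < /etc/X11/xdm/Xservers`; the path varies by distribution and display manager.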


