I did a portscan of myself, and found out that by default (security level 3)
Mandrake leaves kdm (or xdm) listening to UDP port 177 to support Xdmcp (allows
remote hosts to log into my box via X...) and the X server was listening on
port 6000 (allows connections to X server)....

I like to keep the open ports on my box to a minimum (ssh) so I disabled these
two, as I only use X locally. (it's a workstation).

To do so, here is what I did:

in the /etc/inittab file, on the last line, I added the "-udpPort 0" option as
follows (this turns off XDMCP):

# Run xdm in runlevel 5
# xdm is now a separate service
x:5:respawn:/etc/X11/prefdm -nodaemon -udpPort 0


In the /usr/X11R6/bin/startx script, I added the "-nolisten tcp" option to the
serverargs="" line, as follows:
serverargs="-nolisten tcp"



I thought that possibly this would help others wishing to do the same thing.
Jay Summet



The reason I'm doing this is the various Bugtraq messages about XDM, one of
which is listed below:

> 
> Hi,
> 
> Just a minor one this. Discovered during a 5 minute pass of "xdm". I
> subsequently discovered "kdm" has copied the xdm core xdmcp code.
> 
> I'm posting this because I think Caldera released an advisory, but a
> general discussion of the problem did not yet appear on Bugtraq.
> 
> Further audit of kdm/xdm encouraged; there's quite a lot of it offering
> listening ports to the open internet...
> 
> CREDITS
> =======
> 
> Thanks to Olaf Kirch for assisting looking into this.
> 
> SUMMARY [copied from original discovery mail]
> =======
> 
> xdmcp.c, send_failed()
> 
> [...]
> static char buf[256];
> [...]
>     sprintf (buf, "Session %d failed for display %s: %s",
>              (int)sessionID, name, reason);
> 
> As far as I can tell, "name" could well be an arbitrary host name...

(This means a buffer overrun attack, for those of you who don't already know)

> 
> COMMENTS
> ========
> 
> Anyone doing a more thorough audit (I literally did 5 mins) should check
> the handling of the various files, e.g. Xauth cookie files. GDM had some
> problems/race conditions there.
> 
> An audit is probably needed; I hear a couple of distributions ship kdm as
> default, and also leave it answering UDP xdmcp requests by default(!)
> 
> Cheers
> Chris

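As an added illustration (this is not code from the original post, nor xdm's or
kdm's own source), here is how the send_failed() formatting quoted above can be
bounded so an oversize display name cannot run past the 256-byte buffer; the
function names, the demo input and the 600-byte name are mine, not xdm's:

```c
#include <stdio.h>
#include <string.h>

/* The quoted xdm code did:
 *     static char buf[256];
 *     sprintf (buf, "Session %d failed for display %s: %s",
 *              (int)sessionID, name, reason);
 * with no bound on "name", which comes from the remote display.
 * snprintf() writes at most bufsz bytes including the NUL and returns the
 * length the full message would have needed, so truncation is detectable.
 * Returns 1 if the message fit, 0 if it was truncated or formatting failed. */
#define FAIL_MSG_LEN 256

int format_session_failed(char *buf, size_t bufsz, int sessionID,
                          const char *name, const char *reason)
{
    int n = snprintf(buf, bufsz, "Session %d failed for display %s: %s",
                     sessionID, name, reason);
    if (n < 0) {                      /* encoding/format error */
        if (bufsz) buf[0] = '\0';
        return 0;
    }
    return (size_t)n < bufsz;         /* 1 = fit, 0 = truncated */
}

/* Constructed demo: a normal display name, then a 599-byte one (hypothetical
 * hostile input). Returns 1 if both cases behaved as expected. */
int demo(void)
{
    char buf[FAIL_MSG_LEN];
    char longname[600];
    const char *expect =
        "Session 7 failed for display host.example:0: no free sessions";

    memset(longname, 'A', sizeof longname - 1);
    longname[sizeof longname - 1] = '\0';

    if (!format_session_failed(buf, sizeof buf, 7, "host.example:0",
                               "no free sessions")) return 0;
    if (strcmp(buf, expect) != 0) return 0;

    /* Oversize name: reported as truncated, buf still NUL-terminated
     * inside its 256 bytes (with sprintf this would have overflowed). */
    if (format_session_failed(buf, sizeof buf, 7, longname,
                              "no free sessions")) return 0;
    if (strlen(buf) != FAIL_MSG_LEN - 1) return 0;
    return 1;
}

int main(void)
{
    printf("bounded formatting %s\n", demo() ? "ok" : "FAILED");
    return demo() ? 0 : 1;
}
```

A caller that sees the 0 return should log the truncation rather than treat the
message as complete; the important property is that the buffer is never
overrun, whatever length the remote side supplies.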