Re: X Security Issues? [SOLVED]

2002-11-22 Thread Peter Cordes
On Tue, Nov 19, 2002 at 09:35:36PM -0500, Edward Guldemond wrote:
> On Wed, Nov 20, 2002 at 02:47:13AM +0100, Olaf Dietsche wrote:
> > Well, it seems I should heed my own advice ;-). man xinit doesn't
> > mention xserverrc, maybe this is a debian thing. But it does mention
> > $HOME/.xserverrc; try to link or copy /etc/X11/xinit/xserverrc to your
> > home dir as .xserverrc and start xinit again.
> 
> Actually, I noticed something interesting when I was testing this out
> on my home box.  When I used "startx", X didn't listen on TCP.  When I
> used xinit, it did.  I guess that xserverrc only gets read when you use
> startx.
> 

 startx checks for the existence of files like xserverrc, and puts them on
xinit's command line if they exist.  xinit only looks for .files in ~, not
system-wide ones.

 XDM/KDM/GDM use the same xserverrc files as Debian's startx.  Debian's
xserverrc includes -nolisten tcp, so that it's in effect by default unless
you use a non-standard method of starting X.


> I don't know if this is a bug or feature, but it's interesting none
> the less.

 I think it's sub-optimal, but hard to fix without changing the expected
behaviour of some programs.  (Either making xinit look for xserverrc, or
making X symlink point to a script instead of the server (actually, to
Xwrapper, I think).)

 simple answer: just use startx or *DM unless you want to customize your
X-starting setup.

-- 
#define X(x,y) x##y
Peter Cordes ;  e-mail: X([EMAIL PROTECTED] , ns.ca)

"The gods confound the man who first found out how to distinguish the hours!
 Confound him, too, who in this place set up a sundial, to cut and hack
 my day so wretchedly into small pieces!" -- Plautus, 200 BC
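
The lookup order described in the message above, as an added example that is not part of the original thread: a small audit that predicts, per start method, whether the X server would be launched with `-nolisten tcp`. The function names and the `ROOT`/`HOME_DIR` parameters are hypothetical, and the sample tree is constructed.

```shell
#!/bin/sh
# Added example, not from the thread. Predicts whether X would listen on TCP
# for each start method, using the lookup order described above:
#   startx: ~/.xserverrc if present, else the system-wide xserverrc
#   xinit : ~/.xserverrc only; with none, the bare server and no options
# Assumption: a server started without "-nolisten tcp" opens 6000/tcp, as
# observed in this thread.

# server_cmd FILE -> arguments of the first "exec" line in an xserverrc file
server_cmd() {
    sed -n 's/^[[:space:]]*exec[[:space:]]\{1,\}//p' "$1" | head -n 1
}

# has_nolisten_tcp "CMDLINE" -> status 0 if it contains "-nolisten tcp"
has_nolisten_tcp() {
    case " $(printf '%s' "$1" | tr -s ' \t' '  ') " in
        *" -nolisten tcp "*) return 0 ;;
    esac
    return 1
}

# audit_x_start METHOD ROOT HOME_DIR -> prints tcp-disabled or tcp-listening
# ROOT is prepended to /etc so the check can run against a test tree.
audit_x_start() {
    method=$1 root=$2 home=$3 rc=
    if [ -f "$home/.xserverrc" ]; then
        rc=$home/.xserverrc
    elif [ "$method" = startx ] && [ -f "$root/etc/X11/xinit/xserverrc" ]; then
        rc=$root/etc/X11/xinit/xserverrc
    fi
    if [ -n "$rc" ] && has_nolisten_tcp "$(server_cmd "$rc")"; then
        echo tcp-disabled
    else
        echo tcp-listening
    fi
}

# Constructed sample tree: system xserverrc as quoted in the thread,
# and no ~/.xserverrc in the user's home directory.
demo() {
    t=$(mktemp -d) || return 1
    mkdir -p "$t/etc/X11/xinit" "$t/home"
    printf 'exec /usr/bin/X11/X -dpi 100 -nolisten tcp\n' \
        > "$t/etc/X11/xinit/xserverrc"
    for m in startx xinit; do
        printf '%s: %s\n' "$m" "$(audit_x_start "$m" "$t" "$t/home")"
    done
    rm -rf "$t"
}
demo
```

To check a live machine, call `audit_x_start xinit "" "$HOME"` and confirm the result against the listening sockets the thread suggests inspecting with netstat.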



Re: X Security Issues? [SOLVED]

2002-11-20 Thread InfoEmergencias - Luis Gómez
On Wed, 20-11-2002 at 03:35, Edward Guldemond wrote:
> Actually, I noticed something interesting when I was testing this out
> on my home box.  When I used "startx", X didn't listen on TCP.  When I
> used xinit, it did.  I guess that xserverrc only gets read when you use
> startx.

IIRC, they advise of that when debconf'ing some X packages

Regards

Pope

-- 
Luis Gómez Miralles
InfoEmergencias - Technical Department
Phone (+34) 654 24 01 34
Fax (+34) 963 49 31 80
[EMAIL PROTECTED]

PGP Public Key available at http://www.infoemergencias.com/lgomez.asc



Re: X Security Issues? [SOLVED]

2002-11-19 Thread Edward Guldemond
On Wed, Nov 20, 2002 at 02:47:13AM +0100, Olaf Dietsche wrote:
> Well, it seems I should heed my own advice ;-). man xinit doesn't
> mention xserverrc, maybe this is a debian thing. But it does mention
> $HOME/.xserverrc; try to link or copy /etc/X11/xinit/xserverrc to your
> home dir as .xserverrc and start xinit again.

Actually, I noticed something interesting when I was testing this out
on my home box.  When I used "startx", X didn't listen on TCP.  When I
used xinit, it did.  I guess that xserverrc only gets read when you use
startx.

I don't know if this is a bug or feature, but it's interesting none
the less.

Thanks everyone for the help.

-- 
--
Edward Guldemond

GPG Key: 0x4E505B0F
Key fingerprint:  4CAC 6740 C1CD 3CE4 6CA0
  34E9 B3B7 18EC 4E50 5B0F



Re: X Security Issues?

2002-11-19 Thread Olaf Dietsche
Edward Guldemond <[EMAIL PROTECTED]> writes:

> On Wed, Nov 20, 2002 at 12:53:27AM +0100, Olaf Dietsche wrote:
>> 
>> Look at "man xinit" and "man Xserver". There you will find an option
>> "-nolisten".
>
> In /etc/X11/xinit/xserverrc, I have the following line:
> exec /usr/bin/X11/X -dpi 100 -nolisten tcp
>
> So why is X still listening on TCP?

Well, it seems I should heed my own advice ;-). man xinit doesn't
mention xserverrc, maybe this is a debian thing. But it does mention
$HOME/.xserverrc; try to link or copy /etc/X11/xinit/xserverrc to your
home dir as .xserverrc and start xinit again.

Regards, Olaf.



Re: X Security Issues?

2002-11-19 Thread Edward Guldemond
On Tue, Nov 19, 2002 at 04:51:03PM -0800, Rick Moen wrote:
> Quoting Edward Guldemond ([EMAIL PROTECTED]):
> 
> > In /etc/X11/xinit/xserverrc, I have the following line:
> > exec /usr/bin/X11/X -dpi 100 -nolisten tcp
> > 
> > So why is X still listening on TCP?
> 
> Because xdm/kdm/gdm don't heed /etc/X11/xinit/xserverrc, but rather 
> /etc/X11/xdm/Xservers ?

I am not running xdm/kdm/gdm though.  I am using startx from the
console.  At any rate, I blocked these at the firewall level because,
although I didn't notice any obvious attack that could cause a major
problem, I was wary about leaving them open.

> It's not obvious why this necessitates an X11 server on the firewall.
> In the unlikely event that you need to run an X11 application from 
> it, do "ssh -X firewallhost" and image the X11 app onto your
> non-firewall workstation.

I have two people working in this office.  This is just a network that
I maintain.  Currently, the company this is for (a small office),
cannot afford a firewall machine, and isn't really keen on spending
more on their network than is absolutely necessary.  Trust me, I've
tried to get them to stop, but, hey, it's their network that I just
happen to maintain.

-- 
--
Edward Guldemond

GPG Key: 0x4E505B0F
Key fingerprint:  4CAC 6740 C1CD 3CE4 6CA0
  34E9 B3B7 18EC 4E50 5B0F



Re: X Security Issues?

2002-11-19 Thread Rick Moen
Quoting Edward Guldemond ([EMAIL PROTECTED]):

> In /etc/X11/xinit/xserverrc, I have the following line:
> exec /usr/bin/X11/X -dpi 100 -nolisten tcp
> 
> So why is X still listening on TCP?

Because xdm/kdm/gdm don't heed /etc/X11/xinit/xserverrc, but rather 
/etc/X11/xdm/Xservers ?

>> When this is your firewall, you might consider stopping X11 and not
>> using this as a desktop machine at all. Every program running and
>> every tool installed, might be used by an attacker against you.
> 
> I realize that, however, since both machines are needed for work, I
> don't really have a choice.

It's not obvious why this necessitates an X11 server on the firewall.
In the unlikely event that you need to run an X11 application from 
it, do "ssh -X firewallhost" and image the X11 app onto your
non-firewall workstation.

But suit yourself.

-- 
Cheers, "Get the facts first.  You can distort them later."
Rick Moen -- Mark Twain
[EMAIL PROTECTED]



Re: X Security Issues?

2002-11-19 Thread Edward Guldemond
On Wed, Nov 20, 2002 at 12:53:27AM +0100, Olaf Dietsche wrote:
> > Now, are there any security implications of having this port open?  (I
> > am nmap'ing this box's external Internet interface as it is my ipmasq
> > box.)  If so, what files do I have to edit to get rid of it?  I don't
> > need X listening on this interface.
> 
> This depends on the startup method (and maybe distribution), as you
> already noticed. With xdm (and debian) it is /etc/X11/xdm/Xservers.
> With xinit it is /etc/X11/xinit/xserverrc.
> 
> Look at "man xinit" and "man Xserver". There you will find an option
> "-nolisten".

In /etc/X11/xinit/xserverrc, I have the following line:
exec /usr/bin/X11/X -dpi 100 -nolisten tcp

So why is X still listening on TCP?

> When this is your firewall, you might consider stopping X11 and not
> using this as a desktop machine at all. Every program running and
> every tool installed, might be used by an attacker against you.

I realize that, however, since both machines are needed for work, I
don't really have a choice.  Thanks for your help though.

-- 
--
Edward Guldemond

GPG Key: 0x4E505B0F
Key fingerprint:  4CAC 6740 C1CD 3CE4 6CA0
  34E9 B3B7 18EC 4E50 5B0F



Re: X Security Issues?

2002-11-19 Thread Olaf Dietsche
Edward Guldemond <[EMAIL PROTECTED]> writes:

> Starting nmap V. 2.54BETA31 ( www.insecure.org/nmap/ )
> Interesting ports on (removed) (XX.XX.XXX.XX):
> (The 1552 ports scanned but not shown below are in state: closed)
> Port       State       Service
> 22/tcp     open        ssh
> 1024/tcp   open        kdm
[...]
> Port       State       Service
> 22/tcp     open        ssh
[...]
> Port       State       Service
> 22/tcp     open        ssh
> 6000/tcp   open        X11

You can see open ports with "netstat -atuw", too.

> Now, are there any security implications of having this port open?  (I
> am nmap'ing this box's external Internet interface as it is my ipmasq
> box.)  If so, what files do I have to edit to get rid of it?  I don't
> need X listening on this interface.

This depends on the startup method (and maybe distribution), as you
already noticed. With xdm (and debian) it is /etc/X11/xdm/Xservers.
With xinit it is /etc/X11/xinit/xserverrc.

Look at "man xinit" and "man Xserver". There you will find an option
"-nolisten".

When this is your firewall, you might consider stopping X11 and not
using this as a desktop machine at all. Every program running and
every tool installed, might be used by an attacker against you.

Regards, Olaf.



X Security Issues?

2002-11-19 Thread Edward Guldemond
All,

I was doing a routine nmap of my network today, and noticed when I
nmap'd a box running KDE that the following showed up:

Starting nmap V. 2.54BETA31 ( www.insecure.org/nmap/ )
Interesting ports on (removed) (XX.XX.XXX.XX):
(The 1552 ports scanned but not shown below are in state: closed)
Port       State       Service
22/tcp     open        ssh
1024/tcp   open        kdm

I'm not running KDM, but I do have the KDE desktop up.  When nmap'ing
the same box when KDE is not running, I get:

Starting nmap V. 2.54BETA31 ( www.insecure.org/nmap/ )
Interesting ports on (removed) (XX.XX.XXX.XX):
(The 1553 ports scanned but not shown below are in state: closed)
Port       State       Service
22/tcp     open        ssh

And with a simple "xinit", I get:

Starting nmap V. 2.54BETA31 ( www.insecure.org/nmap/ )
Interesting ports on (removed) (XX.XX.XXX.XX):
(The 1552 ports scanned but not shown below are in state: closed)
Port       State       Service
22/tcp     open        ssh
6000/tcp   open        X11

Now, are there any security implications of having this port open?  (I
am nmap'ing this box's external Internet interface as it is my ipmasq
box.)  If so, what files do I have to edit to get rid of it?  I don't
need X listening on this interface.

Thanks!

-- 
--
Edward Guldemond

GPG Key: 0x4E505B0F
Key fingerprint:  4CAC 6740 C1CD 3CE4 6CA0
  34E9 B3B7 18EC 4E50 5B0F
