On 09/12/2013 14:37, Kevin Brown wrote:
> My company recently sent an audit finding requesting for our Cygwin/X users
> with a finding of the following;
>
> "The remote host is running an X11 server. X11 is a client-server protocol
> that can be used to display graphical applications running on a given host
> on a remote client. Since the X11 traffic is not ciphered, it is possible
> for an attacker to eavesdrop on the connection."
>
> The suggested solution was;
>
> "Restrict access to this port. If the X11 client/server facility is not
> used, disable TCP support in X11 entirely (-nolisten tcp)."
>
>
> My problem is that I haven't found any information that would help me
> accomplish this task. I've only recently taken over support of our Cygwin
> users and am not well versed in the software. Can this be done without
> breaking the functionality of the software? If so, can you please
> advise on the steps to take to accomplish this?

The usual caveat applies: if you have an actual need for security, a random
person on the internet is not where you should be getting your information.

As suggested, if you start the X server with the option '-nolisten tcp' (see
'man Xserver'), then it will not accept remote connections.

There's probably something to be said for this being the default
configuration and requiring an explicit '-listen', but historically it's
been this way.

If you then need to connect to remote clients, use ssh forwarding, see [1].

[1] http://x.cygwin.com/docs/ug/using-remote-apps.html

--
Jon TURNEY
Volunteer Cygwin/X X Server maintainer
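
Added example, not part of the original message or of the Cygwin/X project: a shell check that reads `netstat -an` output and reports whether an X server is still accepting TCP connections, which is one way to confirm the `-nolisten tcp` change discussed above took effect. The netstat lines are constructed samples, and the port range 6000-6063 (displays :0 to :63) is an assumption.

```shell
#!/bin/sh
# Added example: list TCP listeners in the X11 display range from
# `netstat -an` text on stdin. Output: "<display> <port> <scope>" per
# listener; no output means no X11 TCP listener was found.
# Usage: netstat -an | x11_tcp_listeners
x11_tcp_listeners() {
    awk '
        toupper($0) ~ /LISTEN/ {
            for (i = 1; i <= NF; i++) {
                # The first field ending in ":<port>" is the local address
                # in both the Windows and the Linux netstat layouts.
                if ($i ~ /:[0-9]+$/) {
                    addr = $i; port = $i
                    sub(/:[0-9]+$/, "", addr)
                    sub(/.*:/, "", port)
                    port += 0
                    if (port >= 6000 && port <= 6063) {  # assumed range
                        lo = (addr ~ /^127\./ || addr == "[::1]" || addr == "::1")
                        print ":" (port - 6000), port, (lo ? "loopback" : "exposed")
                    }
                    break
                }
            }
        }' | sort -u
}

# Constructed sample: Windows netstat output, X server listening on TCP.
sample_listening() {
    cat <<'EOF'
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:6000           0.0.0.0:0              LISTENING
  TCP    [::]:6000              [::]:0                 LISTENING
  TCP    192.0.2.10:6000        192.0.2.20:51515       ESTABLISHED
EOF
}

# Constructed sample: same host after a restart with -nolisten tcp.
sample_nolisten() {
    cat <<'EOF'
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
EOF
}

# Succeeds (exit 0) when a non-loopback X11 listener is present.
x11_tcp_exposed() {
    x11_tcp_listeners | grep -q ' exposed$'
}
```

A listener bound only to a loopback address is reported with scope `loopback` and does not make `x11_tcp_exposed` succeed.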
