Darryl,

        I don't think I made myself clear enough: if you need X, then
port 6000 and some of the adjacent ones _must_ be working. X will not work
without this. If, by some method, you succeeded in completely blocking off
this port, X would have broken on your machine.

        As regards whether xauth is sufficient, the answer is "it
depends". For normal use, where all users using X clients are local users,
xauth is probably good enough. For remote users, it is less so. Here is a
snippet from the Debian manpage for 'xauth':

       Users that have unsecure networks should take care to use
       encrypted file transfer mechanisms to copy authorization
       entries between machines. Similarly, the MIT-MAGIC-COOKIE-1
       protocol is not very useful in unsecure environments. Sites
       that are interested in additional security may need to use
       encrypted authorization mechanisms such as Kerberos.

        One example of the "encrypted file transfer mechanisms" referred
to in the first line is 'sshd'. So you might want to consider using that
too.

        If your distribution (it's been a long time since I messed around
with Red Hat) is any good at all, then its default setup would be enough to
secure your box against local X-based attacks.

<soapbox>
        Remember, half-hearted security measures are worse than none. With
no security, you know that your box is insecure and won't trust it with
anything critical. Half-hearted security can deceive you into thinking
that your box is secure, when it really isn't. In order to really
implement security, you _must_ understand what you are doing. Without
understanding, any security will be due to luck - and luck doesn't last
very long. So get hold of all security-related HOWTOs, books, etc. and READ!
</soapbox>

Regards,
Kenneth

On Sun, 30 Jan 2000, 1stFlight ! wrote:

> Okay, I use gdm for my login and I've found no way to turn off port 6000 or, in
> this case, make it not listen on that port. I'm using xauth security (Red Hat
> 6.0), but is that enough to guarantee only authorized access on that port?
> Thanks.
> 
> Kenneth Stephen wrote:
> 
> > Darryl,
> >
> >         One of the first things that need to be done to secure a box is to
> > block all un-needed ports. If you will never need to run an ftp server, for
> > example, don't run the daemon.
> >
> >         The X server typically listens at port 6000 for client
> > connections. Blocking this port is as simple as not running an X server.
> > If you are running xdm (which provides an X login prompt at boot up),
> > switch to a command line login (for which you need to change the default
> > runlevel - see man inittab).
> >
> >         If, on the other hand, you do need to run X clients, enforce
> > security. The first approximation to this is an xhost (see man xhost)
> > based security. This is not really very secure. The preferred security
> > mechanism is xauth - and chances are your distribution already uses it. If
> > you are using an xterm, and you 'su' to a user other than the one which
> > started up the X session, and execute an X client (xclock, netscape, etc.),
> > a message having to do with MIT-MAGIC cookies indicates xauth-based
> > authentication.
> >
> >         If you are really, really interested in securing your box, I would
> > suggest you start reading all security related materials and BUGTRAQ.
> > There are plenty of linux and security oriented webpages out there. The
> > linux-net mailing list would also be more suitable, because that is where
> > the experts hang out.
> >
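An added audit helper for the situation discussed in this thread (not code from either poster): it reads saved `netstat -ltn` and `xauth list` output, reports each listening X display socket (TCP 6000-6009) by bind address, and checks whether a TCP-reachable MIT-MAGIC-COOKIE-1 entry exists for that display. The sample netstat and xauth text is constructed, and the cookie value is a placeholder.

```shell
#!/bin/sh
# Added X display audit helper; not from the original posts.
# x_listeners: which X display ports are open and whether they are bound to
# loopback only ("local") or to a network address ("network").
# has_cookie:  whether xauth holds a TCP-reachable MIT-MAGIC-COOKIE-1 entry
# for a given display number.

# Constructed sample of `netstat -ltn` output (not captured from a real host).
SAMPLE_NETSTAT='Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:6000            0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:6001          0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN'

# Constructed sample of `xauth list` output (cookie value is a placeholder).
SAMPLE_XAUTH='myhost/unix:0  MIT-MAGIC-COOKIE-1  0123456789abcdef0123456789abcdef
myhost:0  MIT-MAGIC-COOKIE-1  0123456789abcdef0123456789abcdef'

# x_listeners NETSTAT_TEXT -> one line per X display socket: "display addr scope"
x_listeners() {
    printf '%s\n' "$1" | awk '$NF == "LISTEN" {
        n = split($4, a, ":"); port = a[n] + 0
        if (port < 6000 || port > 6009) next
        addr = substr($4, 1, length($4) - length(a[n]) - 1)
        scope = (addr == "127.0.0.1" || addr == "::1") ? "local" : "network"
        print port - 6000, addr, scope
    }'
}

# has_cookie XAUTH_TEXT DISPLAY -> exit 0 if an entry host:DISPLAY (not the
# host/unix:DISPLAY socket entry) with protocol MIT-MAGIC-COOKIE-1 exists.
has_cookie() {
    printf '%s\n' "$1" | awk -v d="$2" '
        $2 == "MIT-MAGIC-COOKIE-1" && index($1, "/unix:") == 0 && $1 ~ (":" d "$") { found = 1 }
        END { exit found ? 0 : 1 }'
}

# audit NETSTAT_TEXT XAUTH_TEXT -> one finding line per X display socket.
audit() {
    x_listeners "$1" | while read -r disp addr scope; do
        if has_cookie "$2" "$disp"; then auth=cookie; else auth=NO-COOKIE; fi
        echo "display :$disp on $addr ($scope) auth=$auth"
    done
}

audit "$SAMPLE_NETSTAT" "$SAMPLE_XAUTH"
```

A "network" listener whose only protection is the cookie is exactly the case the xauth manpage quoted above warns about: the cookie travels in clear over the wire, so pair it with an encrypted channel such as ssh.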
