Restricting Port 6000 access in Cygwin/X
Jon TURNEY
jon.turney@dronecode.org.uk
Mon Dec 9 15:27:00 GMT 2013
On 09/12/2013 14:37, Kevin Brown wrote:
> My company recently sent an audit finding requesting for our Cygwin/X users
> with a finding of the following;
>
> "The remote host is running an X11 server. X11 is a client-server protocol
> that can be used to display graphical applications running on a given host
> on a remote client. Since the X11 traffic is not ciphered, it is possible
> for an attacker to eavesdrop on the connection."
>
> The suggested solution was;
>
> "Restrict access to this port. If the X11 client/server facility is not
> used, disable TCP support in X11 entirely (-nolisten tcp)."
>
>
> My problem is that I haven't found any information that would help me
> accomplish this task. I've only recently taken over support of our Cygwin
> users and am not well versed in the software. Can this be done without
> breaking the functionality of the the software? If so, can you please
> advise on the steps to take to accomplish this?
The usual caveat applies: if you have an actual need for security, a random
person on the internet is not where you should be getting your information.
As suggested, if you start the X server with the option '-nolisten tcp' (see
'man Xserver'), then it will not accept remote connections.
There's probably something to be said for this being the default configuration
and requiring an explicit '-listen', but historically it's been this way.
If you then need to connect to remote clients, use ssh forwarding, see [1].
[1] http://x.cygwin.com/docs/ug/using-remote-apps.html
--
Jon TURNEY
Volunteer Cygwin/X X Server maintainer
--
Unsubscribe info: http://cygwin.com/ml/#unsubscribe-simple
Problem reports: http://cygwin.com/problems.html
Documentation: http://x.cygwin.com/docs/
FAQ: http://x.cygwin.com/docs/faq/
More information about the Cygwin-xfree
mailing list