Re: Restricting Port 6000 access in Cygwin/X

[Jon TURNEY <jon.turney@dronecode.org.uk>]

On 09/12/2013 14:37, Kevin Brown wrote:
> My company recently sent an audit finding requesting for our Cygwin/X users
> with a finding of the following;
> 
> "The remote host is running an X11 server.  X11 is a client-server protocol
> that can be used to display graphical applications running on a given host
> on a remote client.   Since the X11 traffic is not ciphered, it is possible
> for an attacker to eavesdrop on the connection."
> 
> The suggested solution was;
> 
> "Restrict access to this port. If the X11 client/server facility is not
> used, disable TCP support in X11 entirely (-nolisten tcp)."
> 
> 
> My problem is that I haven't found any information that would help me
> accomplish this task. I've only recently taken over support of our Cygwin
> users and am not well versed in the software. Can this be done without
> breaking the functionality of the the software? If so, can you please
> advise on the steps to take to accomplish this?

The usual caveat applies: if you have an actual need for security, a random
person on the internet is not where you should be getting your information.

As suggested, if you start the X server with the option '-nolisten tcp' (see
'man Xserver'), then it will not accept remote connections.

There's probably something to be said for this being the default configuration
and requiring an explicit '-listen', but historically it's been this way.

If you then need to connect to remote clients, use ssh forwarding, see [1].

[1] http://x.cygwin.com/docs/ug/using-remote-apps.html

-- 
Jon TURNEY
Volunteer Cygwin/X X Server maintainer

--
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple
Problem reports:       http://cygwin.com/problems.html
Documentation:         http://x.cygwin.com/docs/
FAQ:                   http://x.cygwin.com/docs/faq/