public inbox for
help / color / mirror / Atom feed
From: Jon TURNEY <>
Subject: Re: Restricting Port 6000 access in Cygwin/X
Date: Mon, 09 Dec 2013 15:27:00 -0000	[thread overview]
Message-ID: <> (raw)
In-Reply-To: <BAY178-W360DBF8F8D31BB19078A8881D30@phx.gbl>

On 09/12/2013 14:37, Kevin Brown wrote:
> My company recently sent an audit finding requesting for our Cygwin/X users
> with a finding of the following;
> "The remote host is running an X11 server.  X11 is a client-server protocol
> that can be used to display graphical applications running on a given host
> on a remote client.   Since the X11 traffic is not ciphered, it is possible
> for an attacker to eavesdrop on the connection."
> The suggested solution was;
> "Restrict access to this port. If the X11 client/server facility is not
> used, disable TCP support in X11 entirely (-nolisten tcp)."
> My problem is that I haven't found any information that would help me
> accomplish this task. I've only recently taken over support of our Cygwin
> users and am not well versed in the software. Can this be done without
> breaking the functionality of the the software? If so, can you please
> advise on the steps to take to accomplish this?

The usual caveat applies: if you have an actual need for security, a random
person on the internet is not where you should be getting your information.

As suggested, if you start the X server with the option '-nolisten tcp' (see
'man Xserver'), then it will not accept remote connections.

There's probably something to be said for this being the default configuration
and requiring an explicit '-listen', but historically it's been this way.

If you then need to connect to remote clients, use ssh forwarding, see [1].


Volunteer Cygwin/X X Server maintainer

Unsubscribe info:
Problem reports:

      reply	other threads:[~2013-12-09 15:27 UTC|newest]

Thread overview: 2+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2013-12-09 14:37 Kevin Brown
2013-12-09 15:27 ` Jon TURNEY [this message]

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \ \ \ \ \

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).