public inbox for cygwin-xfree@sourceware.org
* Restricting Port 6000 access in Cygwin/X
@ 2013-12-09 14:37 Kevin Brown
  2013-12-09 15:27 ` Jon TURNEY
  0 siblings, 1 reply; 2+ messages in thread
From: Kevin Brown @ 2013-12-09 14:37 UTC (permalink / raw)
  To: cygwin-xfree

My company recently sent an audit finding requesting for our Cygwin/X users with a finding of the following;
 
"The remote host is running an X11 server.  X11 is a client-server protocol that can be used to display graphical applications running on a given host on a remote client.   Since the X11 traffic is not ciphered, it is possible for an attacker to eavesdrop on the connection."
 
The suggested solution was;
 
"Restrict access to this port. If the X11 client/server facility is not used, disable TCP support in X11 entirely (-nolisten tcp)."
 
 
My problem is that I haven't found any information that would help me accomplish this task. I've only recently taken over support of our Cygwin users and am not well versed in the software. Can this be done without breaking the functionality of the software? If so, can you please advise on the steps to take to accomplish this?
 
Current version being used is 1.7.11-1.

Thanks,
Kevin E. Brown

Soli Deo Gloria!
--
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple
Problem reports:       http://cygwin.com/problems.html
Documentation:         http://x.cygwin.com/docs/
FAQ:                   http://x.cygwin.com/docs/faq/



* Re: Restricting Port 6000 access in Cygwin/X
  2013-12-09 14:37 Restricting Port 6000 access in Cygwin/X Kevin Brown
@ 2013-12-09 15:27 ` Jon TURNEY
  0 siblings, 0 replies; 2+ messages in thread
From: Jon TURNEY @ 2013-12-09 15:27 UTC (permalink / raw)
  To: cygwin-xfree; +Cc: cre8tivspirit

On 09/12/2013 14:37, Kevin Brown wrote:
> My company recently sent an audit finding requesting for our Cygwin/X users
> with a finding of the following;
> 
> "The remote host is running an X11 server.  X11 is a client-server protocol
> that can be used to display graphical applications running on a given host
> on a remote client.   Since the X11 traffic is not ciphered, it is possible
> for an attacker to eavesdrop on the connection."
> 
> The suggested solution was;
> 
> "Restrict access to this port. If the X11 client/server facility is not
> used, disable TCP support in X11 entirely (-nolisten tcp)."
> 
> 
> My problem is that I haven't found any information that would help me
> accomplish this task. I've only recently taken over support of our Cygwin
> users and am not well versed in the software. Can this be done without
> breaking the functionality of the software? If so, can you please
> advise on the steps to take to accomplish this?

The usual caveat applies: if you have an actual need for security, a random
person on the internet is not where you should be getting your information.

As suggested, if you start the X server with the option '-nolisten tcp' (see
'man Xserver'), then it will not accept remote connections.

There's probably something to be said for this being the default configuration
and requiring an explicit '-listen', but historically it's been this way.

If you then need to connect to remote clients, use ssh forwarding, see [1].

[1] http://x.cygwin.com/docs/ug/using-remote-apps.html

-- 
Jon TURNEY
Volunteer Cygwin/X X Server maintainer
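
A way to confirm the result of the '-nolisten tcp' change discussed in this thread, as an added example that is not part of either message or of Cygwin/X: it scans `netstat -an` text for TCP listeners in the X11 port range and marks each as loopback or exposed. The function names, the 6000-6063 range and the sample netstat output are assumptions constructed for this example.

```shell
#!/bin/sh
# Added example: list TCP listeners in the X11 port range from `netstat -an` text.
# X display :N listens on TCP port 6000+N; 6000-6063 is the range checked here
# (an assumption of this example, covering displays :0 to :63).

x11_tcp_listeners() {
    # Reads netstat -an output on stdin; prints "<display> <address> <scope>".
    awk '
    toupper($1) ~ /^TCP/ && $NF ~ /^LISTEN/ {
        # Windows netstat has 4 columns (local address is $2);
        # Linux net-tools has 6 (local address is $4).
        addr = (NF == 4) ? $2 : $4
        port = addr; sub(/.*:/, "", port)
        host = addr; sub(/:[0-9]+$/, "", host)
        if (port !~ /^[0-9]+$/) next
        p = port + 0    # force a numeric comparison, not a string one
        if (p < 6000 || p > 6063) next
        scope = (host ~ /^127\./ || host == "[::1]" || host == "::1") ? "loopback" : "exposed"
        printf ":%d %s %s\n", p - 6000, addr, scope
    }'
}

x11_exposed() {
    # Exit status 0 if any X11 listener is bound to a non-loopback address.
    x11_tcp_listeners | grep -q ' exposed$'
}

# Constructed sample input (Windows netstat format), not captured from a real host.
SAMPLE_DEFAULT='  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:6000           0.0.0.0:0              LISTENING
  TCP    [::]:6000              [::]:0                 LISTENING
  TCP    10.0.0.5:52144         10.0.0.9:22            ESTABLISHED'

# The same host after the server is restarted with -nolisten tcp (constructed).
SAMPLE_NOLISTEN='  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    10.0.0.5:52144         10.0.0.9:22            ESTABLISHED'

printf '%s\n' "$SAMPLE_DEFAULT" | x11_tcp_listeners
if printf '%s\n' "$SAMPLE_NOLISTEN" | x11_exposed; then
    echo "X11 still reachable over TCP"
else
    echo "no exposed X11 TCP listener"
fi
```

On a live machine, pipe the real output in instead of the samples: `netstat -an | x11_tcp_listeners`.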
