Message-ID: <52A5E17B.7010705@dronecode.org.uk>
Date: Mon, 09 Dec 2013 15:27:00 -0000
From: Jon TURNEY
Reply-To: cygwin-xfree
To: cygwin-xfree@cygwin.com
CC: cre8tivspirit@live.com
Subject: Re: Restricting Port 6000 access in Cygwin/X

On 09/12/2013 14:37, Kevin Brown wrote:
> My company recently sent an audit finding requesting for our Cygwin/X users
> with a finding of the following;
>
> "The remote host is running an X11 server. X11 is a client-server protocol
> that can be used to display graphical applications running on a given host
> on a remote client. Since the X11 traffic is not ciphered, it is possible
> for an attacker to eavesdrop on the connection."
>
> The suggested solution was;
>
> "Restrict access to this port. If the X11 client/server facility is not
> used, disable TCP support in X11 entirely (-nolisten tcp)."
>
>
> My problem is that I haven't found any information that would help me
> accomplish this task. I've only recently taken over support of our Cygwin
> users and am not well versed in the software. Can this be done without
> breaking the functionality of the software? If so, can you please
> advise on the steps to take to accomplish this?

The usual caveat applies: if you have an actual need for security, a random
person on the internet is not where you should be getting your information.

As suggested, if you start the X server with the option '-nolisten tcp' (see
'man Xserver'), then it will not accept remote connections.

There's probably something to be said for this being the default
configuration and requiring an explicit '-listen', but historically it's been
this way.

If you then need to connect to remote clients, use ssh forwarding, see [1].

[1] http://x.cygwin.com/docs/ug/using-remote-apps.html

--
Jon TURNEY
Volunteer Cygwin/X X Server maintainer

--
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple
Problem reports:       http://cygwin.com/problems.html
Documentation:         http://x.cygwin.com/docs/
FAQ:                   http://x.cygwin.com/docs/faq/
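
Added example (not part of the original message, and not Cygwin/X project code): a check to run after restarting the X server with '-nolisten tcp', confirming that nothing reachable from other hosts is listening on the X11 TCP ports. It assumes Windows `netstat -an` output (Proto, Local Address, Foreign Address, State) and display numbers 0 to 63, i.e. TCP ports 6000 to 6063; the function names and sample lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit `netstat -an` output for X11 TCP listeners.
# X display :N listens on TCP port 6000+N (displays 0..63 assumed here).

# Reads netstat text on stdin; prints "scope address port" per X11 listener.
x11_listeners() {
  awk '
    $1 == "TCP" && $4 == "LISTENING" {
      n = split($2, part, ":")            # port follows the last colon
      if (part[n] !~ /^[0-9]+$/) next
      p = part[n] + 0
      if (p < 6000 || p > 6063) next      # not an X11 display port
      addr = substr($2, 1, length($2) - length(part[n]) - 1)
      scope = (addr ~ /^127\./ || addr == "[::1]") ? "loopback" : "exposed"
      print scope, addr, p
    }'
}

# Exit status 0 when no X11 listener is reachable from other hosts.
x11_tcp_closed() {
  ! x11_listeners | grep -q '^exposed '
}

# Constructed sample: X server started without -nolisten tcp.
SAMPLE_LISTENING='  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:6000           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:60000          0.0.0.0:0              LISTENING
  TCP    [::]:6000              [::]:0                 LISTENING
  TCP    192.0.2.10:50122       198.51.100.5:22        ESTABLISHED
  UDP    0.0.0.0:6000           *:*'

# Constructed sample: after -nolisten tcp; the loopback-only line is there
# to show how a listener that other hosts cannot reach is classified.
SAMPLE_NOLISTEN='  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    127.0.0.1:6010         0.0.0.0:0              LISTENING
  TCP    192.0.2.10:50122       198.51.100.5:22        ESTABLISHED'

for s in "$SAMPLE_LISTENING" "$SAMPLE_NOLISTEN"; do
  if printf '%s\n' "$s" | x11_tcp_closed; then
    echo "OK: no remotely reachable X11 TCP listener"
  else
    echo "FINDING: X11 TCP listener reachable from other hosts:"
    printf '%s\n' "$s" | x11_listeners | grep '^exposed '
  fi
done
```

On a live host, pipe the real output in instead of the samples: `netstat -an | x11_listeners`.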