X-server listening


Uiler

Hi!

 

I was wondering if anyone could help me with something. I'm running mandrake 9.1. I used Nmap to do a portscan of my machine and the only open ports are sunrpc and the X-server listening to the network. I don't have any servers running, not even ssh. Do these open ports constitute a security hazard?

 

Thanks!

Uiler

Link to comment
Share on other sites

The X window system works in a server/client manner. So if you can read that, then the port is open. The security risk is when others can connect to your X window system. To know if others can connect to you, search Google for 'security test' and run one of those port scans. This way you'll know if those ports are open, closed or stealth.

 

Good luck !

 

MOttS

Link to comment
Share on other sites

Never trust nmap when you run it on the same machine you are auditing, because nmap will tell you all the info of your localhost through your loopback interface (skipping any firewall you have). If you have the chance, run nmap against your machine from a computer in the outside world.

 

In the case of port 6000 (X), I read somewhere that it is secure, though if you want to disable it, follow these instructions:

 

How-to Close Port 6000 --X-- (Open by default) **From the very old board!!!** :shock:

 

I'll quote it, just to prevent another board disappearance:

 

Close Port 6000 --X-- (Open by default)

 

Error scenario: X is accepting connections by default (MDK 8.1 and previous releases). The port that is open by default is 6000/tcp. Indeed this is not an error, it is just a feature of X, but for those of us that don't want to accept external connections it is a bit annoying.

 

Solution: TCP/IP connections can be disabled with the option -nolisten tcp passed to the server. (ie "startx -- -nolisten tcp")

 

How to fix it if you log in using XDM or derivatives (KDM or GDM), runlevel 5:

 

Add the string -nolisten tcp to the command line in '/etc/X11/xdm/Xservers' and restart X.

 

Having restarted X, run netstat -lnA inet as 'root' and you will see that port 6000 is not listed anymore.

 

Notice that this option is set by default in Mandrake Linux 8.2.

 

More info in Closing Port 6000 (X) In Mandrake Linux 8.1 Mandrake Forum, by tom [http://www.mandrakeforum.com/article.php?sid=1912?=en]

 

I post this here because, a couple of months ago, I answered this question (in Desktop) pointing to the use of iptables, since some other fixes could prevent su (root) from launching applications on a normal user's display... This fix is easier

 

For those that use GDM instead of XDM (like me), you'll need to add that string to the server section in /etc/X11/gdm/gdm.conf

_________________

Imagination is a quality given a man to compensate him for what he is not, and a sense of humor was provided to console him for what he is.

O. Wilde (of course)

 

[ This Message was edited by: arusabal on 2002-03-05 10:01 ]

Link to comment
Share on other sites

Thanks very much arusabal! That worked wonders!

 

Of course now unfortunately, running the netstat -lnA inet command, I see that port 32768 is running (though it doesn't show up in nmap...)

 

Any ideas?

 

tcp 0 0 127.0.0.1:32768 0.0.0.0:* LISTEN

Link to comment
Share on other sites


If you add the -p flag to your netstat command you'll get the pid and the program name of the process that opened that port. In the case that netstat only shows the pid number, you can use that number to quickly know which program has that pid number (using ps).

 

For example (step by step :P):

After issuing your command I've noticed that I have the port 3306 listening something, and I wonder why, so I can do something like this:

 

~# netstat -lnpA inet | egrep "PID|3306"
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:3306            0.0.0.0:*               LISTEN      8418/
~# ps aux | grep "[8]418"
mysql     8418  0.0  1.9 27048 4992 ?        S    Apr26   0:00 [mysqld]
~#

 

See, it was opened by mysqld

Link to comment
Share on other sites

Hi!

 

Thanks! I tried it and now it seems that it has disappeared though now there is a "new" unexplained "service":

 

Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name

udp 0 0 0.0.0.0:852 0.0.0.0:* 1524/xinetd

 

it seems that "xinetd" is listening at that port. From the man file, "xinetd" is something which handles network connections (which doesn't provide much enlightenment...).

 

The specific xinetd command it is running (from the pid) is

 

xinetd -stayalive -reuse -pidfile /var/run/xinetd.pid

 

which as far as I can work out from the man file just means that xinetd is running. It doesn't really tell much about what specific service xinetd is controlling that is listening at that port.

 

I've been doing a google search on 32768 and I really can't come up with much. People seem to use it for different things (I've seen ssh, kde amongst other candidates). One suggestion I saw is that it may actually be listening to localhost.

Link to comment
Share on other sites


An open port is only a security risk if there is a known vulnerability and the services are not properly patched against a possible exploit in the service. Yes, there have been a few against both X and RPC. General rule of thumb is that if you don't require the service to be running, then disable the ports, and use a firewall to control the incoming requests to these services. Cheers

Link to comment
Share on other sites
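Added example (not part of any post in this thread): a small shell function that reads `netstat -lnpA inet` output and marks each listening socket as LOCAL (bound to 127.x, reachable only through loopback) or EXPOSED (bound to a network-facing address), handling the udp rows that have no State column. The sample input is constructed from the lines quoted in the thread; the `0.0.0.0:6000` row and its PID are assumptions standing in for an X server started without `-nolisten tcp`.

```shell
#!/bin/sh
# Classify listening sockets from `netstat -lnpA inet` output (IPv4 only).
# Reads netstat output on stdin and prints one line per socket:
#   EXPOSED|LOCAL <proto> <port> <pid/program>
classify_listeners() {
    awk '
    $1 != "tcp" && $1 != "udp" { next }      # skip header and banner lines
    $1 == "tcp" && $6 != "LISTEN" { next }   # tcp: keep listening sockets only
    {
        addr = $4
        n = split(addr, parts, ":")
        port = parts[n]
        host = substr(addr, 1, length(addr) - length(port) - 1)
        # udp rows have no State column, so the owner is field 6, not field 7
        owner = ($1 == "tcp") ? $7 : $6
        if (owner == "") owner = "-"         # netstat was run without -p
        scope = (host ~ /^127\./) ? "LOCAL" : "EXPOSED"
        print scope, $1, port, owner
    }'
}

# Constructed sample input. Rows for ports 32768, 3306 and 852 follow the
# output quoted in the thread; the port 6000 row and PID 1201 are made up.
sample_netstat() {
cat <<'EOF'
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:6000            0.0.0.0:*               LISTEN      1201/X
tcp        0      0 127.0.0.1:32768         0.0.0.0:*               LISTEN      -
tcp        0      0 0.0.0.0:3306            0.0.0.0:*               LISTEN      8418/
udp        0      0 0.0.0.0:852             0.0.0.0:*                           1524/xinetd
EOF
}

# On a live system, as root: netstat -lnpA inet | classify_listeners
sample_netstat | classify_listeners
```

Only the EXPOSED rows are candidates for disabling or firewalling; a LOCAL row such as 127.0.0.1:32768 accepts connections from the machine itself only.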
