Question & Answer
Question
How do you disable the TCP/IP ports listened on by the X11 X server?
Cause
Some security scanning tools flag port 6000 (or another 6nnn port) because access to that port is not restricted, and the X11 protocol is not encrypted unless it is tunneled over SSH.
Answer
TERMINOLOGY:
X server: Provides the services of the hardware devices (keyboard, mouse, and monitor) to the client applications, and through them to the X user. The X server runs on the machine to which the physical display is attached.
X clients: The X11 applications (for example, xclock and xterm) invoked on a local or remote machine. An X client can run on and display to the same system as the X server, or its display can be exported to a remote X server.
DISPLAY: The environment variable that instructs the X client (xlib) which X server display to connect to:
- DISPLAY Formats:
D=The display number (usually 0)
S=The screen number. A display can have multiple screens. Each screen requires a graphics card. Usually there is only one screen. 0 is the default value. If no screen number is specified, the screen value defaults to 0.
DISPLAY=hostname:D.S: The X client connects over TCP sockets to the X server, which is listening on TCP port 6000+D.
DISPLAY=unix:D.S: The X client connects to the UNIX domain socket /tmp/.X11-unix/XD on the local host.
DISPLAY=:D.S: The X client uses the Shared Memory Transport (SMT) layer.
The display number (D) to use depends on the number the X server was started with. It can be found by examining the ps output.
Example:
$ ps -ef |grep bin/X
hullmann 6750330 18481320 0 15:16:11 pts/0 0:00 grep bin/X
root 6946890 2883678 0 Dec 11 - 0:07 /usr/lpp/X11/bin/X -x abx -x dbe -x GLX -D /usr/lib/X11/rgb -T -force :0 -auth /var/dt/A:0-0elaaa
For more information, see /usr/lpp/X11/README.SMT
PROCEDURES:
Some X Window servers support a "-nolisten" or similar option, which turns off the X server from listening to TCP ports. This option is not supported in the AIX X server. However, there is a "-secIP xxx" option, which provides a similar function.
The following is extracted from the man page for the X command:
-secIP [PermissionCode] Sets local access control on the internet socket. The PermissionCode is 3 octal digits which can set read, write, and execute bits. If no PermissionCode is specified after a security flag, then permission is defaulted to 0 for that socket.
If no PermissionCode follows the -secIP option, the permission on the internet socket defaults to 0, which effectively stops the X server from listening on its TCP port (6000+D).
A side effect of this action is that interprocess communication over TCP sockets between local user applications and the X server is also disabled, so an alternative socket transport (SMT or UNIX domain sockets) must be used.
The transport mechanism is specified through the DISPLAY environment variable.
- SMT sockets -
DISPLAY=:D.S
- UNIX domain sockets -
DISPLAY=unix:D.S
- TCP/IP sockets -
DISPLAY=<hostname>:D.S
(See /usr/lpp/X11/README.SMT for more information.)
Examples:
- export DISPLAY=:0.0 => allows communication with display 0, screen 0, using SMT sockets
- export DISPLAY=unix:5 => allows communication with display 5, screen 0, using unix sockets
- export DISPLAY=<hostname>:10.1 => allows communications with display 10, screen 1, using TCP sockets on port 6010
Remote connections to the X server can still be made using SSH with X11 forwarding enabled while TCP ports are disabled using -secIP.
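The following script is an added example and is not part of the IBM document. It turns the DISPLAY formats above and the -secIP procedure into a check a practitioner can run after the change: it derives the TCP port from a DISPLAY value (hostname:D.S gives 6000+D; :D and unix:D give no TCP port), scans netstat -an output for a LISTEN socket on that port, and inspects the X server command line from ps for a -secIP with no PermissionCode. It assumes POSIX sh and awk, netstat -an output in the AIX/BSD style (local address written as *.6000) or Linux style (0.0.0.0:6000), and a ps -ef command line like the one shown earlier; the netstat and ps samples at the bottom are constructed so the script runs offline.

```shell
#!/bin/sh
# Added example (not from the IBM page): audit whether an AIX X server still exposes TCP port 6000+D.
# Assumptions: POSIX sh and awk; netstat -an output in AIX/BSD style (Local Address like *.6000)
# or Linux style (0.0.0.0:6000); the X server command line as printed by ps -ef.

# Map a DISPLAY value to the TCP port it implies.
# Prints 6000+D for hostname:D[.S]; prints nothing and returns 1 for :D (SMT) and unix:D
# (UNIX domain socket), because those transports never touch a TCP port.
display_tcp_port() {
    disp=$1
    case $disp in
        *:*) ;;
        *) return 1 ;;
    esac
    host=${disp%%:*}
    dnum=${disp#*:}
    dnum=${dnum%%.*}          # drop the screen number
    case $host in
        ''|unix) return 1 ;;
    esac
    case $dnum in
        ''|*[!0-9]*) return 1 ;;
    esac
    echo $((6000 + dnum))
}

# Read netstat -an text on stdin; succeed if some socket in LISTEN state is bound to the given port.
port_is_listening() {
    awk -v p="$1" '
        $NF == "LISTEN" {
            n = split($4, a, /[.:]/)      # *.6000 -> 6000, 0.0.0.0:6000 -> 6000
            if (a[n] == p) found = 1
        }
        END { exit(found ? 0 : 1) }'
}

# Inspect an X server command line: succeed only when -secIP appears with no PermissionCode
# after it, which the man page extract says leaves the internet socket with permission 0.
# An explicit three-digit octal code keeps the socket open under that code, so it does not count.
# Runs in a subshell with globbing off so word-splitting the ps line cannot expand wildcards.
secip_disables_tcp() (
    set -f
    set -- $1
    while [ $# -gt 0 ]; do
        if [ "$1" = "-secIP" ]; then
            case ${2:-} in
                [0-7][0-7][0-7]) return 1 ;;
                *) return 0 ;;
            esac
        fi
        shift
    done
    return 1
)

# Combine the checks into one verdict for a DISPLAY value, a netstat dump and a ps line.
x_tcp_verdict() {
    port=$(display_tcp_port "$1") || { echo "no-tcp-transport"; return 0; }
    if printf '%s\n' "$2" | port_is_listening "$port"; then
        echo "listening:$port"
    elif secip_disables_tcp "$3"; then
        echo "closed-by-secIP:$port"
    else
        echo "not-listening:$port"
    fi
}

# Constructed sample data so the example runs offline (not captured from a real host).
NETSTAT_OPEN='Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp4       0      0  *.22                   *.*                    LISTEN
tcp4       0      0  *.6000                 *.*                    LISTEN'
NETSTAT_CLOSED='Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp4       0      0  *.22                   *.*                    LISTEN'
PS_DEFAULT='/usr/lpp/X11/bin/X -x abx -x dbe -x GLX -T -force :0 -auth /var/dt/A:0-0elaaa'
PS_SECIP='/usr/lpp/X11/bin/X -x abx -x dbe -x GLX -T -force :0 -secIP -auth /var/dt/A:0-0elaaa'

# On a live host run:  x_tcp_verdict "$DISPLAY" "$(netstat -an)" "$(ps -ef | grep '[b]in/X')"
x_tcp_verdict "myhost:0.0" "$NETSTAT_OPEN" "$PS_DEFAULT"     # listening:6000
x_tcp_verdict "myhost:0.0" "$NETSTAT_CLOSED" "$PS_SECIP"     # closed-by-secIP:6000
x_tcp_verdict ":0.0" "$NETSTAT_OPEN" "$PS_DEFAULT"           # no-tcp-transport
```

A "listening" verdict after -secIP was added means the running X server was not restarted with the new option; a "not-listening" verdict without -secIP on the command line means the port is closed for some other reason (for example a firewall) and will reopen if that control is removed.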
Document Information
Modified date:
15 September 2021
UID
isg3T1026701