Hi,

I was wondering how I could restrict XDM to the console in a server environment and only allow a user to login either physically at the machine or via SSH?

Thanks

Anyone at all?

I was wondering how I could restrict XDM to the console in a server environment
Not really sure what you mean by that, but if you're asking how do you block remote X sessions, you can firewall the Xserver ports and then make sure that X11Forwarding is disallowed in the sshd config. If you're really setting up a production server environ. it really shouldn't even have X/XDM installed anyway.

and only allow a user to login either physically at the machine or via SSH?
Removing any other remote login applications (telnetd, etc) except ssh would work. You can even configure your firewall to only allow incoming ssh traffic. I'd imagine you could probably use PAM as well (it can do just about anything).

I was wondering how I could restrict XDM to the console in a server environment
Not really sure what you mean by that, but if you're asking how do you block remote X sessions, you can firewall the Xserver ports and then make sure that X11Forwarding is disallowed in the sshd config. If you're really setting up a production server environ. it really shouldn't even have X/XDM installed anyway.

>> Capt_Caveman, what I meant is to only allow physical access to the system and disable all remote acccess. The only reason I wish to install XDM is that in the event that someone who is not so familar with the CLI can make basic changes if required. Is there anything I need to be aware to harden XDM and the server?
Thank you.

Blocking acess to the Xserver ports, editing the /etc/X11/xdm/Xservers file and adding -nolisten tcp to the following line:

:0 local /usr/X11R6/bin/X

In general try to reduce the number of KDE and Gnome software that is installed. You don't need stuff like camera apps or GIMP on there and they simply provide more ways someone can perform a priviledge elevation attack. Also try to avoid running X as root as much as possible. That should help, but you should really focus on overall system and kernel hardening first.

Blocking acess to the Xserver ports, editing the /etc/X11/xdm/Xservers file and adding -nolisten tcp to the following line:
:0 local /usr/X11R6/bin/X

>> Capt_Caveman, thank you. Is it possible to add the line as noted below to block all packets including udp.
:0 local /usr/X11R6/bin/X -nolisten all

Capt_Caveman,

Would my previous post be correct about dropping all incoming packets?

X will only open a tcp port for connections by default. You can test this very easily by: starting at console w/o an Xsession and type netstat -a, then start X and do the same thing. You'll notice a tcp port is opened on port 6000. You'll also see a number of internal Unix sockets established as well, though these are only accessible locally for things like connecting to the font server.

X does use udp under certain circumstances (XDMCP), however it doesn't listen for udp packets under normal circumstances. So if anyone were to send a udp packet to your machine, it would be ignored. That being said, if your system is exposed to the internet, then you should be firewalling any ports that you don't need to be remotely accessible.