Linux - Security
This forum is for all security related questions. Questions, tips, system compromises, firewalls, etc. are all included here.
I was wondering how I could restrict XDM to the console in a server environment and only allow a user to login either physically at the machine or via SSH?
I was wondering how I could restrict XDM to the console in a server environment
Not really sure what you mean by that, but if you're asking how do you block remote X sessions, you can firewall the Xserver ports and then make sure that X11Forwarding is disallowed in the sshd config. If you're really setting up a production server environ. it really shouldn't even have X/XDM installed anyway.
and only allow a user to login either physically at the machine or via SSH?
Removing any other remote login applications (telnetd, etc) except ssh would work. You can even configure your firewall to only allow incoming ssh traffic. I'd imagine you could probably use PAM as well (it can do just about anything).
I was wondering how I could restrict XDM to the console in a server environment
Not really sure what you mean by that, but if you're asking how do you block remote X sessions, you can firewall the Xserver ports and then make sure that X11Forwarding is disallowed in the sshd config. If you're really setting up a production server environ. it really shouldn't even have X/XDM installed anyway.
>> Capt_Caveman, what I meant is to only allow physical access to the system and disable all remote access. The only reason I wish to install XDM is that in the event that someone who is not so familiar with the CLI can make basic changes if required. Is there anything I need to be aware of to harden XDM and the server?
Thank you.
Blocking access to the Xserver ports, editing the /etc/X11/xdm/Xservers file and adding -nolisten tcp to the following line:
:0 local /usr/X11R6/bin/X
In general try to reduce the number of KDE and Gnome software that is installed. You don't need stuff like camera apps or GIMP on there and they simply provide more ways someone can perform a privilege elevation attack. Also try to avoid running X as root as much as possible. That should help, but you should really focus on overall system and kernel hardening first.
X will only open a tcp port for connections by default. You can test this very easily by: starting at console w/o an Xsession and type netstat -a, then start X and do the same thing. You'll notice a tcp port is opened on port 6000. You'll also see a number of internal Unix sockets established as well, though these are only accessible locally for things like connecting to the font server.
X does use udp under certain circumstances (XDMCP), however it doesn't listen for udp packets under normal circumstances. So if anyone were to send a udp packet to your machine, it would be ignored. That being said, if your system is exposed to the internet, then you should be firewalling any ports that you don't need to be remotely accessible.
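The three checks suggested in this thread (`-nolisten tcp` in the Xservers file, `X11Forwarding` in the sshd config, and the netstat test for port 6000), written as an added example script that is not part of any post. The function names are hypothetical, and the file contents and netstat lines are constructed samples.

```shell
#!/bin/sh
# Added example: audit the settings named in the thread. Inputs are passed in
# so the checks can run against copies; all sample data below is constructed.

# Succeeds only if every active "local" display line carries "-nolisten tcp".
xservers_nolisten() {
    awk '$1 ~ /^#/ || NF == 0 { next }          # skip comments and blank lines
         { loc = nl = 0
           for (i = 1; i <= NF; i++) {
               if ($i == "local") loc = 1
               if ($i == "-nolisten" && $(i + 1) == "tcp") nl = 1 }
           if (loc && !nl) bad = 1 }
         END { exit bad + 0 }' "$1"
}

# Succeeds only if the first X11Forwarding keyword is explicitly "no".
# sshd uses the first value it reads; Match blocks are not evaluated here.
sshd_x11_disabled() {
    awk 'tolower($1) == "x11forwarding" { found = 1; ok = (tolower($2) == "no"); exit }
         END { exit !(found && ok) }' "$1"
}

# Reads "netstat -an" output on stdin; succeeds if a TCP listener is on port 6000.
x_tcp_listening() {
    awk '$1 ~ /^tcp/ && $6 == "LISTEN" && $4 ~ /:6000$/ { hit = 1 } END { exit !hit }'
}

tmp=$(mktemp -d) && trap 'rm -rf "$tmp"' EXIT

# Constructed sample inputs: one unhardened set, one hardened set.
printf '%s\n' '# local display' ':0 local /usr/X11R6/bin/X' > "$tmp/Xservers.before"
printf '%s\n' '# local display' ':0 local /usr/X11R6/bin/X -nolisten tcp' > "$tmp/Xservers.after"
printf '%s\n' '#X11Forwarding no' 'X11Forwarding yes' > "$tmp/sshd_config.before"
printf '%s\n' 'Port 22' 'X11Forwarding no' > "$tmp/sshd_config.after"
printf '%s\n' 'tcp        0      0 0.0.0.0:22       0.0.0.0:*     LISTEN' \
              'tcp        0      0 0.0.0.0:6000     0.0.0.0:*     LISTEN' > "$tmp/netstat.before"
printf '%s\n' 'tcp        0      0 0.0.0.0:22       0.0.0.0:*     LISTEN' \
              'unix  2      [ ACC ]     STREAM     LISTENING     1234     /tmp/.X11-unix/X0' > "$tmp/netstat.after"

for state in before after; do
    xservers_nolisten "$tmp/Xservers.$state" && a=ok || a=FAIL
    sshd_x11_disabled "$tmp/sshd_config.$state" && b=ok || b=FAIL
    x_tcp_listening < "$tmp/netstat.$state" && c=FAIL || c=ok
    echo "$state: Xservers=$a sshd_config=$b tcp6000=$c"
done
```

On a real host, point the first two functions at copies of `/etc/X11/xdm/Xservers` and the sshd config, and pipe `netstat -an` into the third.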