Operating System - Linux

Re: To disable X11 service on linux box.

 
SOLVED
HP-UX_Ali
Regular Advisor

To disable X11 service on linux box.

Dear All,
Kindly let me know how to disable the X11 service & port for security reasons.

Pls confirm ASAP.
16 REPLIES
Nido
Trusted Contributor

Re: To disable X11 service on linux box.

Don't go to run-level 5.
Set initdefault to 3.

Check `man init`.

Cheers!!
" Let Villagers Be Happy!! "
Matti_Kurkela
Honored Contributor
Solution

Re: To disable X11 service on linux box.

In most modern Linux distributions, the TCP port of the local X11 server is already disabled by default, by starting the X11 server with the option "-nolisten tcp". That makes it accessible only locally (using the Unix socket in /tmp/.X11-unix) or using a secure X11 forwarding service like SSH.

To disable the X11 service, shut down the display manager (gdm/kdm/xdm/*dm) and prevent it from starting at system boot.
This also means there won't be a GUI login dialog on the console, only a text-mode login prompt.

The exact steps to do it? That depends on which Linux distribution you're using.

In RedHat and related distributions, this is usually done by changing the default run level from 5 to 3. This is controlled by the "initdefault" line in /etc/inittab.

Change this line:
id:5:initdefault:

to this:
id:3:initdefault:

Be very careful when editing /etc/inittab: a typo could make your system unable to complete the boot sequence.

After changing the default runlevel value, you can transition the system to the new runlevel immediately by using the "telinit 3" command. Or you might want to reboot the system, to make sure your change works as intended.

In Debian and related distributions, one way to disable the X11 server would be to change the value in the /etc/X11/default-display-manager file to anything that is not a valid display manager pathname, e.g. to "none".

MK
HP-UX_Ali
Regular Advisor

Re: To disable X11 service on linux box.

Hi Matti,

Below are the server/OS details.
Linux hostname 2.6.9-67.ELsmp #1 SMP Wed Nov 7 13:56:44 EST 2007 x86_64 x86_64 x86_64 GNU/Linux

I don't think changing the run level will be a good idea. I just want to disable the X11 service on a particular server. On other servers the run level is 5 but the service is disabled. I don't remember how it is disabled on the other servers.

Kindly confirm...Thanks
Matti_Kurkela
Honored Contributor

Re: To disable X11 service on linux box.

By the kernel version number, this is most likely a RedHat Enterprise Linux 4 system. Please check with "cat /etc/redhat-release" to confirm.

In a standard RedHat system, the only difference between runlevels 3 and 5 is that runlevel 5 runs the X11 server and runlevel 3 doesn't. Changing the runlevel *is* the standard way to disable the X11 server on a RedHat system.

See this RedHat Knowledge Base document if you don't believe me:
http://kbase.redhat.com/faq/docs/DOC-1966

If your system is running on runlevel 5 and has the X11 server disabled, it has a locally-customized configuration. Only you and other people at your site may know what has been done to customize it.

MK
HP-UX_Ali
Regular Advisor

Re: To disable X11 service on linux box.

Hi Matti,

Thanks for your input; it's not a matter of belief. I respect the solutions you provided to me, and you are also more experienced than me.

The only thing is that our management will not agree to bringing it down to run level 3. They want a solution without bringing the run level to 3.

If there is any solution other than this, please let me know. I have already forwarded the solution provided by you.

Thanks & regards...
Matti_Kurkela
Honored Contributor

Re: To disable X11 service on linux box.

If the bosses are so knowledgeable, why don't they give you the solution too? :-)
Just kidding...

OK, now I've had the chance to check how a RHEL 4 system starts up the X11 service.

The very last lines of /etc/inittab are:
-----
# Run xdm in runlevel 5
x:5:respawn:/etc/X11/prefdm -nodaemon
-----

If you comment out the last line (the one that executes /etc/X11/prefdm), and then run "telinit q" to make the init process read /etc/inittab again, then it will no longer start the X11 service.


/etc/X11/prefdm is a script that starts the display manager chosen with the /etc/sysconfig/desktop file.

If /etc/sysconfig/desktop does not exist or does not have a valid value, the script would try to start gdm, kdm or xdm (in this order). Making the /etc/X11/prefdm script or all the /usr/bin/?dm files non-executable would also prevent the X11 service from starting, but would also cause init to emit useless error messages to the system log ("x is respawning too often; disabled for 5 minutes").

MK
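
The two /etc/inittab checks from Matti_Kurkela's replies (the initdefault line and the prefdm respawn entry), as an added example that is not part of the original thread. The function names are hypothetical and the sample file is constructed from the lines quoted above; the script only reads and rewrites copies.

```shell
#!/bin/sh
# Audit an inittab-format file for the two settings discussed in the thread.
# Function names are hypothetical; the sample file below is constructed.

# Print the default runlevel (field 2 of the active "initdefault" entry).
inittab_default_runlevel() {
    awk -F: '!/^[ \t]*#/ && $3 == "initdefault" { print $2; exit }' "$1"
}

# Print the ids of active entries whose program is a display manager
# (prefdm, gdm, kdm or xdm) and which apply to runlevel $2.
inittab_dm_entries() {
    awk -F: -v rl="$2" '
        /^[ \t]*#/ { next }
        { split($4, w, " ") }    # w[1] is the program path
        rl != "" && index($2, rl) && w[1] ~ /(prefdm|\/[gkx]dm)$/ { print $1 }
    ' "$1"
}

# Print a copy of the file with the display-manager entries commented out.
inittab_comment_dm() {
    sed -E '/^[^#:]*:[^:]*:[^:]*:.*(prefdm|\/[gkx]dm)([[:space:]]|$)/ s/^/#/' "$1"
}

# Constructed sample modelled on the lines quoted above.
sample=$(mktemp); hardened=$(mktemp)
trap 'rm -f "$sample" "$hardened"' EXIT
cat > "$sample" <<'EOF'
id:5:initdefault:
si::sysinit:/etc/rc.d/rc.sysinit
l3:3:wait:/etc/rc.d/rc 3
l5:5:wait:/etc/rc.d/rc 5
# Run xdm in runlevel 5
x:5:respawn:/etc/X11/prefdm -nodaemon
EOF

rl=$(inittab_default_runlevel "$sample")
echo "default runlevel: $rl"
echo "display manager entries in runlevel $rl: $(inittab_dm_entries "$sample" "$rl")"

# Work on a copy; review it before replacing the real file, then "telinit q".
inittab_comment_dm "$sample" > "$hardened"
echo "entries left after edit: $(inittab_dm_entries "$hardened" "$rl")"
```

Pointing the first two functions at the /etc/inittab of each server gives a quick side-by-side of why one runlevel 5 host starts a display manager and another does not.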
Steven Schweda
Honored Contributor

Re: To disable X11 service on linux box.

> In other servers the run level is 5 but the
> service is disabled.

> they want the solution without bringing run
> level to 3.

Then perhaps you should try to figure out how
it was done on these "other servers". You
seem to be in a better position than anyone
else to explore the start-up scripts on these
systems. My psychic powers are much too weak
to show me how your systems are configured.

As I recall, "diff" works over NFS, so it
should be relatively easy to compare the
relevant files between two similar systems.
HP-UX_Ali
Regular Advisor

Re: To disable X11 service on linux box.

Hi Matti,

Thanks for the solution, and a good one. That is why they are called bosses. If we take up any solution, they will ask for other solutions too (why this? or why not this?) but finally no solutions. It happens...

By the way, thanks for the solution. I will try this out and let you know.

Dear Steve,

Thanks for the reply, but I joined this organisation after such changes were done. I have compared the /etc/inittab files, but both are running in run level 5. But telnet is happening with port 6001 to the affected box and not happening to the other Linux box. This activity came after the security team's analysis, and if any other files are to be compared, kindly let me know.

I really appreciate all your responses.

Thanks
regards

Steven Schweda
Honored Contributor

Re: To disable X11 service on linux box.

> [...] I have joined this organisation after
> such changes were done..

But the changes are still there. All you
need to do is find them.

> I have compared the /etc/inittab file [...]

Have you looked at all the start-up scripts?

> [...] but telnet is happening with port
> 6001 [...]

6001? Wouldn't the normal X server normally
be listening at port 6000?

Perhaps you should try using lsof to see
who's actually listening at port 6001.
And/or netstat, to see all the ports which
are active.
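
The netstat check suggested in the last reply, as an added example that is not part of the original thread: it filters `netstat -ltnp` output for listeners in the X11 TCP range (port 6000 plus the display number) and marks whether each one is bound to loopback only. The function names are hypothetical and the netstat output is constructed.

```shell
#!/bin/sh
# List TCP listeners in the X11 port range from `netstat -ltnp` output on stdin.
# X display :N uses TCP port 6000+N; 6000-6063 is the range registered for X11.
# Function names are hypothetical; the netstat output below is constructed.
x11_tcp_listeners() {
    awk '
        $1 ~ /^tcp/ && $6 == "LISTEN" {
            n = split($4, a, ":"); port = a[n] + 0
            if (port < 6000 || port > 6063) next
            # Local address without the trailing ":port".
            addr = substr($4, 1, length($4) - length(a[n]) - 1)
            scope = (addr == "127.0.0.1" || addr == "::1") ? "loopback" : "exposed"
            disp = port - 6000
            print port, "display=:" disp, scope, $7
        }'
}

# Constructed sample of `netstat -ltnp` output.
sample_netstat() {
    cat <<'EOF'
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address      Foreign Address    State    PID/Program name
tcp        0      0 0.0.0.0:22         0.0.0.0:*          LISTEN   2210/sshd
tcp        0      0 0.0.0.0:6001       0.0.0.0:*          LISTEN   3021/X
tcp        0      0 127.0.0.1:6010     0.0.0.0:*          LISTEN   4412/sshd
EOF
}

sample_netstat | x11_tcp_listeners
# On a live host, run as root so the PID/Program column is filled in:
#   netstat -ltnp | x11_tcp_listeners
```

The last column names the process to trace back through the start-up scripts; an "exposed" entry is the one a remote telnet to that port would reach.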