
To disable X11 service on linux box.

 
SOLVED
HP-UX_Ali
Regular Advisor

To disable X11 service on linux box.

Dear All,
Kindly let me know how to disable the X11 service & port for security reasons.

Please confirm ASAP.
16 REPLIES
Nido
Trusted Contributor

Re: To disable X11 service on linux box.

Don't go to run-level 5.
Set initdefault to 3.

Check `man init`.

Cheers!!
" Let Villagers Be Happy!! "
Matti_Kurkela
Honored Contributor
Solution

Re: To disable X11 service on linux box.

In most modern Linux distributions, the TCP port of the local X11 server is already disabled by default, by starting the X11 server with the option "-nolisten tcp". That makes it accessible only locally (using the Unix socket in /tmp/.X11-unix) or using a secure X11 forwarding service like SSH.

To disable the X11 service, shut down the display manager (gdm/kdm/xdm/*dm) and prevent it from starting at system boot.
This also means there won't be a GUI login dialog on the console, only a text-mode login prompt.

The exact steps to do it? That depends on which Linux distribution you're using.

In RedHat and related distributions, this is usually done by changing the default run level from 5 to 3. This is controlled by the "initdefault" line in /etc/inittab.

Change this line:
id:5:initdefault:

to this:
id:3:initdefault:

Be very careful when editing /etc/inittab: a typo could make your system unable to complete the boot sequence.

After changing the default runlevel value, you can transition the system to the new runlevel immediately by using the "telinit 3" command. Or you might want to reboot the system, to make sure your change works as intended.

In Debian and related distributions, one way to disable the X11 server would be to change the value in the /etc/X11/default-display-manager file to anything that is not a valid display manager pathname, e.g. to "none".

MK
HP-UX_Ali
Regular Advisor

Re: To disable X11 service on linux box.

Hi Matti,

Below are the server/OS details.
Linux hostname 2.6.9-67.ELsmp #1 SMP Wed Nov 7 13:56:44 EST 2007 x86_64 x86_64 x86_64 GNU/Linux

I don't think changing the run level will be a good idea. I just want to disable the X11 service on this particular server. On other servers the run level is 5 but the service is disabled. I don't remember how it is disabled on the other servers.

Kindly confirm... Thanks
Matti_Kurkela
Honored Contributor

Re: To disable X11 service on linux box.

By the kernel version number, this is most likely a RedHat Enterprise Linux 4 system. Please check with "cat /etc/redhat-release" to confirm.

In a standard RedHat system, the only difference between runlevels 3 and 5 is that runlevel 5 runs the X11 server and runlevel 3 doesn't. Changing the runlevel *is* the standard way to disable the X11 server on a RedHat system.

See this RedHat Knowledge Base document if you don't believe me:
http://kbase.redhat.com/faq/docs/DOC-1966

If your system is running on runlevel 5 and has the X11 server disabled, it has a locally-customized configuration. Only you and other people at your site may know what has been done to customize it.

MK
HP-UX_Ali
Regular Advisor

Re: To disable X11 service on linux box.

Hi Matti,

Thanks for your input; it's not a matter of belief. I respect the solutions you have provided to me, and you are also more experienced than me.

The only thing is that our management will not agree to bringing it down to run level 3. They want a solution without bringing the run level to 3.

If there is any solution other than this, please let me know. I have already forwarded the solution provided by you.

Thanks & regards...
Matti_Kurkela
Honored Contributor

Re: To disable X11 service on linux box.

If the bosses are so knowledgeable, why don't they give you the solution too? :-)
Just kidding...

OK, now I've had the chance to check how a RHEL 4 system starts up the X11 service.

The very last lines of /etc/inittab are:
-----
# Run xdm in runlevel 5
x:5:respawn:/etc/X11/prefdm -nodaemon
-----

If you comment out the last line (the one that executes /etc/X11/prefdm), and then run "telinit q" to make the init process read /etc/inittab again, then it will no longer start the X11 service.


/etc/X11/prefdm is a script that starts the display manager chosen with the /etc/sysconfig/desktop file.

If /etc/sysconfig/desktop does not exist or does not have a valid value, the script would try to start gdm, kdm or xdm (in this order). Making the /etc/X11/prefdm script or all the /usr/bin/?dm files non-executable would also prevent the X11 service from starting, but would also cause init to emit useless error messages to system log ("x is respawning too often; disabled for 5 minutes").

MK
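
Added example, not part of the original thread: a small audit of the inittab logic described in the post above, run against a constructed RHEL 4 style inittab before and after the prefdm line is commented out. The function names and the sample file are made up for this illustration.

```shell
#!/bin/sh
# Added example; the inittab content below is constructed sample data.

# Print the default runlevel from the active "id:N:initdefault:" line.
default_runlevel() {
    awk -F: '!/^[ \t]*#/ && $3 == "initdefault" { print $2; exit }' "$1"
}

# Print active (uncommented) entries whose runlevel field includes $2 and
# whose command is a display manager (prefdm, gdm, kdm or xdm).
dm_entries() {
    awk -F: -v rl="$2" '
        /^[ \t]*#/ { next }
        NF >= 4 && index($2, rl) && $4 ~ /(prefdm|[gkx]dm)/ { print }
    ' "$1"
}

# One-line verdict for an inittab file.
audit_inittab() {
    rl=$(default_runlevel "$1")
    if [ -n "$(dm_entries "$1" "$rl")" ]; then
        echo "runlevel $rl: display manager will start"
    else
        echo "runlevel $rl: no display manager entry"
    fi
}

before=$(mktemp) && after=$(mktemp)
trap 'rm -f "$before" "$after"' EXIT
cat > "$before" <<'EOF'
id:5:initdefault:
si::sysinit:/etc/rc.d/rc.sysinit
l5:5:wait:/etc/rc.d/rc 5
# Run xdm in runlevel 5
x:5:respawn:/etc/X11/prefdm -nodaemon
EOF
# The change from the post: comment out the prefdm line; default runlevel stays 5.
sed 's|^x:5:respawn:|#&|' "$before" > "$after"

audit_inittab "$before"
audit_inittab "$after"
```

On a live system the edit only takes effect once init re-reads the file with "telinit q", as the post says.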
Steven Schweda
Honored Contributor

Re: To disable X11 service on linux box.

> In other servers the run level is 5 but the
> service is disabled.

> they want the solution without bringing run
> level to 3.

Then perhaps you should try to figure out how
it was done on these "other servers". You
seem to be in a better position than anyone
else to explore the start-up scripts on these
systems. My psychic powers are much too weak
to show me how your systems are configured.

As I recall, "diff" works over NFS, so it
should be relatively easy to compare the
relevant files between two similar systems.
HP-UX_Ali
Regular Advisor

Re: To disable X11 service on linux box.

Hi Matti,

Thanks for the solution, it's a good one. That is why they are called bosses: if we take up any solution, they will ask for other solutions too (why this? or why not this?) but finally no solutions. It happens...

By the way, thanks for the solution. I will try this out and let you know.

Dear Steve,

Thanks for the reply, but I joined this organisation after these changes were done. I have compared the /etc/inittab files, but both are running in run level 5. But telnet to port 6001 connects on the affected box and does not connect on the other Linux box. This activity came after a security team analysis, and if there are any other files to compare, kindly let me know.

I really appreciate all your responses.

Thanks
regards

Steven Schweda
Honored Contributor

Re: To disable X11 service on linux box.

> [...] i have joined this organisation after
> such changes was done..

But the changes are still there. All you
need to do is find them.

> I have compared the /etc/inittab file [...]

Have you looked at all the start-up scripts?

> [...] but telnet is happening with port
> 6001 [...]

6001? Wouldn't the normal X server normally
be listening at port 6000?

Perhaps you should try using lsof to see
who's actually listening at port 6001.
And/or netstat, to see all the ports which
are active.
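
Added example, not part of the original thread: one way to do the netstat check suggested above, mapping TCP listeners in the X11 display range (port 6000+N is display :N) to the owning process. The `netstat -tlnp` output is constructed sample data, and the upper bound 6063 and the function name are choices made for this illustration.

```shell
#!/bin/sh
# Added example; SAMPLE_NETSTAT is constructed, in "netstat -tlnp" format.

# Read netstat -tlnp output on stdin and report listeners on 6000-6063
# together with the display number and the PID/program that owns the socket.
x11_listeners() {
    awk '
        $1 ~ /^tcp/ && $6 == "LISTEN" {
            n = split($4, a, ":")          # works for 0.0.0.0:6001 and :::6001
            port = a[n] + 0
            if (port >= 6000 && port <= 6063) {
                split($7, p, "/")          # "4312/Xvnc" -> pid, program
                printf "display :%d port %d pid %s program %s\n",
                       port - 6000, port, p[1], p[2]
            }
        }'
}

SAMPLE_NETSTAT=$(cat <<'EOF'
Proto Recv-Q Send-Q Local Address   Foreign Address   State    PID/Program name
tcp        0      0 0.0.0.0:22      0.0.0.0:*         LISTEN   2101/sshd
tcp        0      0 0.0.0.0:5901    0.0.0.0:*         LISTEN   4312/Xvnc
tcp        0      0 0.0.0.0:6001    0.0.0.0:*         LISTEN   4312/Xvnc
tcp        0      0 127.0.0.1:631   0.0.0.0:*         LISTEN   1980/cupsd
EOF
)

# On a live system, as root: netstat -tlnp | x11_listeners
printf '%s\n' "$SAMPLE_NETSTAT" | x11_listeners
```

The program column is what separates a display manager's X server from some other process serving an X display on the same port range.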
Steven E. Protter
Exalted Contributor

Re: To disable X11 service on linux box.

Shalom,

Even at run level 5, if you stopped the xfs service your system would stop listening on X.

You could in addition set up iptables firewall rules to further protect your system.

SEP
Steven E Protter
HP-UX_Ali
Regular Advisor

Re: To disable X11 service on linux box.

Hi All,

After commenting out a line in /etc/inittab, the X server is still listening...

Please advise...

Thanks

Regards
TTr
Honored Contributor

Re: To disable X11 service on linux box.

> After commenting a line /etc/inittab X server still listening .....

Did you run "telinit q" after commenting out the line in /etc/inittab as Matti pointed out? Commenting out the line in /etc/inittab is not enough.
HP-UX_Ali
Regular Advisor

Re: To disable X11 service on linux box.

Yes, telinit -q has been done...
As port 6001 was referring to the xvnc service, I have stopped the service and killed the process listening on port 6001. As of now the port is not listening, but if there is any chance, after a reboot it will be up again.

Kindly confirm... If yes, what is to be done permanently.

Thanks.
Steven Schweda
Honored Contributor

Re: To disable X11 service on linux box.

> [...] i have stopped the service [...]

How, exactly? As usual, it might help if you
showed the actual commands you used instead
of giving us vague descriptions and
interpretations of what you think was
supposed to happen when you did whatever you
actually did.

> [...] but if there is any chance after
> reboot again it will up.

Where in the start-up scripts was this "xvnc
service" started? If you didn't change
anything in the start-up sequence, then I'd
expect the thing to be started again at the
next system boot.

> [...] what is to be done permanently.

That's a question????

Find out where in the system start-up scripts
this thing gets started. Then disable that
script somehow. The details of how to do
that may depend on which kind of "linux box"
you have, and which script does what how.
With my weak psychic powers, I can't see any
of your start-up scripts.
Matti_Kurkela
Honored Contributor

Re: To disable X11 service on linux box.

If that VNC server has been installed using a RedHat standard package, it should be visible in the output of "chkconfig --list" as "vncserver". If the output says "on" at the runlevel 5 column, then vncserver has been configured to start automatically at system boot.

To prevent the vncserver from starting at system boot, run "chkconfig vncserver off".

By the way, all RedHat-packaged services that are controlled by xinetd or standard System V init scripts can be enabled or disabled using "chkconfig ". This feature can easily be extended to custom services too, by adding two specially-defined comment fields to the appropriate init scripts.

Although simply killing the Xvnc server is a valid way to shut it down, there is a command for starting/stopping any services based on System V init scripts: "service ". This takes effect immediately, but does not change whether the service will be restarted at reboot or not.

See "man chkconfig" and "man service". These are basic RedHat configuration commands; as a sysadmin, you are expected to understand these commands.

MK
HP-UX_Ali
Regular Advisor

Re: To disable X11 service on linux box.

Hi Matti,

Thank you very much, Matti. Your brief explanation helped me a lot and resolved the issue.
Full marks to you.... :)

Hence closing the above thread.