Operating System - HP-UX
Ian Foster_2
Frequent Advisor

Disabling X windows services

In the course of locking down our servers we have been asked to ensure the x services are secure - including disabling the service altogether on systems where it is not really required.

What's the best way to actually disable the service completely ?

Already looked at /etc/services and /etc/inetd.conf.
Robert-Jan Goossens_1
Honored Contributor

Re: Disabling X windows services

Hi,

Are you referring to CDE ?

# dtconfig -d

Check the manual page.

Hope this helps,
Robert-Jan
Steven E. Protter
Exalted Contributor

Re: Disabling X windows services

Block port 7000 on the firewall

vi /etc/rc.config.d/xfs

change the first variable to 0, this stops the font server from starting.

/sbin/init.d/xfs stop

done

SEP
Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
Ian Foster_2
Frequent Advisor

Re: Disabling X windows services

I am referring to anything which would use port 6000 for any xwindows type session eg. Reflections-X.

Does this just stop CDE or all x emulator type services ?

Also looks like this would take a reboot to implement ?
TwoProc
Honored Contributor
Solution

Re: Disabling X windows services

Ian, I'd be careful on this...
While the dtlogin server IS something you can shut off; your HP server is probably not *really* an X server. Your client workstation (Reflection X) is the actual X server. And that's where your security lies...

You can check out the list of x-servers allowed in your xhosts file though (man xhosts).

But, what I'm getting at is if you start cutting much more stuff - then you'll not be able to run any programs from your HP which require/want an x-display server (your PC with ReflectionsX for example) to display on.

You won't be able to run Glance, SAM, xstm, swinstall (in gui mode), etc. But these things all run b/c there exists an Xserver on your desktop - not b/c there exists an Xserver on your HP server...

So, you can stop CDE, but are you sure you mean to stop all X type traffic going in and out of the box?
We are the people our parents warned us about --Jimmy Buffett
Robert-Jan Goossens_1
Honored Contributor

Re: Disabling X windows services

No, for /usr/dt/bin/dtconfig you do not need a reboot. This is the easiest method for disabling CDE. Check also next doc (in reverse order :-)

Document description: Setting up to run CDE and HP-UX applications with Reflection X.
Document id: KBRC00000052

http://www4.itrc.hp.com/service/cki/docDisplay.do?docLocale=en_US&docId=200000076457539

Hope this helps,
Robert-Jan
Ian Foster_2
Frequent Advisor

Re: Disabling X windows services

I agree - that's exactly what they are asking us to do - stop ALL x-type traffic to/from the box. I think it's security gone mad and not surprisingly we have only been able to identify two systems we can do this on without breaking some kind of functionality that the client requires.

Somebody has suggested that this can simply be achieved by stopping the listening on network port 6000 but I'm not convinced.
TwoProc
Honored Contributor

Re: Disabling X windows services

Ian, other than removing all x-windows programs from the box - I don't think so. Even if port 6000 is shut - I can use "ssh -X" to get a tunnel to push X windows traffic through, and your security guy will tell you that you're *supposed* to use ssh. OK, now you've gotta take ssh out! Using that I see that I'm connected to my server on port 33088 and that changes w/ every new ssh command...

You could run swremove and get rid of all of the X packages - that would do it for sure.

Wait a minute, I know how, unplug it from the LAN... :-)
We are the people our parents warned us about --Jimmy Buffett
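An added example, not part of the original thread: a small audit that checks both paths discussed above, direct X/font-server listeners (ports 6000 and 7000) and X11 forwarding through sshd. It assumes HP-UX style `netstat -an` output with the local address written as `addr.port`, treats 6000-6063 as the X display range, and reads the OpenSSH `X11Forwarding` keyword; the sample inputs are constructed.

```shell
#!/bin/sh
# Audit X11-related exposure: direct listeners and ssh X11 forwarding.

# Constructed sample of `netstat -an` output (HP-UX style addr.port).
SAMPLE_NETSTAT='tcp        0      0  *.22            *.*             LISTEN
tcp        0      0  *.6000          *.*             LISTEN
tcp        0      0  *.7000          *.*             LISTEN
tcp        0      0  127.0.0.1.6010  *.*             LISTEN
tcp        0      0  10.0.0.5.22     10.0.0.9.33088  ESTABLISHED
udp        0      0  *.177           *.*'

# Constructed sshd_config fragment.
SAMPLE_SSHD='Port 22
#X11Forwarding no
X11Forwarding yes'

# Read netstat text on stdin; print listening TCP ports in the X display
# range (6000-6063) or the font server port (7000), space separated.
x_listeners() {
    awk '$1 ~ /^tcp/ && $NF == "LISTEN" {
        n = split($4, a, "[.]")      # port is the last dot-separated field
        p = a[n] + 0
        if ((p >= 6000 && p <= 6063) || p == 7000) print p
    }' | sort -nu | xargs
}

# Read sshd_config text on stdin; print "yes" or "no". The first
# uncommented occurrence wins and the OpenSSH default is "no".
# Match blocks are not evaluated here.
ssh_x11_forwarding() {
    awk 'tolower($1) == "x11forwarding" { print tolower($2); found = 1; exit }
         END { if (!found) print "no" }'
}

# $1 = netstat text, $2 = sshd_config text
x_exposure_report() {
    ports=$(printf '%s\n' "$1" | x_listeners)
    fwd=$(printf '%s\n' "$2" | ssh_x11_forwarding)
    if [ -z "$ports" ] && [ "$fwd" = "no" ]; then
        echo "no X listeners, no ssh X11 forwarding"
    else
        echo "X listeners: ${ports:-none}; ssh X11Forwarding: $fwd"
    fi
}

x_exposure_report "$SAMPLE_NETSTAT" "$SAMPLE_SSHD"
```

On a live host, feed the functions real data instead of the samples, for example `netstat -an | x_listeners`.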
Ian Foster_2
Frequent Advisor

Re: Disabling X windows services

Thanks guys - I think we're going to settle for checking out xhosts. I think there are plenty of other areas we should be worrying about tightening down without resorting to hacking about at the OS unnecessarily this way.
Ian Foster_2
Frequent Advisor

Re: Disabling X windows services

Make it secure without resorting to hacking at the functionality - I guess.