Computing Facilities, Carnegie Mellon School of Computer Science, Carnegie Mellon University

X server security

The problem

If you are running an X server, such as X-Win32, XFree86, or other server software, any client that can connect to your server is able to monitor your keystrokes and perform other (possibly malicious) actions. This means that, if you do not enforce any type of access control for such clients, anyone on the Internet can potentially see what you are typing at xterms or other X clients (they will not be able to see what you type in native Windows applications such as Internet Explorer, since those are not X clients). The SCS network is occasionally scanned for such "open" X servers by would-be intruders, who then connect to those servers with the intent of snooping passwords and breaking into SCS hosts.

One other thing to note is that X network traffic is not encrypted (unless you use SSH forwarding or some other means to tunnel the traffic). This means that anyone who can snoop on the network connection between the client and server hosts can see keystrokes and other information. While this is a risk, it is much less of a risk than not having access control on your X server.

How to protect yourself

If you are using X-Win32 on a Windows PC

The easiest way to protect yourself is to:

  1. Go to the Start menu and select Programs > X-Win32 > X-Config. (There may be a version number after "X-Win32". Alternatively, right-click the X-Win32 icon in the taskbar and select X-Config.)
  2. Select the Security tab.
  3. Check the box labeled Access Control.

After this is done, you should receive a pop-up confirmation box such as the one below whenever a host tries to connect:

[Image: X-Win32 connection pop-up confirmation box]

You can add a host to the local access list on the security tab if you wish to avoid being prompted every time you get a connection from that particular host. Note: If you disable this prompting, anyone on that host will be able to silently connect to your X server and snoop your keystrokes.

If you are using a Unix X server

The main thing to remember: whatever you do, do not run "xhost +", since that command lets anyone on the Internet connect to your X server. If you must use xhost for some reason (see below for alternatives), grant access to one particular machine just long enough to start your client(s), then remove the grant as soon as the clients have started (changes to X access permissions do not affect existing connections, so the running clients keep working).

Instead of xhost, use the X forwarding feature of SSH for X access control and security; see the ssh man page for details on how to do so. Note that by default, the X server on Facilitized Red Hat 9 hosts is configured not to listen on external (TCP) ports, so remote clients can only reach it through a tunnel such as SSH forwarding. If using SSH is not practical, you can use xauth. See the xauth man page for details, or the Remote X Apps mini-HOWTO (off-site link).
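The two points made in the Unix section, never leave the server in the "xhost +" state, and grant a host access only for as long as it takes to start a client, can both be scripted. The following is an added example and not code from the SCS Facilities page: two POSIX sh helpers. xhost_audit reads the output of the xhost command and reports whether access control is disabled or whether network hosts have been granted access; with_temporary_xhost grants a single host access, starts the client, and revokes the grant as soon as the client has started. The function names and the host name vorlon.example.com are made up for the example; the lines it parses ("access control enabled/disabled ...", INET: and SI: entries) are the formats printed by the X.org xhost command.

```shell
#!/bin/sh
# Added example, not part of the SCS Facilities page. Two POSIX sh helpers
# around the xhost command:
#   xhost_audit          - classify the current xhost state from its output
#   with_temporary_xhost - grant one host access only for as long as it
#                          takes to start a client, then revoke the grant
# The host name vorlon.example.com in the comments is made up.

# xhost_audit reads the output of `xhost` on stdin.
# Exit status: 0 = access control on, no network hosts granted
#              1 = access control on, but one or more network hosts granted
#              2 = access control disabled ("xhost +" state): anyone may connect
# Usage: xhost | xhost_audit
xhost_audit() {
    status=0
    while IFS= read -r line; do
        case $line in
            "access control disabled"*)
                status=2 ;;
            INET:*|INET6:*|DNET:*|NIS:*|KRB:*)
                # a network host (or network-authenticated user) has been granted access
                if [ "$status" -lt 1 ]; then status=1; fi ;;
            *)
                # header line, or a local entry such as SI:localuser:joe or LOCAL:
                ;;
        esac
    done
    return "$status"
}

# with_temporary_xhost HOST COMMAND [ARG...]
# Runs `xhost +HOST`, runs COMMAND, and runs `xhost -HOST` as soon as COMMAND
# returns (also if the script is interrupted with Ctrl-C). Clients that have
# already connected keep their connection, because changes to X access
# permissions do not affect existing connections.
# COMMAND must return only after the client has connected, otherwise the grant
# is revoked before the client gets in.
# Usage: with_temporary_xhost vorlon.example.com sh -c 'xterm & sleep 5'
with_temporary_xhost() {
    host=$1
    shift
    xhost "+$host" >/dev/null || return 1
    # revoke the grant even if we are interrupted while COMMAND runs
    trap 'xhost "-$host" >/dev/null; trap - INT TERM' INT TERM
    "$@"
    rc=$?
    trap - INT TERM
    xhost "-$host" >/dev/null
    return "$rc"
}
```

Run xhost | xhost_audit in a shell whose DISPLAY points at the server being checked; an exit status of 2 means the server is in the "xhost +" state this page warns about, and 1 means some remote host can connect silently. with_temporary_xhost assumes the same DISPLAY and must be given a command that returns only once the client has connected (the sh -c 'xterm & sleep 5' form in the comment is one way to do that), since the grant is removed the moment the command returns.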