adding "-nolisten tcp" to X11/GDM startup


adding "-nolisten tcp" to X11/GDM startup

Post by labuss » 2019/01/23 19:03:40

Hi folks
A Nessus scan flagged this as a vulnerability:
------------------------------------------------
10407 - X Server Detection
Synopsis
An X11 server is listening on the remote host
Description
The remote host is running an X11 server. X11 is a client-server protocol that can be used to display graphical applications running on a given host on a remote client.

Since the X11 traffic is not ciphered, it is possible for an attacker to eavesdrop on the connection.
Solution
Restrict access to this port. If the X11 client/server facility is not used, disable TCP support in X11 entirely (-nolisten tcp).
Risk Factor
Low
CVSS Base Score
2.6 (CVSS2#AV:N/AC:H/Au:N/C:P/I:N/A:N)
Plugin Information:
Published: 2000/05/12, Modified: 2013/01/25
Plugin Output
tcp/6000

X11 Version : 11.0
------------------------------------------------

I've checked out /etc/gdm/custom.conf and there are no settings configured, but when I run netstat I can still see port 6000 (X11) listening. This system is a standalone workstation that will not have to connect to another machine for display purposes, so disabling XDMCP is fine.

I thought about adding "-nolisten tcp" to the X11 startup but cannot seem to locate the right config file for this.

Would anyone be able to point me in the right direction on the best way to handle this? Firewalld? etc?

Thanks
-LB


[Solved] Re: adding "-nolisten tcp" to X11/GDM startup

Post by labuss » 2019/01/24 16:04:29

Appears this is a current bug. Reference Red Hat Bugzilla 1647621

No matter what options you place in /etc/gdm/custom.conf they are ignored.

Kudos Andrew Galford, end poster in 1647621 comments, for a workaround. /usr/bin/X:

    #!/bin/bash
    # Wrapper in place of the X binary: pass GDM's arguments through unchanged
    # and append -nolisten tcp so the server never opens the TCP socket.
    exec /usr/bin/Xorg "$@" -nolisten tcp
    exit 0

Another workaround, and some may prefer this over the above, is to configure firewalld to block/regulate all inbound access to port 6000.

Cheers
-LB
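An added check, not from the thread, for verifying that the wrapper actually took effect: it reads listener output in the shape of `ss -ltn` and the running Xorg command line, and reports EXPOSED (X display port listening, no flag), CLOSED, or INCONSISTENT. The sample lines below are constructed; on a live host feed it the real output of `ss -ltn` and `ps -o args= -C Xorg`.

```shell
#!/bin/bash
# Constructed sample output in the shape of `ss -ltn`, before and after the fix.
SS_BEFORE='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128          0.0.0.0:22        0.0.0.0:*
LISTEN 0      128          0.0.0.0:6000      0.0.0.0:*
LISTEN 0      128             [::]:6000         [::]:*'
SS_AFTER='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128          0.0.0.0:22        0.0.0.0:*'

# Constructed Xorg command lines in the shape of `ps -o args= -C Xorg`.
PS_BEFORE='/usr/bin/Xorg :0 -background none -noreset -auth /run/gdm/auth-for-gdm-EXAMPLE/database -seat seat0 vt1'
PS_AFTER="$PS_BEFORE -nolisten tcp"

# Print every X display port (6000-6063) that has a TCP listener, one per line.
# The port is the last ':'-separated piece of the Local Address:Port column,
# which also handles IPv6 forms such as [::]:6000.
x11_tcp_ports() {
    printf '%s\n' "$1" | awk '
        $1 == "LISTEN" {
            n = split($4, a, ":"); p = a[n] + 0
            if (p >= 6000 && p <= 6063) print p
        }'
}

# Exit 0 when the Xorg command line carries "-nolisten tcp" as its own option.
xorg_has_nolisten_tcp() {
    printf '%s\n' "$1" | grep -Eq -- '(^|[[:space:]])-nolisten[[:space:]]+tcp([[:space:]]|$)'
}

# Single verdict from both signals. INCONSISTENT means the flag and the socket
# state disagree (e.g. flag added but the old server is still running).
x11_verdict() {
    ports=$(x11_tcp_ports "$1")
    if xorg_has_nolisten_tcp "$2"; then flag=1; else flag=0; fi
    if [ -n "$ports" ] && [ "$flag" -eq 0 ]; then echo EXPOSED
    elif [ -z "$ports" ] && [ "$flag" -eq 1 ]; then echo CLOSED
    else echo INCONSISTENT
    fi
}

x11_verdict "$SS_BEFORE" "$PS_BEFORE"   # EXPOSED
x11_verdict "$SS_AFTER" "$PS_AFTER"     # CLOSED
```

A CLOSED verdict only says the server is not listening; if the firewalld route was chosen instead, the socket stays open and the check reports EXPOSED, which is expected for that configuration.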
