Computer Insecurity

From BNL Physics Computing

There are certain common pitfalls in securing computer systems.

Open X11 Servers

X11 or "X-windows" X-servers (i.e., the program that provides your X display) can easily be run in a very insecure manner. This is referred to as "open X11" or "xhost +" (typing xhost + is one way to turn on the vulnerability; don't do this). Some X-servers that run under MS Windows have this vulnerability turned on by default. Most recent versions of Unix/Linux operating systems have a secure default configuration of their X-server. This vulnerability has been exploited in the past at BNL and used to uncover passwords.

If this vulnerability is turned on, it is trivial for anyone on the BNL network to use commonly available X11 applications to compromise your security. For example, your desktop can be viewed, every keystroke can be captured, and even your mouse and keyboard input can be controlled.

To turn this vulnerability off in the current session, simply type

 xhost - 

in an xterm.

You should consult the documentation for your X-server to determine how to enable access control permanently so that you do not have to type the above command each time you log in.

Then to allow clients to display on your server securely, access the remote system via SSH with X11 forwarding turned on:

 ssh -X user@remotehost.bnl.gov

You can make forwarding of X11 the default by adding the line

  ForwardX11 yes

to your /etc/ssh/ssh_config or your personal ~/.ssh/config file. If you have never forwarded X11 traffic through an SSH tunnel before, you should make sure that you are not explicitly setting your DISPLAY variable on the remote machine. The SSH session will set the DISPLAY variable correctly for you when told to forward X11.
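
To check both points above (whether access control is on, and whether DISPLAY was set by SSH rather than by hand), the following is an added example, not part of the original page. The function names and sample text are constructed for illustration; the DISPLAY classification assumes the OpenSSH server defaults (X11UseLocalhost yes, X11DisplayOffset 10).

```shell
#!/bin/sh
# Added example (not from the original page): classify X server access
# control from the text `xhost` prints, and sanity-check a DISPLAY value.

# Constructed samples in the format `xhost` prints when run with no arguments.
SAMPLE_OPEN='access control disabled, clients can connect from any host'
SAMPLE_CLOSED='access control enabled, only authorized clients can connect
SI:localuser:alice
INET:desk1.example.org'

# xhost_state TEXT: "open" is the state after `xhost +`,
# "restricted" is the state after `xhost -`.
xhost_state() {
    case "$1" in
        *"access control disabled"*) echo open ;;
        *"access control enabled"*)  echo restricted ;;
        *)                           echo unknown ;;
    esac
}

# network_hosts TEXT: list entries that admit an entire network host
# (INET: / INET6: families) rather than a single local user (SI:localuser:).
network_hosts() {
    printf '%s\n' "$1" | sed -n 's/^INET6\{0,1\}:\(.*\)$/\1/p'
}

# display_kind VALUE: how a DISPLAY value on the remote machine was likely set.
# Assumption: sshd uses its defaults, so forwarded displays are localhost:10 and up.
display_kind() {
    case "$1" in
        "")                     echo unset ;;
        localhost:[1-9][0-9]*)  echo ssh-forwarded ;;
        :*|unix:*|localhost:*)  echo local ;;
        *:*)                    echo remote-direct ;;  # set by hand to a network host
        *)                      echo unknown ;;
    esac
}

# Demonstration on the constructed samples.
echo "sample 1 state: $(xhost_state "$SAMPLE_OPEN")"
echo "sample 2 state: $(xhost_state "$SAMPLE_CLOSED")"
echo "sample 2 network hosts: $(network_hosts "$SAMPLE_CLOSED")"
echo "DISPLAY=localhost:10.0 -> $(display_kind "localhost:10.0")"
echo "DISPLAY=desk1.example.org:0 -> $(display_kind "desk1.example.org:0")"
```

On a real desktop, pass the live output instead of the samples, e.g. xhost_state "$(xhost)" locally and display_kind "$DISPLAY" inside the SSH session.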