Restricting Port 6000 access in Cygwin/X

Mon Dec 9 15:27:00 GMT 2013

On 09/12/2013 14:37, Kevin Brown wrote:
> My company recently sent an audit finding requesting for our Cygwin/X users
> with a finding of the following;
> "The remote host is running an X11 server.  X11 is a client-server protocol
> that can be used to display graphical applications running on a given host
> on a remote client.   Since the X11 traffic is not ciphered, it is possible
> for an attacker to eavesdrop on the connection."
> The suggested solution was;
> "Restrict access to this port. If the X11 client/server facility is not
> used, disable TCP support in X11 entirely (-nolisten tcp)."
> My problem is that I haven't found any information that would help me
> accomplish this task. I've only recently taken over support of our Cygwin
> users and am not well versed in the software. Can this be done without
> breaking the functionality of the the software? If so, can you please
> advise on the steps to take to accomplish this?

The usual caveat applies: if you have an actual need for security, a random
person on the internet is not where you should be getting your information.

As suggested, if you start the X server with the option '-nolisten tcp' (see
'man Xserver'), then it will not accept remote connections.

There's probably something to be said for this being the default configuration
and requiring an explicit '-listen', but historically it's been this way.

If you then need to connect to remote clients, use ssh forwarding, see [1].


Volunteer Cygwin/X X Server maintainer

Unsubscribe info:
Problem reports:

More information about the Cygwin-xfree mailing list