Carnegie Mellon University School of Computer Science

Security: X Server

If you are running an X server, such as X-Win32, XFree86, or other X server software, any client that can connect to your server will be able to monitor your keystrokes and perform other (possibly malicious) actions: the X protocol gives every connected client the same access to the display, so there is no isolation between a legitimate xterm and an intruder's client. This means that, if you do not enforce any type of access control for such clients, anyone on the internet can potentially see what you are typing at xterms or other X clients (note that they will not be able to see what you type at non-X Windows programs such as Internet Explorer). The SCS network is occasionally scanned for such "open" X servers by would-be intruders, who then connect to those servers with the intent of snooping passwords and breaking into SCS hosts.

One other thing to note is that X network traffic is not encrypted unless you use SSH forwarding or some other means to tunnel it. This means that anyone who can snoop on the network path between the client and server hosts can see keystrokes and other information. While this is a risk, it is much less of a risk than having no access control on your X server at all.

How to protect yourself using X-Win32 on a Windows PC

The easiest way to protect yourself is to:

  1. Go to the Start menu and select Programs > X-Win32 > X-Config. (There may be a version number after "X-Win32". Alternatively, you can right-click the X-Win32 icon in the taskbar and select X-Config.)
  2. Select the Security tab.
  3. Check the box labeled Access Control.

After this is done, you should receive a pop-up confirmation box such as the one below whenever a host tries to connect. It shows the X client attempting to connect along with its hostname and IP address, and you can accept or refuse the connection.

You can add a host to the local access list on the Security tab if you wish to avoid being prompted every time you get a connection from that particular host. Note: once a host is on that list, anyone logged in to it will be able to silently connect to your X server and snoop your keystrokes, so add only hosts you trust completely.

If you are using a Unix X server

The main thing to remember: whatever you do, do not run "xhost +", since that command disables access control entirely and lets anyone on the internet connect to your X server. If you absolutely must use xhost for some reason (but see below for alternatives), use it to allow access just for a particular machine (for example "xhost +hostname"), and keep in mind that anyone logged into that machine can then snoop your keystrokes. Running "xhost" with no arguments shows whether access control is enabled and which hosts are currently allowed; "xhost -" re-enables access control if it has been turned off.

Instead of xhost, you should use the X forwarding feature of SSH (ssh -X) for X access control and security: the remote client reaches your display through the SSH connection, so the X traffic is encrypted and your X server does not need to accept connections from the network at all. See the ssh man page for details on how to do so. Note that X forwarding prevents some attacks, such as sniffing keystrokes off the network, but does not remove all risks: a client forwarded from a remote host has the same access to your display as a local client, so anyone who controls that remote host can still read your keystrokes. (OpenSSH can mark forwarded clients as untrusted via the X SECURITY extension, which limits what they may do; see ForwardX11Trusted in ssh_config(5).) It is safest not to allow remote hosts to connect to your X server at all.
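The following shell script is an added example and is not part of the SCS page: it audits the output of "xhost" for the dangerous "xhost +" state described above and lists any remote hosts that have been granted access. The function names (classify_xhost, allowed_hosts) and the sample xhost output with the hostname remotehost.example.edu are constructed for illustration; the output formats they match ("access control disabled, clients can connect from any host", "INET:hostname") are the real messages xhost prints.

```shell
#!/bin/sh
# Added example (not from the SCS page): audit an X server's xhost access list.
#
# classify_xhost reads the output of `xhost` on stdin and prints one word:
#   OPEN        access control is disabled ("xhost +" was run): anyone can connect
#   HOSTLIST    access control is enabled but remote INET/INET6 hosts are allowed
#   LOCAL_ONLY  access control is enabled and no remote host is on the list
classify_xhost() {
  state=LOCAL_ONLY
  while IFS= read -r line; do
    case "$line" in
      "access control disabled"*) state=OPEN ;;
      INET:*|INET6:*) [ "$state" = OPEN ] || state=HOSTLIST ;;
    esac
  done
  printf '%s\n' "$state"
}

# allowed_hosts reads `xhost` output on stdin and prints the remote hosts
# (INET/INET6 entries) one per line, so each can be reviewed or removed
# with "xhost -<host>". Local "SI:localuser:<name>" entries are not remote
# hosts and are left out.
allowed_hosts() {
  sed -n 's/^INET6\{0,1\}:\(.*\)$/\1/p'
}

# Constructed sample xhost output (hostname is hypothetical), used so the
# functions can be exercised without a running X server.
SAMPLE_OPEN='access control disabled, clients can connect from any host'
SAMPLE_HOSTLIST='access control enabled, only authorized clients can connect
INET:remotehost.example.edu
SI:localuser:alice'
SAMPLE_LOCAL='access control enabled, only authorized clients can connect
SI:localuser:alice'

# Audit the live display, if there is one; otherwise the functions above
# can still be run against saved xhost output.
if [ -n "$DISPLAY" ] && command -v xhost >/dev/null 2>&1; then
  live=$(xhost 2>/dev/null)
  case "$(printf '%s\n' "$live" | classify_xhost)" in
    OPEN)
      echo "WARNING: access control is disabled on $DISPLAY; run: xhost -" ;;
    HOSTLIST)
      echo "Remote hosts allowed on $DISPLAY (remove with xhost -<host>):"
      printf '%s\n' "$live" | allowed_hosts ;;
    LOCAL_ONLY)
      echo "OK: $DISPLAY accepts only local/authenticated clients" ;;
  esac
fi
```

Running the script on a workstation prints one of the three verdicts for the current $DISPLAY; on a host that has been left in the OPEN state it tells you to run "xhost -" to restore access control, which is the only state in which the server will refuse arbitrary connections from the network.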