
Why all of these open ports when using GNOME.


Paul Martin Elliott

Dec 19, 2000, 10:46:30 PM

When I am using GNOME, lsof shows all of these open ports.


gnome-ses 600 pelliott 3u IPv4 587 TCP *:blackjack (LISTEN)
esd 618 pelliott 3u IPv4 587 TCP *:blackjack (LISTEN)
panel 636 pelliott 6u IPv4 1588 TCP *:1033 (LISTEN)
gmc 639 pelliott 6u IPv4 1831 TCP *:1035 (LISTEN)
gnome-nam 641 pelliott 4u IPv4 1615 TCP *:1034 (LISTEN)
gen_util_ 647 pelliott 5u IPv4 2474 TCP *:1036 (LISTEN)
tasklist_ 650 pelliott 5u IPv4 2502 TCP *:1037 (LISTEN)


Are these open ports necessary for GNOME to work? Is there
any convenient way to force gnome to bind these ports to localhost
so that they will not be hackable from outside my computer.

Yes, I know you can use a firewall, but I do not entirely trust
firewalls, and it would be better if outsiders could not even
see the ports.

If there is no commandline switch or environment variable,
which module would I have to hack in the source (use the source Luke)
to force these ports to be bound to the localhost??


Thank You.

--
Paul Elliott Telephone: 1(512)837-9345
pell...@io.com Address: PMB 181, 11900 Metric Blvd Suite J
http://www.io.com/~pelliott/pme/ Austin TX 78758-3117

I R A Darth Aggie

Dec 19, 2000, 11:40:46 PM
On Wed, 20 Dec 2000 03:46:30 GMT,
Paul Martin Elliott <pell...@hrnowl.io.com>, in
<slrn940au9....@hrnowl.io.com> wrote:

+ Are these open ports necessary for GNOME to work? Is there
+ any convenient way to force gnome to bind these ports to localhost
+ so that they will not be hackable from outside my computer.

Try running a portscan against your machine...that'll show you what's
open and what's not...

James
--
Consulting Minister for Consultants, DNRC
The Bill of Rights is paid in Responsibilities - Jean McGuire
To cure your perl CGI problems, please look at:
<url:http://www.perl.com/CPAN/doc/FAQs/cgi/idiots-guide.html>

Tim Haynes

Dec 20, 2000, 3:36:01 AM
sy_n...@gurcragntba.pbz (I R A Darth Aggie) writes:

> On Wed, 20 Dec 2000 03:46:30 GMT,
> Paul Martin Elliott <pell...@hrnowl.io.com>, in
> <slrn940au9....@hrnowl.io.com> wrote:
>
> + Are these open ports necessary for GNOME to work? Is there
> + any convenient way to force gnome to bind these ports to localhost
> + so that they will not be hackable from outside my computer.
>
> Try running a portscan against your machine...that'll show you what's
> open and what's not...

What good does that do when he's just pasted the output from netstat for
us?

I don't know of a way around the gnome apps listening. But I will recommend
a firewall - ipchains is pretty trustworthy, and covers the OP's
requirement that others won't see the ports just fine, if you implement a
suitable rule-set.

~Tim
--
Newton and Adam, lost and found, |pig...@glutinous.custard.org
The apple must fall to the ground |http://piglet.is.dreaming.org

Joe Schaefer

Dec 20, 2000, 9:06:47 AM
pell...@hrnowl.io.com (Paul Martin Elliott) writes:

> When I am using GNOME, lsof shows all of these open ports.
>
>
> gnome-ses 600 pelliott 3u IPv4 587 TCP *:blackjack (LISTEN)
> esd 618 pelliott 3u IPv4 587 TCP *:blackjack (LISTEN)
> panel 636 pelliott 6u IPv4 1588 TCP *:1033 (LISTEN)
> gmc 639 pelliott 6u IPv4 1831 TCP *:1035 (LISTEN)
> gnome-nam 641 pelliott 4u IPv4 1615 TCP *:1034 (LISTEN)
> gen_util_ 647 pelliott 5u IPv4 2474 TCP *:1036 (LISTEN)
> tasklist_ 650 pelliott 5u IPv4 2502 TCP *:1037 (LISTEN)
>
>
> Are these open ports necessary for GNOME to work? Is there
> any convenient way to force gnome to bind these ports to localhost
> so that they will not be hackable from outside my computer.
>

What version of gnome are you running? I had this problem with older
versions, but the last version I installed (~2 months ago) doesn't
have all these open ports. OTOH, my install might be broken now,
but I can't tell the difference :)

--
Joe Schaefer

ell...@crosswinds.net

Dec 20, 2000, 11:36:56 AM
In comp.os.linux.security Paul Martin Elliott <pell...@hrnowl.io.com> wrote:
> Are these open ports necessary for GNOME to work? Is there
> any convenient way to force gnome to bind these ports to localhost
> so that they will not be hackable from outside my computer.

Yes, they are. You just can't get around having sockets with a
networked window system.

You can, however, use unix domain sockets instead. That satisfies all
of your requirements. Rather than lsof, I'd recommend you try netstat
-a and see if they are, in fact, tcp sockets. If they are, I'm afraid
you'll have to do some digging as to how to configure your session in
the X or gnome groups.

> Yes, I know you can use a firewall, but I do not entirely trust
> firewalls, and it would be better if outsiders could not even
> see the ports.

> If there is no commandline switch or environment variable,
> which module would I have to hack in the source (use the source Luke)
> to force these ports to be bound to the localhost??

IIRC, there's a notcp option or somesuch to one of the commands in the
X chain, but I don't remember which one.

--
Matt Gauthier <ell...@crosswinds.net>

Steve Cox

Dec 20, 2000, 9:34:37 PM
In article <slrn940au9....@hrnowl.io.com>, pell...@hrnowl.io.com
wrote:

>
> When I am using GNOME, lsof shows all of these open ports.
>
>
> gnome-ses 600 pelliott 3u IPv4 587 TCP *:blackjack (LISTEN)
> esd 618 pelliott 3u IPv4 587 TCP *:blackjack (LISTEN)
> panel 636 pelliott 6u IPv4 1588 TCP *:1033 (LISTEN)
> gmc 639 pelliott 6u IPv4 1831 TCP *:1035 (LISTEN)
> gnome-nam 641 pelliott 4u IPv4 1615 TCP *:1034 (LISTEN)
> gen_util_ 647 pelliott 5u IPv4 2474 TCP *:1036 (LISTEN)
> tasklist_ 650 pelliott 5u IPv4 2502 TCP *:1037 (LISTEN)
>
>

Hi,

To stop gnome/ORBit using TCP sockets, edit either the global
/etc/orbitrc file or a local ~/.orbitrc file with:

ORBIIOPUSock=1
ORBIIOPIPv4=0
ORBIIOPIPv6=0

This should now be the default (security reasons) on most latest distros.
Details can be found via:
http://orbit-resource.sourceforge.net/faq.html
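
Added example, not part of any post in this thread: a shell check that classifies the TCP listeners in lsof output like the original poster's as wildcard, loopback or specific-address, so the effect of a change such as the orbitrc edit can be confirmed. The function names and the last two sample lines are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread). Function names are hypothetical.

# Read lsof -i style lines on stdin and print
#   "<scope> <command> <pid> <port>"
# for every TCP socket in LISTEN state. Fields are taken relative to the
# end of the line, so an extra SIZE/OFF column does not matter.
# scope: wildcard = bound to every interface, loopback = local only,
#        specific = bound to one non-loopback address.
classify_listeners() {
    awk '
    $NF == "(LISTEN)" && $(NF-2) == "TCP" {
        name = $(NF-1)
        n    = split(name, parts, ":")
        port = parts[n]                       # last ":" field, also for [::1]:port
        addr = substr(name, 1, length(name) - length(port) - 1)
        if (addr == "*")
            scope = "wildcard"
        else if (addr == "localhost" || addr ~ /^127\./ || addr == "[::1]")
            scope = "loopback"
        else
            scope = "specific"
        print scope, $1, $2, port
    }'
}

# Exit status 0 only when stdin contains no wildcard-bound listener.
no_wildcard_listeners() {
    ! classify_listeners | grep -q '^wildcard '
}

# Sample input: the first two lines are from the lsof output in the thread,
# the last two are constructed to show the loopback cases.
SAMPLE='panel 636 pelliott 6u IPv4 1588 TCP *:1033 (LISTEN)
gmc 639 pelliott 6u IPv4 1831 TCP *:1035 (LISTEN)
sshd 412 root 3u IPv4 901 TCP localhost:2222 (LISTEN)
httpd 500 root 4u IPv6 950 TCP [::1]:8080 (LISTEN)'

printf '%s\n' "$SAMPLE" | classify_listeners

# On a live system:  lsof -nP -iTCP | classify_listeners
```

After changing the ORBit configuration and logging back in, piping fresh lsof output through `no_wildcard_listeners` gives a yes/no answer that does not depend on reading the listing by eye.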
