Hi,
I am testing x2go - looks like a very good alternative to other solutions!
However, I see that (only) when I am logged in via x2goclient I have an x2goagent process listening on all network interfaces on port 6050
I did not find any hint on a "listen 127.0.0.1" configuration item and where to put it, if existing - how can I make x2goagent NOT listen on a public network interface?
Thanks for your attention, Bughunter
Hi Bughunter,
On Mi 08 Feb 2012 22:35:55 CET BUGHUNTER wrote:
> Hi,
> I am testing x2go - looks like a very good alternative to other solutions!
> However, I see that (only) when I am logged in via x2goclient I have an x2goagent process listening on all network interfaces on port 6050
> - I would feel better if this software did only listen on 127.0.0.1, if this is technically possible.
> I did not find any hint on a "listen 127.0.0.1" configuration item and where to put it, if existing - how can I make x2goagent NOT listen on a public network interface?
> Thanks for your attention, Bughunter
Thanks for bringing this up!
I had a discussion with another of the developers (Alex) and we do not
know either, if there is a NX-builtin solution for just listening on
the localhost IP socket.
Our current recommendation is to use iptables, which you have to use
anyway, if your system runs in the public space somewhere.
Greets, Mike
--
DAS-NETZWERKTEAM mike gabriel, dorfstr. 27, 24245 barmissen fon: +49 (4302) 281418, fax: +49 (4302) 281419
GnuPG Key ID 0xB588399B mail: mike.gabriel@das-netzwerkteam.de, http://das-netzwerkteam.de
freeBusy: https://mail.das-netzwerkteam.de/freebusy/m.gabriel%40das-netzwerkteam.de.xf...
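A check for the exposure discussed in this thread, as an added example that is not part of the original messages or of X2Go: it filters `ss -H -ltnp` output for x2goagent listeners bound to a non-loopback address and prints (without applying) matching iptables DROP rules. The sample lines are constructed, the function names are hypothetical, and the rules assume sessions are reached only through SSH, so nothing remote needs the port.

```shell
#!/bin/sh
# Added example, not X2Go code. Input format: `ss -H -ltnp` (iproute2).

# Constructed sample of `ss -H -ltnp` output; pids and fds are made up.
sample_ss_output() {
cat <<'EOF'
LISTEN 0 128 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=811,fd=3))
LISTEN 0 5 127.0.0.1:631 0.0.0.0:* users:(("cupsd",pid=702,fd=7))
LISTEN 0 128 0.0.0.0:6050 0.0.0.0:* users:(("x2goagent",pid=4242,fd=5))
LISTEN 0 128 [::]:6050 [::]:* users:(("x2goagent",pid=4242,fd=6))
EOF
}

# exposed_listeners PROC: read ss output on stdin, print "addr port" for
# every listener of PROC that is not bound to 127.0.0.0/8 or [::1].
exposed_listeners() {
    awk -v proc="$1" '
        $1 == "LISTEN" && index($0, "(\"" proc "\"") {
            la = $4                          # e.g. 0.0.0.0:6050 or [::]:6050
            n = split(la, parts, ":")
            port = parts[n]                  # port is the last ":" field
            addr = substr(la, 1, length(la) - length(port) - 1)
            if (addr ~ /^127\./ || addr == "[::1]") next
            print addr, port
        }'
}

# drop_rules: turn "addr port" lines into firewall commands that drop
# inbound traffic to that port on every interface except loopback.
# The commands are only printed, never executed.
drop_rules() {
    while read -r addr port; do
        case "$addr" in
            \[*) tools="ip6tables" ;;            # IPv6 bind
            \*)  tools="iptables ip6tables" ;;   # dual-stack wildcard
            *)   tools="iptables" ;;             # IPv4 bind
        esac
        for t in $tools; do
            echo "$t -A INPUT ! -i lo -p tcp --dport $port -j DROP"
        done
    done
}

# Demo on the constructed sample; on a live server use:
#   ss -H -ltnp | exposed_listeners x2goagent | drop_rules
sample_ss_output | exposed_listeners x2goagent | drop_rules
```

Run `ss` as root on a live system, since `-p` only shows process names for sockets the caller is allowed to inspect.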
Hello Mike,
> I had a discussion with another of the developers (Alex) and we do not know either, if there is a NX-builtin solution for just listening on the localhost IP socket.
could this be considered as an important missing feature? I did not find any way to put a feature request into a bugtracker, maybe you would like to do this or forward this to anybody who is more familiar with the development infrastructure? I am just an accidental by-walker and would like to proceed with other things... THANKS!
> Our current recommendation is to use iptables, which you have to use anyway, if your system runs in the public space somewhere.
Well, of course it is always possible to find a workaround - fixing the source of the problem is a better approach.
x2go really looks like good quality software - but it is fair to say that listening on all interfaces by default is not exactly known as "good behaviour".
I have no time investigating deeper into this, but of course this smells like "easy remote exploit" - I really would see this fixed ASAP
Please do not wait until somebody else checks if this is a good way to exploit an x2go server - hopefully it is NOT!
Thanks, Bughunter
Hi Bughunter,
On Sa 18 Feb 2012 17:08:35 CET BUGHUNTER wrote:
>> I had a discussion with another of the developers (Alex) and we do not know either, if there is a NX-builtin solution for just listening on the localhost IP socket.
> could this be considered as an important missing feature? I did not find any way to put a feature request into a bugtracker, maybe you would like to do this or forward this to anybody who is more familiar with the development infrastructure? I am just an accidental by-walker and would like to proceed with other things... THANKS!
Yes, will do. Thanks for bringing it up!!!
>> Our current recommendation is to use iptables, which you have to use anyway, if your system runs in the public space somewhere.
> Well, of course it is always possible to find a workaround - fixing the source of the problem is a better approach.
> x2go really looks like good quality software - but it is fair to say that listening on all interfaces by default is not exactly known as "good behaviour".
> I have no time investigating deeper into this, but of course this smells like "easy remote exploit" - I really would see this fixed ASAP
> - and until it is not fixed it would be fair to put a big, red warning on the website and instruct users about how to configure their firewall until this problem is fixed - I bet there are many people not even knowing about this issue.
Done (not a big red sign though...) http://wiki.x2go.org/wiki:security:start?goagent
> Please do not wait until somebody else checks if this is a good way to exploit an x2go server - hopefully it is NOT!
Fair enough. I am one of the core developers of X2Go and I will urge
the team towards a solution/patch against NoMachine's nxagent.
> Thanks, Bughunter
Greets + big thanks! Mike