Data Support Group

 

Procedure for Securing Hummingbird's Exceed X-Server

 

 

 

Due to a recently declared critical vulnerability, we have to secure our X servers. An open X server is one which accepts X client connections without restriction or authentication of the client. Internet attackers are scanning networks for open X servers. In particular, scanning is done from a compromised system inside a site's perimeter, so blocking the X server ports at the boundary is only a small help in preventing attacks on X.

 

 

An X client can obtain an image of any open window or the entire display, copies of all keypress and/or mouse events sent to any window, and can send synthetic events to windows. If an intruder has this access, he can essentially control all applications and sessions you have running. That leads to compromises of at least your account, and sometimes the entire system, on every machine you are logged into. Further information about this can be found at http://computing.fnal.gov/security/CriticalVuln/X-Servers.html

 

Open X-servers will be blocked as of Monday October 18th, 2004.

 

 

Here is the procedure to secure Hummingbird's Exceed X-Server.  This procedure only pertains to versions 8 and 9 of the software.

 

Step 1.  Using your Fermi Windows account, browse to this location: \\ppdserver\pcapps\HummingBird\hostAllowFile\ and copy the xhost.txt file to c:\program files\hummingbird.

 

NOTE: If you are unable to download this file or would like to create it by hand, see the last page of this document for the proper location to edit this file and its format.

 

Step 2.  Select Xconfig from the Exceed menu item.

 

Securing_Hummingbird_Exceed_1_0001

 

Step 3.  Select security, access control, and system administration.

 

Securing_Hummingbird_Exceed_2_0001

 

Step 4.  Select the file option at the top of the page.

 

Securing_Hummingbird_Exceed_3_0001

 

Step 5.  Select Browse and locate the xhost.txt file that you saved in c:\program files\hummingbird in Step 1.

Note: the file menu defaults to a folder which contains a generic xhost.txt file.  Please make sure you use the pull down box to select the correct folder where you saved the Fermilab configured version of the xhost.txt file.  After locating the correct xhost.txt file press the Open button to confirm.

Securing_Hummingbird_Exceed_4_0001

 

Step 6.  Select the check mark at the top of the window.  Answer OK when prompted that the server will restart.

 

Note: if the Exceed X server is not running, you will not be prompted to restart it.

 

Securing_Hummingbird_Exceed_5_0001

 

At this point your X sessions should be secure, and functionality should work the same for servers that are configured in the xhost.txt file.
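One way to confirm the result of Step 6, as an added example that is not part of the original procedure: the Python sketch below sends the standard X11 connection setup request with no authorization data and classifies the server's reply, which is exactly the "open X server" condition described at the top of this document. The function names, the sample replies and the hostname in the final comment are assumptions made for illustration; the check is meant to be run against your own PC from a host that is not listed in xhost.txt.

```python
import socket
import struct

# X11 connection setup request carrying no authorization data (12 bytes):
# byte order 'l' (LSB first), pad, protocol 11.0, auth name/data lengths 0, pad.
SETUP_REQUEST = struct.pack("<BxHHHHxx", ord("l"), 11, 0, 0, 0)

STATUS = {0: "failed", 1: "success", 2: "authenticate"}


def classify_setup_reply(reply: bytes) -> tuple[str, str]:
    """Return (verdict, detail) for the first bytes of a server's setup reply."""
    if len(reply) < 8:
        return ("refused", "connection closed before a setup reply was sent")
    status, reason_len = reply[0], reply[1]
    extra_words = struct.unpack_from("<H", reply, 6)[0]  # length in 4-byte units
    if status == 1:
        return ("OPEN", "server accepted a client that sent no authorization")
    if status == 0:
        reason = reply[8:8 + reason_len]
    elif status == 2:
        reason = reply[8:8 + 4 * extra_words].rstrip(b"\x00")
    else:
        return ("unknown", f"unexpected status byte {status}")
    return ("refused", f"{STATUS[status]}: {reason.decode('latin-1')}")


def check_display(host: str, display: int = 0, timeout: float = 5.0) -> tuple[str, str]:
    """Send the no-auth setup request to TCP 6000+display and classify the reply."""
    try:
        with socket.create_connection((host, 6000 + display), timeout=timeout) as s:
            s.sendall(SETUP_REQUEST)
            reply = s.recv(4096)
    except OSError as exc:
        return ("unreachable", f"no connection: {exc}")
    return classify_setup_reply(reply)


# Constructed sample replies (not captured from a real server).
SAMPLE_OPEN = struct.pack("<BxHHH", 1, 11, 0, 0)
_reason = b"Client is not authorized"
SAMPLE_REFUSED = struct.pack("<BBHHH", 0, len(_reason), 11, 0, len(_reason) // 4) + _reason

if __name__ == "__main__":
    print(classify_setup_reply(SAMPLE_OPEN))
    print(classify_setup_reply(SAMPLE_REFUSED))
    # Hypothetical hostname; substitute your own PC and run from an unlisted host:
    # print(check_display("my-pc.example.org"))
```

A verdict of "OPEN" means the access control file is not in effect and Steps 2 through 6 should be repeated; "unreachable" only means no connection was made, for example because Exceed is not running.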

 

HAND EDITING OF THE xhost.txt file.

 

If you need to add additional servers or you need to create the xhost.txt file by hand, click the Edit button in the image above, as indicated by the arrow, and use the format below.