
I have an Xvfb server running as a systemd service, and it binds to * instead of localhost. For security reasons this is not recommended, and I can't find a way to bind it to localhost. Does anyone know how to make Xvfb bind to localhost? Thanks

```
# cat /etc/systemd/system/xvfb.service
[Unit]
Description=XVFB Server
After=network.target

[Install]
WantedBy=multi-user.target

[Service]
Type=simple

Restart=always
RestartSec=10

TimeoutSec=30

User=xvfb
Group=xvfb

ExecStart=/usr/bin/Xvfb -screen 0, 1024x768x16
```

```
# systemctl status xvfb
● xvfb.service - XVFB Server
   Loaded: loaded (/etc/systemd/system/xvfb.service; enabled; vendor preset: disabled)
   Active: active (running) since Thu 2020-05-28 18:13:57 UTC; 1min 4s ago
 Main PID: 11395 (Xvfb)
   Memory: 4.3M
   CGroup: /system.slice/xvfb.service
           └─11395 /usr/bin/Xvfb -screen 0, 1024x768x16

May 28 18:13:57 ip-10-73-36-143.ec2.internal Xvfb[11395]: Initializing built-in extension MIT-SCREEN-SAVER
May 28 18:13:57 ip-10-73-36-143.ec2.internal Xvfb[11395]: Initializing built-in extension DOUBLE-BUFFER
May 28 18:13:57 ip-10-73-36-143.ec2.internal Xvfb[11395]: Initializing built-in extension RECORD
May 28 18:13:57 ip-10-73-36-143.ec2.internal Xvfb[11395]: Initializing built-in extension DPMS
May 28 18:13:57 ip-10-73-36-143.ec2.internal Xvfb[11395]: Initializing built-in extension Present
May 28 18:13:57 ip-10-73-36-143.ec2.internal Xvfb[11395]: Initializing built-in extension X-Resource
May 28 18:13:57 ip-10-73-36-143.ec2.internal Xvfb[11395]: Initializing built-in extension XVideo
May 28 18:13:57 ip-10-73-36-143.ec2.internal Xvfb[11395]: Initializing built-in extension XVideo-MotionCompensation
May 28 18:13:57 ip-10-73-36-143.ec2.internal Xvfb[11395]: Initializing built-in extension SELinux
May 28 18:13:57 ip-10-73-36-143.ec2.internal Xvfb[11395]: Initializing built-in extension GLX
```

```
# lsof -Pi | grep -i 'listen'
Xvfb      11395        xvfb    0u  IPv6 2029253      0t0  TCP *:6000 (LISTEN)
Xvfb      11395        xvfb    1u  IPv4 2029254      0t0  TCP *:6000 (LISTEN)
```

1 Answer

The safest solution is to just close all the ports like this:

```
Xvfb :0 -nolisten tcp
```
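An X server for display :N listens on TCP port 6000+N, so the `*:6000` lines in the question mean display :0 is reachable from every interface. The following is an added check, not code from the question or the answer, that scans `lsof`-style LISTEN lines (a constructed sample modelled on the output above) and reports X11 display ports that are bound to anything other than loopback; after switching the unit to `-nolisten tcp` the scan should come back empty. The function names and the sample lines are my own.

```shell
#!/bin/sh
# Added example: flag X11 display ports (6000-6063) that are listening
# on a wildcard or non-loopback address.  Constructed sample input in
# the layout of `lsof -Pi`, including one hardened localhost-only line.
SAMPLE_LSOF='Xvfb      11395        xvfb    0u  IPv6 2029253      0t0  TCP *:6000 (LISTEN)
Xvfb      11395        xvfb    1u  IPv4 2029254      0t0  TCP *:6000 (LISTEN)
sshd       1234        root    3u  IPv4   12345      0t0  TCP *:22 (LISTEN)
Xvfb      11396        xvfb    0u  IPv4 2029300      0t0  TCP 127.0.0.1:6001 (LISTEN)'

# Print "<pid> <addr>:<port>" for every TCP listener on an X11 display
# port whose address is not loopback.  Reads lsof output from $1.
exposed_x11_listeners() {
    printf '%s\n' "$1" | awk '
        $NF == "(LISTEN)" && $(NF-2) == "TCP" {
            name = $(NF-1)
            n = split(name, parts, ":")
            port = parts[n] + 0
            # everything before the final ":" is the bind address
            addr = substr(name, 1, length(name) - length(parts[n]) - 1)
            if (port < 6000 || port > 6063) next
            if (addr == "127.0.0.1" || addr == "[::1]" || addr == "localhost") next
            print $2, name
        }'
}

# Succeeds (exit 0) only when no X11 display port is exposed.
check_x11_exposure() {
    [ -z "$(exposed_x11_listeners "$1")" ]
}

# Stand-alone run against the constructed sample; on a live host use
#   exposed_x11_listeners "$(lsof -nPi -sTCP:LISTEN)"
exposed_x11_listeners "$SAMPLE_LSOF"
```

The `-n` flag keeps `lsof` from resolving addresses to hostnames, so loopback shows up as `127.0.0.1` or `[::1]` and the comparison above stays reliable.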
  • So the config should be like this: `ExecStart=/usr/bin/Xvfb :0 -nolisten tcp -screen 0, 1024x768x16`? – Nam Nguyen May 28 '20 at 18:25
  • @NamNguyen Maybe like this: `ExecStart='/usr/bin/Xvfb :0 -nolisten tcp -screen 0, 1024x768x16'`, just in case. Let me know if this works for you. – bhristov May 28 '20 at 18:30
  • The option `-nolisten tcp` will not open the port, but what I want is to open port 6000 bound to `127.0.0.1:6000` or `localhost:6000` instead of `*:6000`. – Nam Nguyen May 28 '20 at 22:35
  • Did you export the display to X11? `export DISPLAY=localhost:1.0` – bhristov May 28 '20 at 22:39
  • `# echo $DISPLAY` gives `localhost:1.0`; after `# /usr/bin/Xvfb -screen 0, 1024x768x16`, `# lsof -Pi | grep -i xvfb` shows `Xvfb 11754 root 0u IPv6 2071123 0t0 TCP *:6000 (LISTEN)` and `Xvfb 11754 root 1u IPv4 2071124 0t0 TCP *:6000 (LISTEN)`. I did export the display but am still seeing `*:6000`. – Nam Nguyen May 28 '20 at 22:49
  • @NamNguyen Try this: `ExecStart=/usr/bin/Xvfb -listen tcp -screen 0, 1024x768x16` – bhristov May 28 '20 at 22:50
  • `-listen` is not a valid option :( – Nam Nguyen May 28 '20 at 22:54
  • Let us [continue this discussion in chat](https://chat.stackoverflow.com/rooms/214859/discussion-between-bhristov-and-nam-nguyen). – bhristov May 28 '20 at 22:55