xvfb绑定到localhost而不是*

Question

我有一个作为服务运行的XVFB服务，它绑定到*而不是localhost。出于安全考虑，不建议这样做，我也找不到将其绑定到localhost的方法。有人知道如何让xvfb绑定到localhost吗？谢谢

# cat /etc/systemd/system/xvfb.service
[Unit]
Description=XVFB Server
After=network.target

[Install]
WantedBy=multi-user.target

[Service]
Type=simple

Restart=always
RestartSec=10

TimeoutSec=30

User=xvfb
Group=xvfb

ExecStart=/usr/bin/Xvfb -screen 0, 1024x768x16

# systemctl status xvfb
● xvfb.service - XVFB Server
   Loaded: loaded (/etc/systemd/system/xvfb.service; enabled; vendor preset: disabled)
   Active: active (running) since Thu 2020-05-28 18:13:57 UTC; 1min 4s ago
 Main PID: 11395 (Xvfb)
   Memory: 4.3M
   CGroup: /system.slice/xvfb.service
           └─11395 /usr/bin/Xvfb -screen 0, 1024x768x16

May 28 18:13:57 ip-10-73-36-143.ec2.internal Xvfb[11395]: Initializing built-in extension MIT-SCREEN-SAVER
May 28 18:13:57 ip-10-73-36-143.ec2.internal Xvfb[11395]: Initializing built-in extension DOUBLE-BUFFER
May 28 18:13:57 ip-10-73-36-143.ec2.internal Xvfb[11395]: Initializing built-in extension RECORD
May 28 18:13:57 ip-10-73-36-143.ec2.internal Xvfb[11395]: Initializing built-in extension DPMS
May 28 18:13:57 ip-10-73-36-143.ec2.internal Xvfb[11395]: Initializing built-in extension Present
May 28 18:13:57 ip-10-73-36-143.ec2.internal Xvfb[11395]: Initializing built-in extension X-Resource
May 28 18:13:57 ip-10-73-36-143.ec2.internal Xvfb[11395]: Initializing built-in extension XVideo
May 28 18:13:57 ip-10-73-36-143.ec2.internal Xvfb[11395]: Initializing built-in extension XVideo-MotionCompensation
May 28 18:13:57 ip-10-73-36-143.ec2.internal Xvfb[11395]: Initializing built-in extension SELinux
May 28 18:13:57 ip-10-73-36-143.ec2.internal Xvfb[11395]: Initializing built-in extension GLX

# lsof -Pi | grep -i 'listen'
Xvfb      11395        xvfb    0u  IPv6 2029253      0t0  TCP *:6000 (LISTEN)
Xvfb      11395        xvfb    1u  IPv4 2029254      0t0  TCP *:6000 (LISTEN)

Answer 1

最安全的解决方案是关闭所有端口，如下所示：

Xvfb :0 -nolisten tcp