Port reference
Port 6000 (TCP) – X11 (X Window System)
Display :0 of the X Window System server, accepting GUI client connections over TCP.
Default state
Open when an X server listens on TCP (legacy default). Often left accessible with weak xhost-based access control.
Common attacks
- Unauthenticated access to displays opened with 'xhost +'
- Keystroke logging and screenshot capture of the desktop
- Injecting input events and reading window contents
- Abusing X11 forwarding to reach a trusted client's display
Hardening
- Disable TCP listening (-nolisten tcp); use local sockets only
- Never run 'xhost +'; use MIT-MAGIC-COOKIE (xauth) authentication
- Tunnel remote GUIs over SSH X11 forwarding instead of raw 6000
- Firewall ports 6000-6063 from untrusted networks
- Restrict source IPs and avoid trusted X11 forwarding
nmap snippet
nmap -p6000 --script x11-access <target>
Replace <target> with the host or range you're authorized to scan.
What runs on port 6000?
Port 6000 is display :0 of the X Window System (X11) server. X11 is the
classic Unix/Linux graphical layer: the server owns the screen, keyboard, and
mouse, while GUI applications connect as clients to draw windows and receive
input. Additional displays increment the port — :1 is 6001, and so on through
6063.
Why it matters for security
X11 was designed for trusted networks, and its access control is weak. The
infamous xhost + command disables access control entirely, so any host
can connect to the display. Because an X client sees all input and output, a
connected attacker can log every keystroke, screenshot the desktop, read
window contents, and inject synthetic key and mouse events — a complete
desktop takeover.
How it's attacked
Scanners look for open 6000 and confirm permissive access with nmap's
x11-access script. Where xhost + or no authentication is in place,
attackers connect directly and run tools to capture keystrokes and screens or
inject input. X11 forwarding is another risk: a malicious or compromised SSH
server with trusted forwarding can reach back into the connecting client's display.
Hardening checklist
Disable TCP listening with -nolisten tcp so X11 uses only local sockets,
and never run xhost + — rely on MIT-MAGIC-COOKIE (xauth)
authentication. For remote GUIs, tunnel over SSH X11 forwarding instead of
exposing raw 6000, and prefer untrusted (not trusted) forwarding. Firewall
ports 6000-6063 from untrusted networks. The nmap snippet above checks display
access control on systems you are authorized to test.
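A local audit to go with the checklist above, as an added example that is not part of the original page: it classifies TCP listeners in the 6000-6063 range as loopback-only or exposed, and reports whether xhost access control is off. The function names are hypothetical, the sample lines are constructed, and the script assumes the column layout of iproute2's `ss -H -ltn` and the status line printed by `xhost`.

```shell
#!/bin/sh
# Added example: classify X11 TCP listeners and xhost state from tool output.

# Reads `ss -H -ltn` lines on stdin. For each listener on ports 6000-6063
# prints "<display> <local addr:port> <loopback|exposed>".
x11_listeners() {
    awk '{
        la = $4                              # Local Address:Port column
        n = split(la, p, ":")
        port = p[n] + 0
        if (port < 6000 || port > 6063) next
        addr = substr(la, 1, length(la) - length(p[n]) - 1)
        # Loopback binds (e.g. an sshd X11 forwarding proxy) are not
        # reachable from the network; anything else is.
        scope = (addr ~ /^127\./ || addr == "[::1]") ? "loopback" : "exposed"
        printf ":%d %s %s\n", port - 6000, la, scope
    }'
}

# Reads `xhost` output on stdin. Prints "open" when access control is
# disabled (the state "xhost +" leaves behind), otherwise "restricted".
xhost_state() {
    if grep -q '^access control disabled'; then
        echo open
    else
        echo restricted
    fi
}

# Constructed sample input, so the script runs offline.
SAMPLE_SS='LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 4096 0.0.0.0:6000 0.0.0.0:*
LISTEN 0 128 127.0.0.1:6010 0.0.0.0:*
LISTEN 0 4096 [::]:6001 [::]:*'
SAMPLE_XHOST='access control disabled, clients can connect from any host'

report() {  # $1 = ss output, $2 = xhost output
    printf '%s\n' "$1" | x11_listeners
    echo "xhost: $(printf '%s\n' "$2" | xhost_state)"
}

report "$SAMPLE_SS" "$SAMPLE_XHOST"
# On a live host: report "$(ss -H -ltn)" "$(xhost)"
```

Any line marked `exposed` means the X server was started without -nolisten tcp or the port is not firewalled; `xhost: open` means cookie authentication is being bypassed.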
Frequently asked questions
- What does 'xhost +' do and why is it dangerous?
- It disables X11 access control, letting any host connect to your display on port 6000. An attacker can then log keystrokes, capture the screen, and inject input — full desktop compromise.
- How do I know if my X server is exposed on 6000?
- If the X server listens on TCP and access control is open, nmap's x11-access script will connect successfully. Disable TCP listening and use xauth cookies to lock it down.