Date:      Tue, 15 Sep 1998 01:23:59 -0500
From:      "Jeffrey J. Mountin" <jeff-ml@mountin.net>
To:        Roger Marquis <marquis@roble.com>, freebsd-security@FreeBSD.ORG
Subject:   Re: sshd
Message-ID:  <3.0.3.32.19980915012359.006dae0c@207.227.119.2>
In-Reply-To: <Pine.SUN.3.96.980914174902.29530B-100000@roble.com>
References:  <35FD82A8.84601D49@dal.net>

At 06:11 PM 9/14/98 -0700, Roger Marquis wrote:
>On Mon, 14 Sep 1998, Studded wrote:
>> 	Foolish consistency is the hobgoblin of small minds. I am also in the
>> camp of those who disable inetd almost universally, and run sshd
>> standalone. Since I don't think either camp is going to convince the
>> other, perhaps we should let this drop?
>
>Au contraire, consistency is fundamental to good systems
>administration.  KISS and consistency are what keeps the Macintosh
>alive despite all odds.  KISS, consistency and efficiency are what
>keeps sites with dozens or hundreds of Unix boxes running with high
>uptime and a small staff.

KISS may apply to the server config, but it can get a bit complex to set things up. ;)

>If you don't need inetd then it's probably a good idea to disable it
>and run all your daemons all the time however most hosts, including
>firewalls, do use it.  Is there a significant security (or other)
>reason to disable it?

One problem is if you want to run tcp wrappers, then some services should be inetd.  And need we get into certain daemons that we shouldn't run directly?  I'd say use inetd for certain daemons and use wrappers.

telnet
ftp
pop3
finger
ntalk

The last 2 only work locally and between specific machines.

For DNS-only servers I've only run sshd, no inetd, no sendmail, and no remote logging.  Since we've somewhat digressed, changing portmap in rc.conf to "NO" would also be in order, and unless a server needs to handle incoming mail, it should not run as a daemon.

Different servers, different needs, and different security policies.


Jeff Mountin - Unix Systems TCP/IP networking
jeff@mountin.net
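An audit script in the spirit of the advice above, added here as an example and not part of the original message: it reports enabled inetd.conf services that do not go through the tcp wrapper (tcpd), and rc.conf knobs that are not set to "NO". The sample inetd.conf and rc.conf contents are constructed, and the tcpd server path and the knob names portmap_enable/sendmail_enable are assumed to match a FreeBSD of that era.

```shell
#!/bin/sh
# Added example: check that inetd-started services are wrapped by tcpd so that
# /etc/hosts.allow can restrict them, and that rc.conf turns off daemons the
# host does not need. Sample files below are constructed, not from a real host.

WORK=$(mktemp -d) || exit 1
trap 'rm -rf "$WORK"' EXIT

# Constructed inetd.conf: telnet/ftp/pop3/finger wrapped, ntalk started
# directly (unwrapped), tftp commented out (disabled, so not reported).
cat > "$WORK/inetd.conf" <<'EOF'
# service type   proto wait   user   server_path          args
ftp     stream   tcp   nowait root   /usr/libexec/tcpd    ftpd -l
telnet  stream   tcp   nowait root   /usr/libexec/tcpd    telnetd
pop3    stream   tcp   nowait root   /usr/libexec/tcpd    popper
finger  stream   tcp   nowait nobody /usr/libexec/tcpd    fingerd -s
ntalk   dgram    udp   wait   root   /usr/libexec/ntalkd  ntalkd
#tftp   dgram    udp   wait   root   /usr/libexec/tcpd    tftpd /tftpboot
EOF

# Constructed rc.conf: portmap still on, sendmail daemon already off.
cat > "$WORK/rc.conf" <<'EOF'
portmap_enable="YES"
sendmail_enable="NO"
EOF

# Print the service name of every enabled (uncommented, non-blank) inetd.conf
# entry whose server_path (field 6) is not the tcpd wrapper.
unwrapped_services() {
    awk '!/^[[:space:]]*(#|$)/ && $6 !~ /\/tcpd$/ { print $1 }' "$1"
}

# Print each named rc.conf knob that is not explicitly set to "NO"
# (either missing from the file or set to something else).
rc_knobs_not_off() {
    file=$1
    shift
    for knob in "$@"; do
        grep -q "^${knob}=\"NO\"" "$file" || echo "$knob"
    done
}

echo "inetd services not wrapped by tcpd:"
unwrapped_services "$WORK/inetd.conf"
echo "rc.conf knobs not set to NO:"
rc_knobs_not_off "$WORK/rc.conf" portmap_enable sendmail_enable
```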
