From owner-freebsd-security Mon Sep 14 23:25:48 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id XAA05290 for freebsd-security-outgoing; Mon, 14 Sep 1998 23:25:48 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from peak.mountin.net ([207.227.119.2]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id XAA05285 for ; Mon, 14 Sep 1998 23:25:46 -0700 (PDT) (envelope-from jeff-ml@mountin.net)
Received: (from daemon@localhost) by peak.mountin.net (8.9.1/8.9.1) id BAA03443; Tue, 15 Sep 1998 01:25:28 -0500 (CDT)
Received: from aridius-81.isdn.mke.execpc.com(169.207.66.208) by peak.mountin.net via smap (V1.3) id sma003441; Tue Sep 15 01:25:25 1998
Message-Id: <3.0.3.32.19980915012359.006dae0c@207.227.119.2>
X-Sender: jeff-ml@207.227.119.2
X-Mailer: QUALCOMM Windows Eudora Pro Version 3.0.3 (32)
Date: Tue, 15 Sep 1998 01:23:59 -0500
To: Roger Marquis , freebsd-security@FreeBSD.ORG
From: "Jeffrey J. Mountin"
Subject: Re: sshd
In-Reply-To:
References: <35FD82A8.84601D49@dal.net>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

At 06:11 PM 9/14/98 -0700, Roger Marquis wrote:
>On Mon, 14 Sep 1998, Studded wrote:
>> Foolish consistency is the hobgoblin of small minds. I am also in the
>> camp of those who disable inetd almost universally, and run sshd
>> standalone. Since I don't think either camp is going to convince the
>> other, perhaps we should let this drop?
>
>Au contraire, consistency is fundamental to good systems
>administration. KISS and consistency are what keeps the Macintosh
>alive despite all odds. KISS, consistency and efficiency are what
>keeps sites with dozens or hundreds of Unix boxes running with high
>uptime and a small staff.

KISS may apply to the server config, but it can get a bit complex to set
things up. ;)

>If you don't need inetd then it's probably a good idea to disable it
>and run all your daemons all the time however most hosts, including
>firewalls, do use it. Is there a significant security (or other)
>reason to disable it?

One problem is if you want to run tcp wrappers, then some services should
be inetd. And need we get into certain daemons that we shouldn't run
directly?

I'd say use inetd for certain daemons and use wrappers:

telnet
ftp
pop3
finger
ntalk

The last 2 only work locally and between specific machines.

For DNS-only servers I've only run sshd, no inetd, no sendmail, and no
remote logging.

Since we've somewhat digressed, changing portmap in rc.conf to "NO" would
also be in order, and unless a server needs to handle incoming mail, it
should not run as a daemon.

Different servers, different needs, and different security policies.

Jeff Mountin - Unix Systems
TCP/IP networking
jeff@mountin.net

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
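The policy Jeff sketches (run the interactive services under inetd so tcp wrappers apply, set portmap to "NO" in rc.conf, and don't run sendmail as a daemon unless the host accepts mail) can be checked mechanically. The following audit script is an added example and is not part of the original message or of FreeBSD itself. It assumes that tcp wrappers are applied by naming /usr/sbin/tcpd as the server program in inetd.conf and that rc.conf uses the variable names portmap_enable and sendmail_enable; the inetd.conf and rc.conf contents it inspects are constructed samples embedded in the script.

```shell
#!/bin/sh
# Added example, not part of the original message: audit an inetd.conf and an
# rc.conf against the policy in the thread (wrap inetd services with tcp
# wrappers, disable portmap, don't run sendmail as a daemon unless needed).
# Assumptions: tcp wrappers are applied by naming /usr/sbin/tcpd as the
# server program in inetd.conf, and rc.conf uses the variable names
# portmap_enable and sendmail_enable. Both sample files below are constructed.

SAMPLE_INETD='ftp     stream  tcp     nowait  root    /usr/sbin/tcpd            ftpd -l
telnet  stream  tcp     nowait  root    /usr/sbin/tcpd            telnetd
pop3    stream  tcp     nowait  root    /usr/local/libexec/popper popper
finger  stream  tcp     nowait  nobody  /usr/sbin/tcpd            fingerd -s
ntalk   dgram   udp     wait    root    /usr/libexec/ntalkd       ntalkd
#tftp   dgram   udp     wait    nobody  /usr/libexec/tftpd        tftpd /tftpboot
'

SAMPLE_RCCONF='inetd_enable="YES"
portmap_enable="YES"
sendmail_enable="YES"
sshd_enable="YES"
'

# Print the name of every enabled inetd service whose server program
# (field 6) is not tcpd, i.e. every service that bypasses the wrappers.
unwrapped_services() {
    printf '%s' "$1" | awk '
        $1 ~ /^#/ || NF < 6 { next }      # skip comments and short lines
        $6 !~ /\/tcpd$/     { print $1 }'
}

# Succeed (exit 0) only if rc.conf sets variable $2 to "NO", i.e. the
# daemon is switched off. $1 is the rc.conf text.
rcconf_disabled() {
    printf '%s' "$1" | grep -q "^$2=\"NO\""
}

# Human-readable report over the two sample files.
audit_report() {
    unwrapped=$(unwrapped_services "$SAMPLE_INETD" | tr '\n' ' ')
    echo "inetd services not passed through tcpd: ${unwrapped:-none}"
    for var in portmap_enable sendmail_enable; do
        if rcconf_disabled "$SAMPLE_RCCONF" "$var"; then
            echo "$var: NO (disabled)"
        else
            echo "$var: not set to NO; disable it unless this host needs the service"
        fi
    done
}

audit_report
```

On the constructed sample the report flags pop3 and ntalk as reaching their daemons without passing through tcpd, and flags both portmap_enable and sendmail_enable as still on; the commented-out tftp line is ignored. To run it against a real host, replace the two sample variables with the output of `cat /etc/inetd.conf` and `cat /etc/rc.conf`.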