From owner-freebsd-security Tue Feb 13 5:52:45 2001
Delivered-To: freebsd-security@freebsd.org
Received: from rapier.smartspace.co.za (rapier.smartspace.co.za [66.8.25.34]) by hub.freebsd.org (Postfix) with SMTP id 2BA8A37B4EC for ; Tue, 13 Feb 2001 05:52:40 -0800 (PST)
Received: (qmail 70925 invoked by uid 1001); 13 Feb 2001 13:52:13 -0000
Date: Tue, 13 Feb 2001 15:52:12 +0200
From: Neil Blakey-Milner
To: turbo23
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Secure Servers (SMTP, POP3, FTP)
Message-ID: <20010213155212.A70601@rapier.smartspace.co.za>
References: <5.0.2.1.2.20010213144216.00a80210@mail.gmx.net>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: <5.0.2.1.2.20010213144216.00a80210@mail.gmx.net>; from turbo23@gmx.net on Tue, Feb 13, 2001 at 02:45:36PM +0100
Organization: Building Intelligence
X-Operating-System: FreeBSD 4.2-RELEASE i386
X-URL: http://rucus.ru.ac.za/~nbm/
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Tue 2001-02-13 (14:45), turbo23 wrote:
> > > > Hmm, the standard FreeBSD ftpd can run as a daemon. But how do you
> > > > control the number of active connections? With /etc/login.conf or
> > > > something similar resource control (number of running processes)?
> > >
> > > Run ftpd from inetd like God intended and specify a maximum number of
> > > concurrent instances in inetd.conf.
> > >
> >
> > or maybe you like to run ftpd with tcp-server, from mr. djb.
> > small, fast and easy to configure.
>
> You can also run ftpd with xinetd. It can also handle a maximum number of
> connections. IMHO it isn't as fast as Bernstein's tcp-server but it's more
> secure than inetd.

I'm not aware of any security issues in FreeBSD's inetd that involve it
running an external (i.e., exec) service. Care for pointers?

19 June 2000, xinetd had the following bug:

  Certain versions of xinetd have a bug in the access control mechanism.
  If you use a hostname to control access to a service (localhost instead
  of 127.0.0.1), xinetd will allow any connection from hosts that fail a
  reverse look-up.

Perhaps you mean inetds on other systems (like those that don't have
connection limits, and those that turn services off for 10 minutes without
configurability on the amount of time turned off)?

Neil

-- 
Neil Blakey-Milner
nbm@mithrandr.moria.org

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
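The thread's answer to "how do you control the number of active connections" is the wait/nowait field of inetd.conf, which on FreeBSD takes the form `nowait[/max-child[/max-connections-per-ip-per-minute]]`. The script below is an added example, not code from the thread or from the FreeBSD project: it embeds a constructed inetd.conf (the popper path and all limit values are illustrative) and audits it for nowait services that carry no max-child suffix, i.e. services inetd would fork without bound. The function names `inetd_limits` and `inetd_unlimited` are this example's own.

```shell
#!/bin/sh
# Added example (not from the original thread): audit an inetd.conf for
# "nowait" services that have no concurrency limit in field 4.
# FreeBSD inetd.conf field 4: wait|nowait[/max-child[/max-conn-per-ip-per-min]]
# A "nowait" entry with no "/N" suffix (or "/0") has no max-child limit.

# Constructed sample inetd.conf; paths and limits are illustrative only.
SAMPLE_INETD_CONF='# service socket proto wait/nowait[/max-child[/per-ip]] user   program                    args
ftp     stream tcp  nowait/20/5  root   /usr/libexec/ftpd          ftpd -l
pop3    stream tcp  nowait       root   /usr/local/libexec/popper  popper -s
telnet  stream tcp  nowait/10    root   /usr/libexec/telnetd       telnetd
comsat  dgram  udp  wait         tty    /usr/libexec/comsat        comsat
#finger stream tcp  nowait/3/10  nobody /usr/libexec/fingerd       fingerd -s'

# inetd_limits [file]
# Prints one line per active entry: "service wait|nowait max-child per-ip-rate",
# with "-" where no limit is configured. Reads the constructed sample when no
# file is given.
inetd_limits() {
    if [ -n "$1" ]; then
        cat -- "$1"
    else
        printf '%s\n' "$SAMPLE_INETD_CONF"
    fi |
    awk '
        /^[ \t]*#/ || NF == 0 { next }            # skip comments and blank lines
        {
            n = split($4, f, "/")                 # f[1]=wait|nowait f[2]=max-child f[3]=per-ip rate
            maxchild = (n >= 2 && f[2] != "" && f[2] != "0") ? f[2] : "-"
            perip    = (n >= 3 && f[3] != "" && f[3] != "0") ? f[3] : "-"
            print $1, f[1], maxchild, perip
        }'
}

# inetd_unlimited [file]
# Names the "nowait" services that inetd will fork without any max-child cap.
inetd_unlimited() {
    inetd_limits "$@" | awk '$2 == "nowait" && $3 == "-" { print $1 }'
}

# Stand-alone run: show the table, then the offenders.
inetd_limits
echo "unlimited nowait services:"
inetd_unlimited
```

With the sample above only `pop3` is reported; the fix is to change its field 4 to something like `nowait/20/5` (at most 20 concurrent popper processes and at most 5 connections per minute from any one address) and signal inetd to reread its configuration. "wait" services are not reported because inetd hands the socket to a single process for those anyway.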