From owner-freebsd-security@FreeBSD.ORG  Tue May 11 13:27:08 2004
Return-Path: <owner-freebsd-security@FreeBSD.ORG>
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id 3584916A4CE
	for <freebsd-security@freebsd.org>;
	Tue, 11 May 2004 13:27:08 -0700 (PDT)
Received: from mx5.roble.com (mx5.roble.com [206.40.34.5])
	by mx1.FreeBSD.org (Postfix) with ESMTP id F41B443D31
	for <freebsd-security@freebsd.org>;
	Tue, 11 May 2004 13:27:07 -0700 (PDT)
	(envelope-from marquis@roble.com)
Received: from localhost (localhost [127.0.0.1])
	by mx5.roble.com (Postfix) with ESMTP id C40492C6A0
	for <freebsd-security@freebsd.org>;
	Tue, 11 May 2004 13:27:07 -0700 (PDT)
Date: Tue, 11 May 2004 13:27:07 -0700 (PDT)
From: Roger Marquis <marquis@roble.com>
To: freebsd-security@freebsd.org
In-Reply-To: <20040511190058.A8FC516A4DB@hub.freebsd.org>
References: <20040511190058.A8FC516A4DB@hub.freebsd.org>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Message-Id: <20040511202707.C40492C6A0@mx5.roble.com>
Subject: Re: rate limiting sshd connections ?
X-BeenThere: freebsd-security@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: Security issues [members-only posting]
	<freebsd-security.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-security>,
	<mailto:freebsd-security-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-security>
List-Post: <mailto:freebsd-security@freebsd.org>
List-Help: <mailto:freebsd-security-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-security>,
	<mailto:freebsd-security-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Tue, 11 May 2004 20:27:08 -0000

Roger Marquis wrote:
> Aside from having more connection limiting features inetd is also
> easier to configure on non-standard ports, uses less memory (1K vs
> 5K), and has a simpler (and by extension more secure) code base.
>
"slimmy baddog" wrote:
> I would strognly suggest that you dont use inetd for running services but
> running all your services as daemons wich is much faster for the system
>and safer.

That used to be the recommendation, back when 50MHz CPUs were the
norm.  With 1 GHz and faster CPUs the difference between sshd and
inetd starting a child sshd is in the millisecond range i.e, impossible
to distinguish by look and feel.

As to security I think both code bases have had about the same
degree of peer review.  The smaller size of the inetd code base
is what makes it more secure.

-- 
Roger Marquis
Roble Systems Consulting
http://www.roble.com/