Skip site navigation (1)Skip section navigation (2) 
Date:      Tue, 11 May 2004 14:32:57 -0700 (PDT)
From:      Jason Stone <freebsd-security@dfmm.org>
To:        freebsd-security@freebsd.org
Subject:   Re: rate limiting sshd connections ?
Message-ID:  <20040511141522.W45935@walter>
In-Reply-To: <20040511202707.C40492C6A0@mx5.roble.com>
References:  <20040511190058.A8FC516A4DB@hub.freebsd.org> <20040511202707.C40492C6A0@mx5.roble.com>
next in thread | previous in thread | raw e-mail | index | archive | help 
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


> > Aside from having more connection limiting features inetd is also
> > easier to configure on non-standard ports, uses less memory (1K vs
> > 5K), and has a simpler (and by extension more secure) code base.
>
> As to security I think both code bases have had about the same degree of
> peer review.  The smaller size of the inetd code base is what makes it
> more secure.

1) how does this interact with privilege separation?  as far as I
understand it, privilege separation implies that no raw data from the
network will ever be touched by a root-running process.  I don't expect
that inetd can say the same.

2) if you really are looking for a very simple/secure network listener,
tcpserver from the ucspi-tcp package is going to fit that bill _way_ more
than inetd.  and tcpserver also provides rate-limiting, use of arbitrary
ports, an even smaller memory footprint, as well as features that inetd
doesn't have (like setting environment variables based on remote address).


 -Jason

 --------------------------------------------------------------------------
 Freud himself was a bit of a cold fish, and one cannot avoid the suspicion
 that he was insufficiently fondled when he was an infant.
	-- Ashley Montagu
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (FreeBSD)
Comment: See https://private.idealab.com/public/jason/jason.gpg

iD8DBQFAoUaLswXMWWtptckRAkBeAKDfVrZE5ezanuxyqVmdANVCLJ73swCfTPXv
5sqmuZRai9vd3nsfNqQskN8=
=76iI
-----END PGP SIGNATURE-----

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20040511141522.W45935>