From owner-freebsd-security@FreeBSD.ORG Tue May 11 14:33:00 2004 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 62C9316A4CE for ; Tue, 11 May 2004 14:33:00 -0700 (PDT) Received: from dfmm.org (walter.dfmm.org [66.180.195.210]) by mx1.FreeBSD.org (Postfix) with ESMTP id EC2FD43D41 for ; Tue, 11 May 2004 14:32:59 -0700 (PDT) (envelope-from freebsd-security@dfmm.org) Received: (qmail 24080 invoked by uid 1000); 11 May 2004 21:32:59 -0000 Received: from localhost (sendmail-bs@127.0.0.1) by localhost with SMTP; 11 May 2004 21:32:59 -0000 Date: Tue, 11 May 2004 14:32:57 -0700 (PDT) From: Jason Stone X-X-Sender: jason@walter To: freebsd-security@freebsd.org In-Reply-To: <20040511202707.C40492C6A0@mx5.roble.com> Message-ID: <20040511141522.W45935@walter> References: <20040511190058.A8FC516A4DB@hub.freebsd.org> <20040511202707.C40492C6A0@mx5.roble.com> MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Subject: Re: rate limiting sshd connections ? X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 11 May 2004 21:33:00 -0000 -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 > > Aside from having more connection limiting features inetd is also > > easier to configure on non-standard ports, uses less memory (1K vs > > 5K), and has a simpler (and by extension more secure) code base. > > As to security I think both code bases have had about the same degree of > peer review. The smaller size of the inetd code base is what makes it > more secure. 1) how does this interact with privilege separation? as far as I understand it, privilege separation implies that no raw data from the network will ever be touched by a root-running process. I don't expect that inetd can say the same. 2) if you really are looking for a very simple/secure network listener, tcpserver from the ucspi-tcp package is going to fit that bill _way_ more than inetd. and tcpserver also provides rate-limiting, use of arbitrary ports, an even smaller memory footprint, as well as features that inetd doesn't have (like setting environment variables based on remote address). -Jason -------------------------------------------------------------------------- Freud himself was a bit of a cold fish, and one cannot avoid the suspicion that he was insufficiently fondled when he was an infant. -- Ashley Montagu -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.3 (FreeBSD) Comment: See https://private.idealab.com/public/jason/jason.gpg iD8DBQFAoUaLswXMWWtptckRAkBeAKDfVrZE5ezanuxyqVmdANVCLJ73swCfTPXv 5sqmuZRai9vd3nsfNqQskN8= =76iI -----END PGP SIGNATURE-----