Date: Mon, 26 Jun 2000 11:51:46 +0200
From: Adrian Chadd <adrian@freebsd.org>
To: Will Andrews <andrews@technologist.com>
Cc: arch@freebsd.org
Subject: Re: Disabling inetd?
Message-ID: <20000626115146.S36017@zoe.bastard.co.uk>
In-Reply-To: <20000626053525.U85886@argon.gryphonsoft.com>; from andrews@technologist.com on Mon, Jun 26, 2000 at 05:35:25AM -0400
References: <20000626053525.U85886@argon.gryphonsoft.com>

On Mon, Jun 26, 2000, Will Andrews wrote:
> Hi all,
>
> I was just a few minutes ago talking with some of my colleagues about
> disabling inetd completely in a default install.
>
> What are people's opinions about doing this? IMHO there is nothing in
> inetd that is absolutely essential when someone installs FreeBSD on a
> virgin system. Let's take a few things as examples. Telnet is an
> insecure protocol and has been replaced for the most part by SSH. Then
> there's FTP. How many people are going to run FTP servers on their
> machines by default? Now talk daemon, auth server (for ident, typically
> used with IRC), and finger. Not everyone really needs these.
>
> Our inetd.conf should reflect what would be NEEDED by a typical
> installation by default.
>
> Some might say "why fix something that ain't broke?". Well, I think
> that it's fairly well-known that holes can be exploited through inetd.
> Proactive security is better than leaving possible holes open by
> default, IMO. Administrators who know what they're doing can open up
> each hole as they need to.
>
> Could someone give me a reason why anything invoked by our current
> inetd.conf is needed across all installed systems by default? If not,
> then inetd itself should be disabled by default.

Do you have a neat way of getting ssh to work out of the box with
a non-US crypto install?

If there is a neat way, then sure, enable sshd by default and disable
inetd. Until then I think inetd+telnet should be the only thing enabled
on the box.

If I remember right, the telnet port isn't insecure by itself, only
open telnet connections. So there really isn't anything to be said for
killing telnet for 'out of the box security' - if people use telnet
rather than ssh, they're going to enable it anyway.

Other than that, I am happy with killing inetd or most (read all bar telnet)
of its services at install.

Adrian

-- 
Adrian Chadd            Build a man a fire, and he's warm for the
<adrian@FreeBSD.org>    rest of the evening. Set a man on fire and
                        he's warm for the rest of his life.

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-arch" in the body of the message