From: Adrian Chadd <adrian@bastard.co.uk>
To: Will Andrews <andrews@technologist.com>
Cc: arch@freebsd.org
Subject: Re: Disabling inetd?
Date: Mon, 26 Jun 2000 11:51:46 +0200
Message-ID: <20000626115146.S36017@zoe.bastard.co.uk>
In-Reply-To: <20000626053525.U85886@argon.gryphonsoft.com>

On Mon, Jun 26, 2000, Will Andrews wrote:
> Hi all,
>
> I was just a few minutes ago talking with some of my colleagues about
> disabling inetd completely in a default install.
>
> What are people's opinions about doing this? IMHO there is nothing in
> inetd that is absolutely essential when someone installs FreeBSD on a
> virgin system. Let's take a few things as examples. Telnet is an
> insecure protocol and has been replaced for the most part by SSH. Then
> there's FTP. How many people are going to run FTP servers on their
> machines by default? Now talk daemon, auth server (for ident, typically
> used with IRC), and finger. Not everyone really needs these.
>
> Our inetd.conf should reflect what would be NEEDED by a typical
> installation by default.
>
> Some might say "why fix something that ain't broke?". Well, I think
> that it's fairly well-known that holes can be exploited through inetd.
> Proactive security is better than leaving possible holes open by
> default, IMO. Administrators who know what they're doing can open up
> each hole as they need to.
>
> Could someone give me a reason why anything invoked by our current
> inetd.conf is needed across all installed systems by default? If not,
> then inetd itself should be disabled by default.

Do you have a neat way of getting ssh to work out of the box with a
non-US crypto install? If there is a neat way, then sure, enable sshd by
default and disable inetd. Until then I think inetd+telnet should be the
only thing enabled on the box.

If I remember right, the telnet port isn't insecure by itself, only open
telnet connections. So there really isn't anything to be said for killing
telnet for 'out of the box security' - if people use telnet rather than
ssh, they're going to enable it anyway.

Other than that, I am happy with killing inetd or most (read all bar
telnet) of its services at install.

Adrian

-- 
Adrian Chadd
Build a man a fire, and he's warm for the rest of the evening.
Set a man on fire and he's warm for the rest of his life.
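The thread is arguing over which inetd.conf entries a default install should leave enabled: everything off (Will's position) or inetd with telnet alone (Adrian's). As an added example, not code from the thread or from FreeBSD, here is a small POSIX sh audit that lists the services a given inetd.conf would actually start and writes a hardened copy that keeps only an allowlist. The sample inetd.conf embedded in it is constructed to resemble the entries the thread names (ftp, telnet, finger, ntalk, auth); its paths and flags are illustrative assumptions, not copied from any FreeBSD release file.

```shell
#!/bin/sh
# Added example, not from the thread or from FreeBSD: audit an inetd.conf
# and emit a hardened copy that leaves only an allowlist of services enabled.
# inetd.conf(5) fields: service socktype proto wait/nowait user server args.
# Any line whose first non-blank character is '#' is disabled.

# Constructed sample, modelled on the entries the thread discusses
# (assumption: paths and flags are illustrative, not a real release file).
SAMPLE_INETD_CONF='# sample inetd.conf (constructed for this example)
ftp     stream  tcp     nowait  root    /usr/libexec/ftpd       ftpd -l
telnet  stream  tcp     nowait  root    /usr/libexec/telnetd    telnetd
#shell  stream  tcp     nowait  root    /usr/libexec/rshd       rshd
#login  stream  tcp     nowait  root    /usr/libexec/rlogind    rlogind
finger  stream  tcp     nowait/3/10 nobody /usr/libexec/fingerd fingerd -s
comsat  dgram   udp     wait    tty:tty /usr/libexec/comsat     comsat
ntalk   dgram   udp     wait    tty:tty /usr/libexec/ntalkd     ntalkd
#tftp   dgram   udp     wait    root    /usr/libexec/tftpd      tftpd -s /tftpboot
auth    stream  tcp     nowait  root    internal                auth -t 30
'

# enabled_services [FILE]: print the name of every service inetd would
# start from FILE (or stdin), one per line, in file order.
enabled_services() {
    cat "$@" | grep -v '^[[:space:]]*#' | awk 'NF >= 6 { print $1 }'
}

# harden_inetd_conf FILE [SERVICE...]: copy FILE to stdout, commenting out
# every enabled service except those named as arguments. With no names,
# everything is disabled, which is the "inetd off by default" position.
harden_inetd_conf() {
    file=$1; shift
    allowed=" $* "
    while IFS= read -r line || [ -n "$line" ]; do
        svc=$(printf '%s\n' "$line" | awk '{ print $1 }')
        case $svc in
            ''|'#'*) printf '%s\n' "$line" ;;             # blank or comment: keep
            *) case $allowed in
                   *" $svc "*) printf '%s\n' "$line" ;;   # on the allowlist
                   *)          printf '#%s\n' "$line" ;;  # disable it
               esac ;;
        esac
    done < "$file"
}

# Demo: audit the constructed sample, then show both hardened variants.
conf=$(mktemp) && printf '%s' "$SAMPLE_INETD_CONF" > "$conf"
echo "enabled by the sample inetd.conf:"; enabled_services "$conf"
echo "enabled after keeping only telnet:"; harden_inetd_conf "$conf" telnet | enabled_services
echo "enabled after disabling everything:"; harden_inetd_conf "$conf" | enabled_services
rm -f "$conf"
```

The audit deliberately reads the file rather than trusting a service list, since a default install's exposure is whatever inetd will actually spawn. Hardening comments entries out instead of deleting them, so an administrator who "knows what they're doing" can re-enable one by removing a single `#`. Taking the other branch of the thread, leaving inetd.conf alone and not starting the daemon at all, is done on FreeBSD with `inetd_enable="NO"` in /etc/rc.conf (see rc.conf(5)).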