Date:      Fri, 12 May 2006 15:25:44 -0500
From:      Derek Ragona <derek@computinginnovations.com>
To:        Eric Schuele <e.schuele@computer.org>, FreeBSD Questions <freebsd-questions@freebsd.org>
Subject:   Re: Pros and Cons of running under inetd....
Message-ID:  <6.0.0.22.2.20060512152402.026a60c8@mail.computinginnovations.com>
In-Reply-To: <4464CEDA.80906@computer.org>
References:  <4464B95D.1040702@computer.org> <20060512171515.GC34035@catflap.slightlystrange.org> <4464CEDA.80906@computer.org>

inetd running is discouraged.  Instead run the daemons on boot using rc 
scripts.  If you look back in the history, inetd running is a security 
risk, and was discouraged in the 5.X releases.

         -Derek

At 01:07 PM 5/12/2006, Eric Schuele wrote:
>Daniel Bye wrote:
>>On Fri, May 12, 2006 at 11:35:41AM -0500, Eric Schuele wrote:
>>>Hello,
>>>
>>>I run sshd and ftpd on my laptop.  I generally start them via:
>>>   sshd_enable="YES"
>>>   ftpd_enable="YES"
>>>in my rc.conf.
>>>
>>>What are the pros/cons of running them via inetd?
>>>
>>>This is in no way a high load or production machine.  Just my laptop
>>>that I need access to from time to time.
>>>
>>>The one pro I have noticed (which is rather important to me) is that
>>>ftpd does not heed hosts.allow directives when NOT run via inetd.  Am I
>>>correct in this?  I prefer to use tcpwrappers to further protect my sshd 
>>>and ftpd.  I generally keep ftpd firewalled off from the world and when 
>>>someone needs to (anonymous) ftp something to me I open the firewall. 
>>>But it would be nice to allow only their IP using hosts.allow (as I just 
>>>enable/disable a generic ruleset in ipfw).  So should I forget to 
>>>disable the ruleset in ipfw then I am not open all day till I reboot.
>
>Thanks for the response.
>
>>When sshd starts, it needs to generate keys and set up its cryptographic
>>environment, so you will notice a bit of lag before getting a login
>>prompt.  This may or may not mean anything to you, depending on how
>>beefy your laptop is.
>>Check man sshd for the -i option.
>>sshd should, by default, be compiled with tcpwrappers support anyway.
>>You can test whether this is the case by putting something like this at
>>the top of your hosts.allow:
>>sshd : 127.0.0.1 : deny
>>and then try connecting on the loopback interface.  If you see `refused
>>connect from localhost' in your /var/log/auth.log, then your sshd uses
>>hosts.allow and running it from inetd won't give you any benefit.
>
>Actually I have sshd under control.  It works fine, and yes uses 
>tcpwrappers by default.
>
>>I don't know about ftpd, as I don't use it.
>
>ftpd however does not seem to use them.
>
>>Dan
>
>Although I am curious about ftpd and tcpwrappers.... I am also interested 
>in whether or not running these daemons under inetd is preferred or 
>not.  If so why?  If not, why?
>
>--
>Regards,
>Eric
>_______________________________________________
>freebsd-questions@freebsd.org mailing list
>http://lists.freebsd.org/mailman/listinfo/freebsd-questions
>To unsubscribe, send any mail to "freebsd-questions-unsubscribe@freebsd.org"
>
>--
>This message has been scanned for viruses and
>dangerous content by MailScanner, and is
>believed to be clean.
>MailScanner thanks transtec Computers for their support.
>

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?6.0.0.22.2.20060512152402.026a60c8>
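
Added example, not part of the original thread: a simplified first-match evaluator for the `daemon : client : allow|deny` rule form quoted above. It shows why the test rule is placed at the top of hosts.allow and how a single-peer ftpd rule pair behaves. It assumes literal IPv4 addresses and the `ALL` wildcard only, and that a connection matching no rule is allowed; all rule sets and addresses are constructed.

```python
# Simplified model of tcp_wrappers "daemon : client : option" rules.
# Assumptions: literal IPv4 addresses and the ALL wildcard only, the first
# matching rule decides, and a connection that matches no rule is allowed.

def parse_rules(text):
    """Return a list of (daemons, clients, action) tuples from rule text."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        fields = [f.strip() for f in line.split(":")]
        if len(fields) < 3 or fields[-1] not in ("allow", "deny"):
            raise ValueError(f"unsupported rule: {raw!r}")
        daemons = fields[0].replace(",", " ").split()
        clients = fields[1].replace(",", " ").split()
        rules.append((daemons, clients, fields[-1]))
    return rules

def decide(rules, daemon, client_ip):
    """Walk the rules in file order; the first match wins."""
    for daemons, clients, action in rules:
        daemon_ok = "ALL" in daemons or daemon in daemons
        client_ok = "ALL" in clients or client_ip in clients
        if daemon_ok and client_ok:
            return action
    return "allow"

# Constructed rule sets (not taken from any real system).
TEST_AT_TOP = """
sshd : 127.0.0.1 : deny      # the loopback test rule from the thread
ALL : ALL : allow            # catch-all that follows it
"""
TEST_AT_BOTTOM = """
ALL : ALL : allow            # catch-all matches first
sshd : 127.0.0.1 : deny      # never reached
"""
FTPD_ONE_PEER = """
ftpd : 192.0.2.10 : allow    # the one peer expected to connect
ftpd : ALL : deny            # everyone else is refused
"""

if __name__ == "__main__":
    for name, text in [("top", TEST_AT_TOP), ("bottom", TEST_AT_BOTTOM)]:
        print(name, decide(parse_rules(text), "sshd", "127.0.0.1"))
    for ip in ("192.0.2.10", "198.51.100.7"):
        print(ip, decide(parse_rules(FTPD_ONE_PEER), "ftpd", ip))
```

The ftpd rules only take effect when ftpd is started in a way that consults hosts.allow, which in this thread is reported to be the case under inetd.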