From owner-freebsd-questions@FreeBSD.ORG Fri May 12 20:26:53 2006
Date: Fri, 12 May 2006 15:25:44 -0500
From: Derek Ragona
To: Eric Schuele, FreeBSD Questions
Subject: Re: Pros and Cons of running under inetd....
In-Reply-To: <4464CEDA.80906@computer.org>
References: <4464B95D.1040702@computer.org> <20060512171515.GC34035@catflap.slightlystrange.org> <4464CEDA.80906@computer.org>

inetd running is discouraged.
Instead run the daemons on boot using rc scripts. If you look back in the history, inetd running is a security risk, and was discouraged in the 5.X releases.

-Derek

At 01:07 PM 5/12/2006, Eric Schuele wrote:
>Daniel Bye wrote:
>>On Fri, May 12, 2006 at 11:35:41AM -0500, Eric Schuele wrote:
>>>Hello,
>>>
>>>I run sshd and ftpd on my laptop. I generally start them via:
>>>  sshd_enable="YES"
>>>  ftpd_enable="YES"
>>>in my rc.conf.
>>>
>>>What are the pros/cons of running them via inetd?
>>>
>>>This is in no way a high load or production machine. Just my laptop
>>>that I need access to from time to time.
>>>
>>>The one pro I have noticed (which is rather important to me) is that
>>>ftpd does not heed hosts.allow directives when NOT run via inetd. Am I
>>>correct in this? I prefer to use tcpwrappers to further protect my sshd
>>>and ftpd. I generally keep ftpd firewalled off from the world and when
>>>someone needs to (anonymous) ftp something to me I open the firewall.
>>>But it would be nice to allow only their IP using hosts.allow (as I just
>>>enable/disable a generic ruleset in ipfw). So should I forget to
>>>disable the ruleset in ipfw then I am not open all day till I reboot.
>
>Thanks for the response.
>
>>When sshd starts, it needs to generate keys and set up its cryptographic
>>environment, so you will notice a bit of lag before getting a login
>>prompt. This may or may not mean anything to you, depending on how
>>beefy your laptop is.
>>Check man sshd for the -i option.
>>sshd should, by default, be compiled with tcpwrappers support anyway.
>>You can test whether this is the case by putting something like this at
>>the top of your hosts.allow:
>>  sshd : 127.0.0.1 : deny
>>and then try connecting on the loopback interface. If you see `refused
>>connect from localhost' in your /var/log/auth.log, then your sshd uses
>>hosts.allow and running it from inetd won't give you any benefit.
>
>Actually I have sshd under control. It works fine, and yes, uses
>tcpwrappers by default.
>
>>I don't know about ftpd, as I don't use it.
>
>ftpd however does not seem to use them.
>
>>Dan
>
>Although I am curious about ftpd and tcpwrappers.... I am also interested
>in whether or not running these daemons under inetd is preferred or
>not. If so why? If not, why?
>
>--
>Regards,
>Eric
>_______________________________________________
>freebsd-questions@freebsd.org mailing list
>http://lists.freebsd.org/mailman/listinfo/freebsd-questions
>To unsubscribe, send any mail to "freebsd-questions-unsubscribe@freebsd.org"
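Eric's use case above is a hosts.allow that admits only one peer's address to ftpd while the ipfw hole is open, and Daniel's loopback deny line is the way to confirm a daemon consults the file at all. The evaluator below is an added example, not code from the thread and not FreeBSD's libwrap; it models a simplified hosts_access(5) match (first matching line decides, access granted when nothing matches) so a ruleset can be checked on paper before the firewall is opened. The sample rules and IPv4 addresses are constructed, and only the ALL, exact-address, dotted-prefix and net/mask or CIDR client patterns are handled.

```python
import ipaddress

# Constructed sample ruleset: Daniel's loopback test for sshd, then Eric's
# wish to let only one peer reach ftpd while everything else stays open.
SAMPLE_HOSTS_ALLOW = """
sshd : 127.0.0.1 : deny
ftpd : 192.0.2.44 : allow        # the one peer who needs to upload today
ftpd : ALL : deny
ALL  : ALL : allow
"""

def parse_rules(text):
    """Parse 'daemon_list : client_list [: allow|deny]' lines (simplified)."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()       # drop comments and blanks
        if not line:
            continue
        fields = [f.strip() for f in line.split(":")]
        if len(fields) < 2:
            raise ValueError("malformed rule: %r" % raw)
        action = fields[2].lower() if len(fields) > 2 else "allow"
        if action not in ("allow", "deny"):
            raise ValueError("unsupported option: %r" % action)
        rules.append((fields[0].split(), fields[1].split(), action))
    return rules

def _client_matches(pattern, addr):
    """ALL, exact IPv4, dotted prefix ('10.20.30.'), net/mask or CIDR."""
    if pattern == "ALL":
        return True
    if pattern.endswith("."):
        return addr.startswith(pattern)
    ip = ipaddress.ip_address(addr)
    if "/" in pattern:
        return ip in ipaddress.ip_network(pattern, strict=False)
    return ip == ipaddress.ip_address(pattern)

def access_allowed(rules, daemon, addr):
    """First matching rule decides; no match means access is granted."""
    for daemons, clients, action in rules:
        if daemon in daemons or "ALL" in daemons:
            if any(_client_matches(p, addr) for p in clients):
                return action == "allow"
    return True

if __name__ == "__main__":
    rules = parse_rules(SAMPLE_HOSTS_ALLOW)
    for daemon, peer in [("sshd", "127.0.0.1"), ("ftpd", "192.0.2.44"),
                         ("ftpd", "198.51.100.7"), ("sshd", "10.20.30.5")]:
        print(daemon, peer, "allow" if access_allowed(rules, daemon, peer) else "deny")
```

The model only tells you what the file would decide; whether a given daemon honours it (the point of Daniel's loopback test) still has to be checked against the real service and /var/log/auth.log.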