From owner-freebsd-questions Mon Jan 12 15:50:44 1998
Return-Path:
Received: (from root@localhost) by hub.freebsd.org (8.8.7/8.8.7) id PAA21897 for questions-outgoing; Mon, 12 Jan 1998 15:50:44 -0800 (PST) (envelope-from owner-freebsd-questions)
Received: from limbo.rtfm.net (nathan@rtfm.net [204.141.125.38]) by hub.freebsd.org (8.8.7/8.8.7) with ESMTP id PAA21846; Mon, 12 Jan 1998 15:50:25 -0800 (PST) (envelope-from nathan@limbo.rtfm.net)
Received: (from nathan@localhost) by limbo.rtfm.net (8.8.8/8.8.8) id SAA03226; Mon, 12 Jan 1998 18:49:43 -0500 (EST)
Message-ID: <19980112184943.12096@rtfm.net>
Date: Mon, 12 Jan 1998 18:49:43 -0500
From: Nathan Dorfman
To: Johnathan Raymond Sconiers II
Cc: freebsd-questions@freebsd.org, freebsd-isp@freebsd.org
Subject: Re: Security for isp
References:
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 0.88
In-Reply-To: ; from Johnathan Raymond Sconiers II on Mon, Jan 12, 1998 at 01:46:02PM -0600
Sender: owner-freebsd-questions@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

On Mon, Jan 12, 1998 at 01:46:02PM -0600, Johnathan Raymond Sconiers II wrote:
>
> Hi, sorry to bother you again with ISP questions, but I wanted to know if
> there are any things such as daemons, ports/packages that I should
> automatically disable. THANKS

You should disable anything you don't need. In particular it's a good idea to
disable telnetd, rshd, rlogind, etc. and enable only sshd. You can have
/etc/inetd.conf point these services to a shell script that prints out why
they are disabled and asks them to use ssh. You should really disable anything
you don't need; ftpd is a good candidate. Many people have computers dedicated
to local SMB or http but leave services like ftpd and telnetd on for no
apparent reason.

As to what you should _en_able, you should definitely look into xinetd, an
enhanced (security-wise and otherwise) replacement for inetd.
I recommend that you use sshd for remote logins instead of telnetd, but this
isn't all that necessary if the machine is going to be running on a trusted
network, with no access from the outside. tcp_wrappers might also be a wise
choice.

-- 
Nathan Dorfman        PGP: finger nathan@rtfm.net
nathan@rtfm.net       http://www.rtfm.net
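The "point the service at a shell script" idea from the reply, as an added example that is not part of the original post: `print_banner` is the script inetd would run in place of telnetd/rshd/rlogind, and `disable_line`/`disable_services` rewrite inetd.conf entries so those services invoke it as an unprivileged user instead of the real daemon. The path /usr/local/sbin/no-service and the user "nobody" are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): replace legacy inetd services
# with a banner script. /usr/local/sbin/no-service and "nobody" are assumed.

BANNER_SCRIPT=/usr/local/sbin/no-service   # assumed install location

# What the client sees: inetd hands the accepted socket to the script as
# stdin/stdout, so printing a message and exiting is the whole "daemon".
print_banner() {
    printf 'The %s service is disabled on this host.\r\n' "$1"
    printf 'Please connect with ssh instead.\r\n'
}

# Rewrite one inetd.conf line. Fields are:
#   service socktype proto wait/nowait user server-program server-args
# For a service named in $2 (space-separated list), keep the socket fields,
# drop the real daemon, and run the banner script as "nobody" instead.
# Comments, blank lines and other services pass through unchanged.
disable_line() {
    line=$1
    services=$2
    set -f                          # no glob expansion while splitting
    set -- $line                    # split the line into its fields
    set +f
    case " $services " in
        *" $1 "*)
            printf '%s %s %s %s nobody %s no-service %s\n' \
                "$1" "$2" "$3" "$4" "$BANNER_SCRIPT" "$1"
            ;;
        *)
            printf '%s\n' "$line"
            ;;
    esac
}

# Filter a whole inetd.conf on stdin, e.g.:
#   disable_services "telnet shell login exec" < /etc/inetd.conf > inetd.conf.new
disable_services() {
    while IFS= read -r line; do
        disable_line "$line" "$1"
    done
}
```

Install the banner function as the script named in BANNER_SCRIPT, review the rewritten file, and then signal inetd to reread its configuration.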