Date: Tue, 23 Nov 2010 20:41:17 -0600
From: Kevin Kinsey <kdk@daleco.biz>
To: Dave <dave@g8kbv.demon.co.uk>
Cc: freebsd-questions@freebsd.org
Subject: Re: new user questions. (Before I back myself into a corner!)
Message-ID: <4CEC7B4D.7000608@daleco.biz>
In-Reply-To: <4CEC4677.7554.3BF9432E@dave.g8kbv.demon.co.uk>
References: <4CEC4677.7554.3BF9432E@dave.g8kbv.demon.co.uk>
Dave wrote:
>
> Hi. Sorry ... <snip>

Hello, and welcome.  And I made it a bit shorter ;-)

> I'd like to:-
> Have a ssh login via LAN available, I believe that's a standard feature,
> but I expressly disabled that (well, told it not to implement it) when
> I originally installed the OS. Or have a VNC server running.

As someone mentioned:

sshd_enable="YES"

in /etc/rc.conf.  You can then either a] reboot, or b] issue the
following with root privileges:

/etc/rc.d/sshd start

> Have a small web server, again I've read that Apache can do a good job,
> but I don't want (nor need) all its facilities, in particular I need to
> lock it down so no "PUTs" can happen for a start! The web pages are
> simple flat form, text and static graphics, with a little client side
> scripting, purely to find the client's local date and time, to select the
> graphic to serve.

I believe Beech had some advice on this.  It's probably pretty good :-)

> Have a FTP server, so I can automate some of the web page graphics
> updates, from other systems that generate the data, and can FTP files
> across the LAN, also of course for general web page maintenance needs.

The base system ftpd is run from inetd, a "super server" which can serve
several small protocols.  Have a look at /etc/inetd.conf.  The first
"real" line:

#ftp    stream  tcp     nowait  root    /usr/libexec/ftpd       ftpd -l

Uncomment that (remove the 'hash'), and save it (you'll have to be root
again, of course).

See if inetd is running:

$ pgrep inetd

If you get a number (PID), it's running.  Otherwise, you'll probably need
to enable it.  Again, you need:

inetd_enable="YES"

in /etc/rc.conf.  Add the line and either a] reboot, or b] issue the
following with root privileges:

/etc/rc.d/inetd start

Sound familiar?

*IF* inetd was *already running*, all you should have to do is issue:

$ kill -HUP `pgrep inetd`

> It'd be nice to have a VPN endpoint, but not essential, as that is
> currently living on another W2k box. But in the long term perhaps. The
> only complication with that, is I need to be able to tunnel a UDP VoIP
> stream over/through it. (I currently use Hamachi on Windows for that, it
> works well.) Also, the "other end" needs to live on a XP (or later)
> Laptop.

I'll leave vpn to someone more knowledgeable in that area.  AFAIK you'll
have to install a port; /usr/ports/security/openvpn is likely the
canonical program, but, as I say, seek other advice on that fo' shizzle ;-)

> I would prefer to
> have FTP logins that are in no way related to any system login users.

I can't help with that either; check the docs on Beech's suggestions,
perhaps.

> Lastly, I have everything so far (on the Win2k box) working well with
> highly non standard (high numbered) ports. Even though it's "exposed"
> (via port forwarding in the router) to the outside, there is next to no
> "noise", (script kiddies, chinese hackers etc) poking around my back
> passage.
>
> Of all the stuff I've read so far in the FreeBSD handbook, and a few
> other places, not one mention is made (that I can see so far) of how to
> set services for alternative port numbers?

That's generally in the configuration file for the server.  This
information might be available in the manpage, if one exists.  For
example:

$ man sshd | col -bx > ~/sshd.txt
$ grep -c port ~/sshd.txt
22

So, there's at least 22 mentions of "port" in the sshd manpage.  As it
turns out, there's a line in /etc/ssh/sshd_config that gives it right
away:

$ grep -i port /etc/ssh/sshd_config
#Port 22
# Disable legacy (protocol version 1) support in the server for new
#GatewayPorts no

So, remove the comment from the "Port 22" line, change the number from
the default 22 (222, perhaps, for memory's sake?) and either a] reboot,
or b] "kill -HUP `pgrep sshd`" (sounding REAL familiar now).

Incidentally, one might suggest that running on non-standard ports is
merely security by obscurity.  In the case of sshd, at least, a better
solution might be to only allow key-based authentication; but, as I
said, that's just a suggestion.  I have done such things myself a time
or two ... I kinda think I just delayed the inevitable in that case,
though.

> Lastly, as I don't want to break the existing NTP server, I may find
> another PC of similar spec, to mess with, with some sort of impunity.

Well, as I mention, often you can enable and start these additional
services from the base system with little or no interruption to extant
services at all (which, IMHO, is exactly as a Real Server should work,
take that, M$).  But I suppose we'd certainly understand.  You might
even just get a Live-CD distribution and dink around with that.  AFAIK,
you could run ftpd, inetd, and sshd temporarily on those just to get a
feel for how to administer them.

My $0.02,

Kevin D. Kinsey
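Kevin's closing point, that an alternate port is only obscurity and that key-based authentication is the real fix, and his "#Port 22" grep earlier in the reply, as an added example that is not part of the original thread: a POSIX sh/awk helper that rewrites a copy of sshd_config so that sshd moves to an alternate port AND stops accepting passwords. Two things it shows that the thread does not spell out: sshd uses the first value it finds for a keyword, so a commented "#Port 22" line documents the default rather than setting anything; and on FreeBSD, where sshd runs with UsePAM, "PasswordAuthentication no" alone is not enough, because PAM can still prompt for a password through the keyboard-interactive path. The function names, the sample config and the port number 2222 are assumptions; nothing here touches /etc or signals a running sshd.

```shell
#!/bin/sh
# Added example; not code from the original thread.  It does what Kevin's reply
# suggests for sshd: move the daemon to an alternate port AND disable password
# logins, instead of relying on the port alone.  It only rewrites a copy of
# sshd_config and never touches /etc or signals sshd.  Function names, the
# sample config mentioned in the usage comment and the port number are assumptions.

# sshd_effective CONFIG KEY DEFAULT
# Print the value sshd would use for KEY at top level.  sshd uses the FIRST
# uncommented occurrence of a keyword; a "#Port 22" line is only documentation
# of the built-in default, so DEFAULT is printed when no live line exists.
# Everything from the first "Match" line on is conditional and is ignored here.
sshd_effective() {
    awk -v key="$2" -v def="$3" '
        tolower($1) == "match"      { exit }          # conditional blocks start here
        /^[ \t]*#/ || NF == 0       { next }          # comments and blank lines
        tolower($1) == tolower(key) { print $2; found = 1; exit }
        END { if (!found) print def }
    ' "$1"
}

# harden_sshd_config SRC DST PORT
# Write DST from SRC with the directives below forced at the top of the file
# (first value wins, so they take effect whatever follows) and the original
# top-level copies of those keywords, live or commented out, removed.  Match
# blocks are copied unchanged so per-user or per-host exceptions survive.
harden_sshd_config() {
    awk -v port="$3" '
        BEGIN {
            k[++n] = "Port";                            v[k[n]] = port
            k[++n] = "PasswordAuthentication";          v[k[n]] = "no"
            # FreeBSD runs sshd with UsePAM yes, and PAM can still ask for a
            # password via keyboard-interactive auth unless this is off too
            # (newer OpenSSH calls the same switch KbdInteractiveAuthentication).
            k[++n] = "ChallengeResponseAuthentication"; v[k[n]] = "no"
            k[++n] = "PubkeyAuthentication";            v[k[n]] = "yes"
            k[++n] = "PermitRootLogin";                 v[k[n]] = "no"
            print "# --- forced by harden_sshd_config; sshd uses the first value it sees ---"
            for (i = 1; i <= n; i++) { print k[i] " " v[k[i]]; forced[tolower(k[i])] = 1 }
            print "# --- end forced section ---"
        }
        !in_match && tolower($1) == "match" { in_match = 1 }
        !in_match {
            line = $0
            sub(/^[ \t]*#?[ \t]*/, "", line)          # so "#Port 22" is recognised too
            split(line, f, /[ \t]+/)
            key = tolower(f[1])
            if (key in forced) next                   # superseded top-level line: drop it
        }
        { print }
    ' "$1" > "$2"
}

# Usage: sh harden_sshd.sh /etc/ssh/sshd_config /tmp/sshd_config.new 2222
# then syntax-check the result with "sshd -t -f /tmp/sshd_config.new" before
# copying it into place and sending sshd a HUP as described in the thread.
if [ "$#" -eq 3 ]; then
    harden_sshd_config "$1" "$2" "$3"
    printf 'Port=%s PasswordAuthentication=%s ChallengeResponseAuthentication=%s\n' \
        "$(sshd_effective "$2" Port 22)" \
        "$(sshd_effective "$2" PasswordAuthentication yes)" \
        "$(sshd_effective "$2" ChallengeResponseAuthentication yes)"
fi
```

Because `kill -HUP` only re-reads the config for new connections, existing sessions survive it; install your public key in ~/.ssh/authorized_keys first, HUP sshd, then prove a key-based login works from a second terminal before closing the one you already have. If the box is reachable through a router port-forward, remember to forward the new port as well.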