From: Kevin Kinsey <kdk@daleco.biz>
To: Dave
Cc: freebsd-questions@freebsd.org
Date: Tue, 23 Nov 2010 20:41:17 -0600
Subject: Re: new user questions. (Before I back myself into a corner!)
Message-ID: <4CEC7B4D.7000608@daleco.biz>
In-Reply-To: <4CEC4677.7554.3BF9432E@dave.g8kbv.demon.co.uk>

Dave wrote:
>
> Hi. Sorry ...

Hello, and welcome.
And I made it a bit shorter ;-)

> I'd like to:-
> Have a ssh login via LAN available, I believe that's a standard feature,
> but I expressly disabled that (well, told it not to implement it) when
> I originally installed the OS. Or have a VNC server running.

As someone mentioned:

    sshd_enable="YES"

in /etc/rc.conf. You can then either a] reboot, or b] issue the following
with root privileges:

    /etc/rc.d/sshd start

> Have a small web server, again I've read that Apache can do a good job,
> but I don't want (nor need) all its facilities, in particular I need to
> lock it down so no "PUTs" can happen for a start! The web pages are
> simple flat form, text and static graphics, with a little client side
> scripting, purely to find the client's local date and time, to select the
> graphic to serve.

I believe Beech had some advice on this. It's probably pretty good :-)

> Have an FTP server, so I can automate some of the web page graphics
> updates, from other systems that generate the data, and can FTP files
> across the LAN, also of course for general web page maintenance needs.

The base system ftpd is run from inetd, a "super server" which can serve
several small protocols. Have a look at /etc/inetd.conf. The first "real"
line:

    #ftp    stream  tcp     nowait  root    /usr/libexec/ftpd       ftpd -l

Uncomment that (remove the 'hash'), and save it (you'll have to be root
again, of course). See if inetd is running:

    $ pgrep inetd

If you get a number (PID), it's running. Otherwise, you'll probably need to
enable it. Again, you need:

    inetd_enable="YES"

in /etc/rc.conf. Add the line and either a] reboot, or b] issue the following
with root privileges:

    /etc/rc.d/inetd start

Sound familiar? *IF* inetd was *already running*, all you should have to do
is issue:

    $ kill -HUP `pgrep inetd`

> It'd be nice to have a VPN endpoint, but not essential, as that is
> currently living on another W2k box. But in the long term perhaps.
> The only complication with that, is I need to be able to tunnel a UDP VoIP
> stream over/through it. (I currently use Hamachi on Windows for that, it
> works well.) Also, the "other end" needs to live on an XP (or later)
> Laptop.

I'll leave vpn to someone more knowledgeable in that area. AFAIK you'll have
to install a port; /usr/ports/security/openvpn is likely the canonical
program, but, as I say, seek other advice on that fo' shizzle ;-)

> I would prefer to
> have FTP logins that are in no way related to any system login users.

I can't help with that either; check the docs on Beech's suggestions, perhaps.

> Lastly, I have everything so far (on the Win2k box) working well with
> highly non-standard (high numbered) ports. Even though it's "exposed"
> (via port forwarding in the router) to the outside, there is next to no
> "noise", (script kiddies, chinese hackers etc) poking around my back
> passage.
>
> Of all the stuff I've read so far in the FreeBSD handbook, and a few
> other places, not one mention is made (that I can see so far) of how to
> set services for alternative port numbers?

That's generally in the configuration file for the server. This information
might be available in the manpage, if one exists. For example:

    $ man sshd | col -bx > ~/sshd.txt
    $ grep -c port ~/sshd.txt
    22

So, there's at least 22 mentions of "port" in the sshd manpage. As it turns
out, there's a line in /etc/ssh/sshd_config that gives it right away:

    $ grep -i port /etc/ssh/sshd_config
    #Port 22
    # Disable legacy (protocol version 1) support in the server for new
    #GatewayPorts no

So, remove the comment from the "Port 22" line, change the number from the
default 22 (222, perhaps, for memory's sake?) and either a] reboot, or
b] "kill -HUP `pgrep sshd`" (sounding REAL familiar now).

Incidentally, one might suggest that running on non-standard ports is merely
security by obscurity.
In the case of sshd, at least, a better solution might be to only allow
key-based authentication; but, as I said, that's just a suggestion. I have
done such things myself a time or two ... I kinda think I just delayed the
inevitable in that case, though.

> Lastly, as I don't want to break the existing NTP server, I may find
> another PC of similar spec, to mess with, with some sort of impunity.

Well, as I mention, often you can enable and start these additional services
from the base system with little or no interruption to extant services at all
(which, IMHO, is exactly as a Real Server should work, take that, M$). But I
suppose we'd certainly understand. You might even just get a Live-CD
distribution and dink around with that. AFAIK, you could run ftpd, inetd, and
sshd temporarily on those just to get a feel for how to administer them.

My $0.02,

Kevin D. Kinsey
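As an added example (this is not code from Kevin's reply nor from the FreeBSD base system), the POSIX shell script below carries out the three edits the reply walks through in one place: the `sshd_enable`/`inetd_enable` lines in rc.conf, uncommenting the ftpd line in inetd.conf, and moving sshd to port 222, plus the key-only authentication the reply recommends over a moved port. It works on constructed copies of the three files in a scratch directory so it can be run and inspected without touching a live machine; the scratch directory, the sample file contents and the helper function names are assumptions made for this example. Each edit is idempotent, so running it twice leaves no duplicate lines, which is the usual mistake when appending to rc.conf by hand.

```shell
#!/bin/sh
# Added example, not from the original email.  Applies the rc.conf,
# inetd.conf and sshd_config changes the reply describes to COPIES of
# the files under $WORK (a constructed scratch directory), never to /etc.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# Constructed sample files mimicking the stock defaults quoted in the email.
setup_samples() {
    printf 'hostname="box.example"\nntpd_enable="YES"\n' > "$WORK/rc.conf"
    printf '#ftp\tstream\ttcp\tnowait\troot\t/usr/libexec/ftpd\tftpd -l\n' > "$WORK/inetd.conf"
    printf '#telnet\tstream\ttcp\tnowait\troot\t/usr/libexec/telnetd\ttelnetd\n' >> "$WORK/inetd.conf"
    printf '#Port 22\n#PasswordAuthentication yes\n#GatewayPorts no\n' > "$WORK/sshd_config"
}

# Set <name>_enable="YES" in an rc.conf-style file, replacing any existing
# line for that service so repeated runs do not pile up duplicates.
# (On current FreeBSD, sysrc(8) does the same job; the manual edit matches the email.)
enable_rc_service() {
    file=$1; name=$2
    awk -v key="${name}_enable" '
        $0 ~ "^"key"=" { print key"=\"YES\""; seen=1; next }
        { print }
        END { if (!seen) print key"=\"YES\"" }' "$file" > "$file.tmp" && mv "$file.tmp" "$file"
}

# Remove the leading '#' from one service line in inetd.conf (ftp here);
# every other commented-out service stays disabled.
uncomment_inetd_service() {
    file=$1; svc=$2
    awk -v svc="$svc" '$0 ~ "^#"svc"[[:space:]]" { sub(/^#/, "") } { print }' \
        "$file" > "$file.tmp" && mv "$file.tmp" "$file"
}

# Set an sshd_config keyword, replacing the commented-out default or an
# existing active setting so exactly one copy of the keyword remains.
set_sshd_option() {
    file=$1; key=$2; val=$3
    awk -v key="$key" -v val="$val" '
        $0 ~ "^#?"key"[[:space:]]" { if (!seen) { print key" "val; seen=1 }; next }
        { print }
        END { if (!seen) print key" "val }' "$file" > "$file.tmp" && mv "$file.tmp" "$file"
}

# Read back the active (uncommented) value of an sshd_config keyword.
sshd_option() {
    awk -v key="$2" '$1 == key { print $2; exit }' "$1"
}

# Count active <name>_enable="YES" lines in an rc.conf-style file.
rc_enabled() {
    grep -c "^${2}_enable=\"YES\"" "$1" || true
}

# Count active (uncommented) lines for a service in inetd.conf.
inetd_active() {
    grep -c "^${2}[[:space:]]" "$1" || true
}

apply_email_changes() {
    enable_rc_service "$WORK/rc.conf" sshd
    enable_rc_service "$WORK/rc.conf" inetd
    uncomment_inetd_service "$WORK/inetd.conf" ftp
    set_sshd_option "$WORK/sshd_config" Port 222
    # The reply's stronger suggestion than a moved port: keys only, no passwords.
    set_sshd_option "$WORK/sshd_config" PasswordAuthentication no
    set_sshd_option "$WORK/sshd_config" PubkeyAuthentication yes
}

setup_samples
apply_email_changes
apply_email_changes   # second run must be a no-op: no duplicated lines
echo "sshd Port now: $(sshd_option "$WORK/sshd_config" Port) (files under $WORK)"
```

To use the same helpers on a real box, point them at /etc/rc.conf, /etc/inetd.conf and /etc/ssh/sshd_config as root, run `sshd -t` to have sshd check the edited config before signalling anything, and then send the `kill -HUP` the reply describes to inetd and sshd. Keep the existing session open until a second login on the new port with a key succeeds, since disabling password authentication on a host with no authorized key installed locks you out.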