From owner-freebsd-chat Tue Jul 28 02:22:16 1998 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id CAA07272 for freebsd-chat-outgoing; Tue, 28 Jul 1998 02:22:16 -0700 (PDT) (envelope-from owner-freebsd-chat@FreeBSD.ORG) Received: from freefall.pipeline.ch (freefall.pipeline.ch [195.134.128.40]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id CAA07209; Tue, 28 Jul 1998 02:22:01 -0700 (PDT) (envelope-from andre@pipeline.ch) Received: from pipeline.ch ([195.134.128.41]) by freefall.pipeline.ch (Netscape Mail Server v2.02) with ESMTP id AAA322; Tue, 28 Jul 1998 11:20:21 +0200 Message-ID: <35BD97DE.2E242C6E@pipeline.ch> Date: Tue, 28 Jul 1998 11:20:30 +0200 From: "IBS / Andre Oppermann" Organization: Internet Business Solutions Ltd. (AG) X-Mailer: Mozilla 4.03 [en] (WinNT; U) MIME-Version: 1.0 To: Brett Glass CC: "Jan B. Koum" , chat@FreeBSD.ORG, security@FreeBSD.ORG Subject: Re: FreeBSD Security How-To (Was: QPopper exploit) References: <199807272300.RAA00688@lariat.lariat.org> <199807272354.RAA01585@lariat.lariat.org> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: owner-freebsd-chat@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org Brett Glass wrote: -snip- > I do think that the section on eliminating inetd needs some fleshing out, > though. Some servers, such as all of the POP3 daemons I've tried, don't > seem to admit themselves to being run except from inetd. Also, the section > should discuss the dangers of having a server die without any automatic > means to resuscitate it. For example, the docs for identd warn against > running it without inetd, since if it quits it will not be restarted. > Perhaps a utility that checks for the presence of servers and restarts them > if they've died could be developed as part of this effort and perhaps added > to the FreeBSD distribution. There's a nice tool called tcpserver avail from DJB (we all love his coding style): ftp://koobera.math.uic.edu/www/ucspi-tcp.html The description: # tcpclient and tcpserver are easy-to-use command-line tools for building # TCP client-server applications. tcpclient makes a TCP connection and # runs a program of your choice. tcpserver waits for incoming connections # and, for each connection, runs a program of your choice. Your program # receives environment variables showing the local and remote host names, # IP addresses, and port numbers. # # tcpserver offers a concurrency limit to protect you from running out # of processes and memory. When you are handling 40 (by default) # simultaneous connections, tcpserver smoothly defers acceptance of # new connections. # # tcpserver also provides TCP access control features, similar to # tcp-wrappers/tcpd's hosts.allow but much faster. Its access control # rules are compiled into a hashed format with cdb, so it can easily # deal with thousands of different hosts. # # tcpclient and tcpserver conform to UCSPI, the UNIX Client-Server # Program Interface, using the TCP protocol. UCSPI tools are available # for several different networks. -- Andre Oppermann CEO / Geschaeftsfuehrer Internet Business Solutions Ltd. (AG) Hardstrasse 235, 8005 Zurich, Switzerland Fon +41 1 277 75 75 / Fax +41 1 277 75 77 http://www.pipeline.ch ibs@pipeline.ch To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-chat" in the body of the message