From owner-freebsd-stable  Tue Jul 31 21:45:41 2001
Delivered-To: freebsd-stable@freebsd.org
Received: from ns.yogotech.com (ns.yogotech.com [206.127.123.66])
	by hub.freebsd.org (Postfix) with ESMTP
	id 2432E37B401; Tue, 31 Jul 2001 21:45:32 -0700 (PDT)
	(envelope-from nate@yogotech.com)
Received: from nomad.yogotech.com (nomad.yogotech.com [206.127.123.131])
	by ns.yogotech.com (8.9.3/8.9.3) with ESMTP id WAA25667;
	Tue, 31 Jul 2001 22:45:30 -0600 (MDT)
	(envelope-from nate@nomad.yogotech.com)
Received: (from nate@localhost)
	by nomad.yogotech.com (8.8.8/8.8.8) id WAA17669;
	Tue, 31 Jul 2001 22:45:30 -0600 (MDT)
	(envelope-from nate)
From: Nate Williams <nate@yogotech.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Message-ID: <15207.35178.61523.131897@nomad.yogotech.com>
Date: Tue, 31 Jul 2001 22:45:30 -0600 (MDT)
To: Robert Watson <rwatson@FreeBSD.ORG>
Cc: arch@FreeBSD.ORG, stable@FreeBSD.ORG
Subject: Disabling portmapper (was Re: Patch to modify default inetd.conf, have sysinstall prompt to edit , inetd.conf)
In-Reply-To: <Pine.NEB.3.96L.1010731233839.54921B-200000@fledge.watson.org>
References: <Pine.NEB.3.96L.1010731233839.54921B-200000@fledge.watson.org>
X-Mailer: VM 6.75 under 21.1 (patch 12) "Channel Islands" XEmacs Lucid
Reply-To: nate@yogotech.com (Nate Williams)
Sender: owner-freebsd-stable@FreeBSD.ORG
Precedence: bulk
List-ID: <freebsd-stable.FreeBSD.ORG>
List-Archive: <http://docs.freebsd.org/mail/> (Web Archive)
List-Help: <mailto:majordomo@FreeBSD.ORG?subject=help> (List Instructions)
List-Subscribe: <mailto:majordomo@FreeBSD.ORG?subject=subscribe%20freebsd-stable>
List-Unsubscribe: <mailto:majordomo@FreeBSD.ORG?subject=unsubscribe%20freebsd-stable>
X-Loop: FreeBSD.ORG

> One of the observations that has been made fairly frequently to me is that
> the current default inetd.conf puts many FreeBSD users at risk
> unnecessarily, as many of them have moved to using SSH for remote access
> needs.  In particular in light of the recent ftpd and telnetd security
> bugs, it seems like 4.4-RELEASE would be a good time to move to a more
> conservative default of having both of these services disabled in the base
> install, as both NetBSD and OpenBSD have moved to doing.

In the same vein, shouldn't we also have the portmapper 'disabled' out
of the box by default?  I know we haven't (yet) had any remote exploits
like Linux, but it may only be a matter of time.

Plus, the crap filling up the logs could be argued as a type of DoS.




Nate

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-stable" in the body of the message