From owner-freebsd-questions Tue Feb 3 21:51:53 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id VAA20606 for questions-outgoing; Tue, 3 Feb 1998 21:51:53 -0800 (PST) (envelope-from owner-freebsd-questions@FreeBSD.ORG)
Received: from dove.peace.com.my (peace.com.my [202.184.153.15]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id VAA20597 for ; Tue, 3 Feb 1998 21:51:44 -0800 (PST) (envelope-from panda@peace.com.my)
Received: from lovebox (love.com.my [202.184.153.17]) by dove.peace.com.my (8.8.5/8.8.5) with SMTP id NAA14411 for ; Wed, 4 Feb 1998 13:36:57 +0800 (SGT)
Date: Wed, 4 Feb 1998 13:36:57 +0800 (SGT)
Message-Id: <3.0.32.19980204135923.0093ebb0@peace.com.my>
X-Sender: panda@peace.com.my
X-Mailer: Windows Eudora Pro Version 3.0 (32)
To: freebsd-questions@FreeBSD.ORG
From: chas
Subject: minimalist /etc/services and /etc/inetd.conf Re: Security
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG
X-To-Unsubscribe: mail to majordomo@FreeBSD.org "unsubscribe questions"

Following the advice of a security book to disable all un-required
services, I was quite amazed at the default /etc/services for FBSD
(using 2.1.7). Literally hundreds of weird and wonderful services.

So far, I've trimmed it to :

[snip]
# - Sure that I need :
ftp-data         20/tcp    #File Transfer [Default Data]
ftp-data         20/udp    #File Transfer [Default Data]
ftp              21/tcp    #File Transfer [Control]
ftp              21/udp    #File Transfer [Control]
telnet           23/tcp
telnet           23/udp
smtp             25/tcp    mail         #Simple Mail Transfer
smtp             25/udp    mail         #Simple Mail Transfer
http             80/tcp    www www-http #World Wide Web HTTP
poppassd        106/tcp
pop2            109/tcp    postoffice   #Post Office Protocol - Version 2
pop3            110/tcp    #Post Office Protocol - Version 3

# - Use on some of our machines :
#domain          53/tcp    #Domain Name Server
#domain          53/udp    #Domain Name Server

# - Not sure but keeping just in case :
tcpmux            1/tcp    #TCP Port Service Multiplexer
tcpmux            1/udp    #TCP Port Service Multiplexer
echo              7/tcp
echo              7/udp
systat           11/tcp    users        #Active Users
systat           11/udp    users        #Active Users
daytime          13/tcp
daytime          13/udp
nameserver       42/tcp    name         #Host Name Server
nameserver       42/udp    name         #Host Name Server
auth            113/tcp    ident tap    #Authentication Service
syslog          514/udp
router          520/udp    route routed
[/snip]

and I'm a bit wary of removing something that has other services
dependent upon it. (All my Digital Unix boxes tend to keep echo/daytime
and a few others.)

But for a standard webserver, and mailserver for multiple domains,
(with telnet/ftp access for myself) is there anything else that
should be removed ?
(or worse, anything that shouldn't have been culled)

And my minimalist /etc/inetd.conf is :

[snip]
# - Kept from the default installation :
ftp      stream  tcp  nowait  root  /usr/libexec/ftpd     ftpd -l
telnet   stream  tcp  nowait  root  /usr/libexec/telnetd  telnetd

# Added :
pop3     stream  tcp  nowait  root  /usr/local/libexec/popper    popper
poppassd stream  tcp  nowait  root  /usr/local/libexec/poppassd  poppassd

# - Default installation services which I've disabled :
# shell   stream  tcp  nowait  root    /usr/libexec/rshd     rshd
# login   stream  tcp  nowait  root    /usr/libexec/rlogind  rlogind
# uucpd   stream  tcp  nowait  root    /usr/libexec/uucpd    uucpd
# finger  stream  tcp  nowait  nobody  /usr/libexec/fingerd  fingerd -s
# comsat  dgram   udp  wait    root    /usr/libexec/comsat   comsat
# ntalk   dgram   udp  wait    root    /usr/libexec/ntalkd   ntalkd

# - Not sure if they can be disabled too :
discard  stream  tcp  nowait  root  internal
discard  dgram   udp  wait    root  internal
chargen  stream  tcp  nowait  root  internal
daytime  stream  tcp  nowait  root  internal
time     stream  tcp  nowait  root  internal
echo     stream  tcp  nowait  root  internal
[snip]

Would disabling discard,chargen,daytime,time have any adverse effects
on other services ?

chas
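
An added cross-check for the two files in this message (example code, not part of the original post): inetd resolves the service name in the first field of each inetd.conf entry through /etc/services, so the script reports enabled entries whose name/protocol pair has no line there, plus the entries still handled by inetd's built-in "internal" servers. The sample data is abridged from the posted files; parse_services and audit are names chosen here, and only plain tcp/udp entries are handled.

```python
# Added example, not from the post. Sample data is abridged from the posted files.
SERVICES = """\
ftp 21/tcp #File Transfer [Control]
smtp 25/tcp mail #Simple Mail Transfer
pop3 110/tcp #Post Office Protocol - Version 3
#domain 53/tcp #Domain Name Server
echo 7/tcp
daytime 13/tcp
"""
INETD = """\
ftp stream tcp nowait root /usr/libexec/ftpd ftpd -l
pop3 stream tcp nowait root /usr/local/libexec/popper popper
# finger stream tcp nowait nobody /usr/libexec/fingerd fingerd -s
discard stream tcp nowait root internal
discard dgram udp wait root internal
chargen stream tcp nowait root internal
daytime stream tcp nowait root internal
time stream tcp nowait root internal
echo stream tcp nowait root internal
"""

def parse_services(text):
    """Return the set of (name, proto) pairs defined, aliases included."""
    known = set()
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()  # drop comments, then tokenize
        if len(fields) >= 2 and "/" in fields[1]:
            proto = fields[1].split("/", 1)[1]
            known.update((name, proto) for name in [fields[0]] + fields[2:])
    return known

def audit(inetd_text, services_text):
    """Return (unresolved, internal) lists of (name, proto) for enabled entries."""
    known = parse_services(services_text)
    unresolved, internal = [], []
    for line in inetd_text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) < 6:  # blank, commented-out or malformed line
            continue
        entry = (fields[0], fields[2])  # (service name, protocol)
        if entry not in known:
            unresolved.append(entry)  # enabled, but no /etc/services line
        if fields[5] == "internal":
            internal.append(entry)  # served by inetd itself, no external daemon
    return unresolved, internal

if __name__ == "__main__":
    print(audit(INETD, SERVICES))
```

Run against the files as posted, it lists discard, chargen and time as enabled in inetd.conf without a matching /etc/services line.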