Date:      Fri, 12 May 2006 15:25:44 -0500
From:      Derek Ragona <derek@computinginnovations.com>
To:        Eric Schuele <e.schuele@computer.org>, FreeBSD Questions <freebsd-questions@freebsd.org>
Subject:   Re: Pros and Cons of running under inetd....
Message-ID:  <6.0.0.22.2.20060512152402.026a60c8@mail.computinginnovations.com>
In-Reply-To: <4464CEDA.80906@computer.org>
References:  <4464B95D.1040702@computer.org> <20060512171515.GC34035@catflap.slightlystrange.org> <4464CEDA.80906@computer.org>

inetd running is discouraged.  Instead run the daemons on boot using rc 
scripts.  If you look back in the history, inetd running is a security 
risk, and was discouraged in the 5.X releases.

         -Derek

At 01:07 PM 5/12/2006, Eric Schuele wrote:
>Daniel Bye wrote:
>>On Fri, May 12, 2006 at 11:35:41AM -0500, Eric Schuele wrote:
>>>Hello,
>>>
>>>I run sshd and ftpd on my laptop.  I generally start them via:
>>>   sshd_enable="YES"
>>>   ftpd_enable="YES"
>>>in my rc.conf.
>>>
>>>What are the pros/cons of running them via inetd?
>>>
>>>This is in no way a high load or production machine.  Just my laptop
>>>that I need access to from time to time.
>>>
>>>The one pro I have noticed (which is rather important to me) is that
>>>ftpd does not heed hosts.allow directives when NOT run via inetd.  Am I
>>>correct in this?  I prefer to use tcpwrappers to further protect my sshd 
>>>and ftpd.  I generally keep ftpd firewalled off from the world and when 
>>>someone needs to (anonymous) ftp something to me I open the firewall. 
>>>But it would be nice to allow only their IP using hosts.allow (as I just 
>>>enable/disable a generic ruleset in ipfw).  So should I forget to 
>>>disable the ruleset in ipfw then I am not open all day till I reboot.
>
>Thanks for the response.
>
>>When sshd starts, it needs to generate keys and set up its cryptographic
>>environment, so you will notice a bit of lag before getting a login
>>prompt.  This may or may not mean anything to you, depending on how
>>beefy your laptop is.
>>Check man sshd for the -i option.
>>sshd should, by default, be compiled with tcpwrappers support anyway.
>>You can test whether this is the case by putting something like this at
>>the top of your hosts.allow:
>>sshd : 127.0.0.1 : deny
>>and then try connecting on the loopback interface.  If you see `refused
>>connect from localhost' in your /var/log/auth.log, then your sshd uses
>>hosts.allow and running it from inetd won't give you any benefit.
>
>Actually I have sshd under control.  It works fine, and yes uses 
>tcpwrappers by default.
>
>>I don't know about ftpd, as I don't use it.
>
>ftpd however does not seem to use them.
>
>>Dan
>
>Although I am curious about ftpd and tcpwrappers.... I am also interested 
>in whether or not running these daemons under inetd is preferred or 
>not.  If so why?  If not, why?
>
>--
>Regards,
>Eric

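
Added example, not part of any message in this thread: a simplified first-match evaluator for the hosts.allow rules discussed above, showing why the test line `sshd : 127.0.0.1 : deny` has to sit at the top of the file and how a per-IP ftpd rule would behave. It assumes only the `daemon_list : client_list : allow|deny` form with IPv4 clients; the sample file, the addresses and the function names are constructed for illustration. The rules take effect only for a daemon that actually consults hosts.allow, which is what the loopback test in the thread checks.

```python
# Simplified model of hosts.allow evaluation: the first matching rule decides.
# Supported client patterns: ALL, an exact IPv4 address, a prefix ending in ".".
# Options other than allow/deny (spawn, twist, ...) are ignored here.

SAMPLE_HOSTS_ALLOW = """\
# constructed sample, not taken from the thread's systems
sshd : 127.0.0.1 : deny
ftpd : 192.0.2.10 : allow
ftpd : ALL : deny
ALL : ALL : allow
"""

def _client_matches(pattern, addr):
    if pattern == "ALL":
        return True
    if pattern.endswith("."):            # prefix form, e.g. "192.0.2."
        return addr.startswith(pattern)
    return pattern == addr

def parse_rules(text):
    """Return a list of (daemons, clients, verdict) in file order."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = [f.strip() for f in line.split(":")]
        if len(fields) < 2:
            continue                     # malformed line, skip it
        daemons = fields[0].replace(",", " ").split()
        clients = fields[1].replace(",", " ").split()
        # A matching rule with no "deny" option grants access.
        verdict = "deny" if "deny" in fields[2:] else "allow"
        rules.append((daemons, clients, verdict))
    return rules

def check_access(rules, daemon, addr):
    """Return (verdict, rule_number); rule_number is None if nothing matched."""
    for number, (daemons, clients, verdict) in enumerate(rules, 1):
        daemon_ok = "ALL" in daemons or daemon in daemons
        if daemon_ok and any(_client_matches(c, addr) for c in clients):
            return verdict, number
    return "allow", None                 # no matching rule: access is granted

if __name__ == "__main__":
    rules = parse_rules(SAMPLE_HOSTS_ALLOW)
    for daemon, addr in [("sshd", "127.0.0.1"), ("ftpd", "192.0.2.10"),
                         ("ftpd", "198.51.100.7"), ("sshd", "198.51.100.7")]:
        print(daemon, addr, check_access(rules, daemon, addr))
```

Moving the `ALL : ALL : allow` line to the top of the sample makes every later rule unreachable, which is the ordering mistake the "top of your hosts.allow" advice avoids.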


