Date:      Fri, 12 May 2006 13:07:22 -0500
From:      Eric Schuele <e.schuele@computer.org>
To:        FreeBSD Questions <freebsd-questions@freebsd.org>
Subject:   Re: Pros and Cons of running under inetd....
Message-ID:  <4464CEDA.80906@computer.org>
In-Reply-To: <20060512171515.GC34035@catflap.slightlystrange.org>
References:  <4464B95D.1040702@computer.org> <20060512171515.GC34035@catflap.slightlystrange.org>

Daniel Bye wrote:
> On Fri, May 12, 2006 at 11:35:41AM -0500, Eric Schuele wrote:
>> Hello,
>>
>> I run sshd and ftpd on my laptop.  I generally start them via:
>>   sshd_enable="YES"
>>   ftpd_enable="YES"
>> in my rc.conf.
>>
>> What are the pros/cons of running them via inetd?
>>
>> This is in no way a high load or production machine.  Just my laptop
>> that I need access to from time to time.
>>
>> The one pro I have noticed (which is rather important to me) is that
>> ftpd does not heed hosts.allow directives when NOT run via inetd.  Am I
>> correct in this?  I prefer to use tcpwrappers to further protect my sshd 
>> and ftpd.  I generally keep ftpd firewalled off from the world and when 
>> someone needs to (anonymous) ftp something to me I open the firewall. 
>> But it would be nice to allow only their IP using hosts.allow (as I just 
>> enable/disable a generic ruleset in ipfw).  So should I forget to 
>> disable the ruleset in ipfw then I am not open all day till I reboot.
> 

Thanks for the response.

> When sshd starts, it needs to generate keys and set up its cryptographic
> environment, so you will notice a bit of lag before getting a login
> prompt.  This may or may not mean anything to you, depending on how
> beefy your laptop is.
> 
> Check man sshd for the -i option.
> 
> sshd should, by default, be compiled with tcpwrappers support anyway.
> You can test whether this is the case by putting something like this at
> the top of your hosts.allow:
> 
> sshd : 127.0.0.1 : deny
> 
> and then try connecting on the loopback interface.  If you see `refused
> connect from localhost' in your /var/log/auth.log, then your sshd uses
> hosts.allow and running it from inetd won't give you any benefit.
> 

Actually I have sshd under control.  It works fine and, yes, uses
tcpwrappers by default.

> I don't know about ftpd, as I don't use it.

ftpd, however, does not seem to use them.

> 
> Dan
> 

Although I am curious about ftpd and tcpwrappers, I am also
interested in whether running these daemons under inetd is
preferred or not.  If so, why?  If not, why?

-- 
Regards,
Eric
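The two things the thread turns on are how hosts.allow rules are matched (first matching rule wins, with the daemon and client lists checked in turn) and what a wrapped daemon writes to /var/log/auth.log when it refuses a connection. The script below is an added example, not code from the thread or from FreeBSD; it implements a deliberately simplified hosts_access(5) evaluator (only plain daemon names and addresses plus the ALL wildcard, no netmasks, no shell-command options) and counts the `refused connect from` lines Daniel suggests looking for. The rules file and log lines are constructed for the example and are written to temporary files.

```shell
#!/bin/sh
# Added example (not from the thread): a first-match evaluator for a
# simplified hosts.allow rule form "daemon_list : client_list : allow|deny",
# plus a check of auth.log lines for tcpd-style refusals.
# Assumption: lists are comma-separated names/addresses or ALL; no netmasks,
# no "spawn"/"twist" options. A rule with no third field means allow, which is
# what a bare rule in hosts.allow means in hosts_access(5).

# hosts_allow_decision DAEMON CLIENT RULESFILE
# Prints "allow" or "deny". The first matching rule wins; when no rule
# matches, access is granted, as hosts_access(5) does.
hosts_allow_decision() {
    awk -v daemon="$1" -v client="$2" '
        # 1 if item (or ALL) appears in the comma-separated list
        function member(list, item,    n, parts, i) {
            n = split(list, parts, /[ \t]*,[ \t]*/)
            for (i = 1; i <= n; i++) {
                gsub(/^[ \t]+|[ \t]+$/, "", parts[i])
                if (parts[i] == "ALL" || parts[i] == item) return 1
            }
            return 0
        }
        /^[ \t]*(#|$)/ { next }            # skip comments and blank lines
        {
            n = split($0, f, /[ \t]*:[ \t]*/)
            if (n < 2) next
            gsub(/^[ \t]+|[ \t]+$/, "", f[1])
            if (n >= 3) gsub(/^[ \t]+|[ \t]+$/, "", f[3])
            if (member(f[1], daemon) && member(f[2], client)) {
                verdict = (n >= 3 && f[3] ~ /^deny/) ? "deny" : "allow"
                print verdict; found = 1; exit
            }
        }
        END { if (!found) print "allow" }
    ' "$3"
}

# count_tcpd_refusals DAEMON LOGFILE
# Counts "refused connect from" lines logged by DAEMON (libwrap writes
# exactly this phrase when hosts.allow denies a connection).
count_tcpd_refusals() {
    grep -c "$1\[[0-9]*\]: refused connect from" "$2" || :
}

# Constructed sample data (not from any real system).
RULES=$(mktemp); LOG=$(mktemp)
trap 'rm -f "$RULES" "$LOG"' EXIT
cat > "$RULES" <<'EOF'
# constructed hosts.allow for the example
sshd : 127.0.0.1 : deny
ftpd : 192.0.2.10, 127.0.0.1 : allow
ftpd : ALL : deny
EOF
cat > "$LOG" <<'EOF'
May 12 13:00:01 laptop sshd[1201]: refused connect from 127.0.0.1 (127.0.0.1)
May 12 13:00:05 laptop sshd[1207]: Accepted publickey for eric from 192.0.2.10 port 51022 ssh2
May 12 13:00:09 laptop ftpd[1210]: refused connect from 198.51.100.7 (198.51.100.7)
EOF

echo "sshd from 127.0.0.1:    $(hosts_allow_decision sshd 127.0.0.1 "$RULES")"    # deny
echo "ftpd from 192.0.2.10:   $(hosts_allow_decision ftpd 192.0.2.10 "$RULES")"   # allow
echo "ftpd from 198.51.100.7: $(hosts_allow_decision ftpd 198.51.100.7 "$RULES")" # deny
echo "sshd from 192.0.2.10:   $(hosts_allow_decision sshd 192.0.2.10 "$RULES")"   # allow (no rule matched)
echo "sshd refusals logged:   $(count_tcpd_refusals sshd "$LOG")"                # 1
```

The last case is the one worth remembering: with no matching rule the default is allow, so a hosts.allow that is meant to restrict ftpd to one address needs a closing `ftpd : ALL : deny` line (as in the constructed file above), and the evaluator only matters at all for a daemon that actually consults hosts.allow, either because it is linked with libwrap, as sshd is, or because inetd is started with its `-w` option so that external services such as ftpd are wrapped before they run.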
