d/freebsd-dev
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
9d8a81b4e4
freebsd-dev/etc/inetd.conf

120 lines
4.9 KiB
Plaintext
Raw Normal View History

$Id$ -> $FreeBSD$
1999-08-27 23:37:10 +00:00
# $FreeBSD$
Initial import of 386BSD 0.1 othersrc/etc
1993-06-20 13:41:45 +00:00
#
# Internet server configuration database
#
Default to disabling all inetd.conf entries, in particular, telnetd and ftpd. This more conservative default reduces the exposure of freshly installed machines, which is especially valuable for machines that receive minimal further configuration before being put into production. Generally speaking, SSH has superseded the use of both telnet and ftp in many environments. In light of recent remotely exploitable security holes in both telnetd and ftpd, this choice retains flexibility (both telnetd and ftpd daemons remain installed and easily enableable) while protecting users who don't need the additional risk. This change brings our configuration into line with the majority of other UNIX vendors, including OpenBSD and NetBSD. To address the concerns of those requiring remote access via telnet from first install, changes will shortly be committed to sysinstall to provide the ability to edit inetd.conf during the installation process, allowing telnetd and ftp to be re-enabled during the installation process. While I'm at it, slightly improve commenting for inetd.conf so that it's more clear to users how to enable and disable services. Further commenting to indicate the functions of various columns would probably also be useful. Reviewed by: imp, chris, jake, nate, -arch, -stable
2001-08-02 02:19:56 +00:00
# Define *both* IPv4 and IPv6 entries for dual-stack support.
# To disable a service, comment it out by prefixing the line with '#'.
# To enable a service, remove the '#' at the beginning of the line.
Initial import of 386BSD 0.1 othersrc/etc
1993-06-20 13:41:45 +00:00
#
Default to disabling all inetd.conf entries, in particular, telnetd and ftpd. This more conservative default reduces the exposure of freshly installed machines, which is especially valuable for machines that receive minimal further configuration before being put into production. Generally speaking, SSH has superseded the use of both telnet and ftp in many environments. In light of recent remotely exploitable security holes in both telnetd and ftpd, this choice retains flexibility (both telnetd and ftpd daemons remain installed and easily enableable) while protecting users who don't need the additional risk. This change brings our configuration into line with the majority of other UNIX vendors, including OpenBSD and NetBSD. To address the concerns of those requiring remote access via telnet from first install, changes will shortly be committed to sysinstall to provide the ability to edit inetd.conf during the installation process, allowing telnetd and ftp to be re-enabled during the installation process. While I'm at it, slightly improve commenting for inetd.conf so that it's more clear to users how to enable and disable services. Further commenting to indicate the functions of various columns would probably also be useful. Reviewed by: imp, chris, jake, nate, -arch, -stable
2001-08-02 02:19:56 +00:00
#ftp stream tcp nowait root /usr/libexec/ftpd ftpd -l
#ftp stream tcp6 nowait root /usr/libexec/ftpd ftpd -l
Bit of modernising. Remove old KerberosIV entries, add example sshd entries, sort internal services the same as everywhere else.
2003-06-09 21:04:30 +00:00
#ssh stream tcp nowait root /usr/sbin/sshd sshd -i -4
#ssh stream tcp6 nowait root /usr/sbin/sshd sshd -i -6
Default to disabling all inetd.conf entries, in particular, telnetd and ftpd. This more conservative default reduces the exposure of freshly installed machines, which is especially valuable for machines that receive minimal further configuration before being put into production. Generally speaking, SSH has superseded the use of both telnet and ftp in many environments. In light of recent remotely exploitable security holes in both telnetd and ftpd, this choice retains flexibility (both telnetd and ftpd daemons remain installed and easily enableable) while protecting users who don't need the additional risk. This change brings our configuration into line with the majority of other UNIX vendors, including OpenBSD and NetBSD. To address the concerns of those requiring remote access via telnet from first install, changes will shortly be committed to sysinstall to provide the ability to edit inetd.conf during the installation process, allowing telnetd and ftp to be re-enabled during the installation process. While I'm at it, slightly improve commenting for inetd.conf so that it's more clear to users how to enable and disable services. Further commenting to indicate the functions of various columns would probably also be useful. Reviewed by: imp, chris, jake, nate, -arch, -stable
2001-08-02 02:19:56 +00:00
#telnet stream tcp nowait root /usr/libexec/telnetd telnetd
#telnet stream tcp6 nowait root /usr/libexec/telnetd telnetd
Disable rsh and rlogin by default. ssh and telnet are still available for remote access on default installations.
2000-10-04 07:56:16 +00:00
#shell stream tcp nowait root /usr/libexec/rshd rshd
Integrate the IPv6 entries with the rest of them to avoid things getting out of sync. A similar change was made by itojun on the OpenBSD tree a few weeks ago. This should stop people disabling one server and forgetting the other one (eg: ftp and/or telnet)
2001-03-30 10:25:40 +00:00
#shell stream tcp6 nowait root /usr/libexec/rshd rshd
Disable rsh and rlogin by default. ssh and telnet are still available for remote access on default installations.
2000-10-04 07:56:16 +00:00
#login stream tcp nowait root /usr/libexec/rlogind rlogind
Integrate the IPv6 entries with the rest of them to avoid things getting out of sync. A similar change was made by itojun on the OpenBSD tree a few weeks ago. This should stop people disabling one server and forgetting the other one (eg: ftp and/or telnet)
2001-03-30 10:25:40 +00:00
#login stream tcp6 nowait root /usr/libexec/rlogind rlogind
Add -k to the recommended fingerd(8) command line. MFC after: 2 weeks
2010-04-01 13:13:09 +00:00
#finger stream tcp nowait/3/10 nobody /usr/libexec/fingerd fingerd -k -s
#finger stream tcp6 nowait/3/10 nobody /usr/libexec/fingerd fingerd -k -s
Default to disabling all inetd.conf entries, in particular, telnetd and ftpd. This more conservative default reduces the exposure of freshly installed machines, which is especially valuable for machines that receive minimal further configuration before being put into production. Generally speaking, SSH has superseded the use of both telnet and ftp in many environments. In light of recent remotely exploitable security holes in both telnetd and ftpd, this choice retains flexibility (both telnetd and ftpd daemons remain installed and easily enableable) while protecting users who don't need the additional risk. This change brings our configuration into line with the majority of other UNIX vendors, including OpenBSD and NetBSD. To address the concerns of those requiring remote access via telnet from first install, changes will shortly be committed to sysinstall to provide the ability to edit inetd.conf during the installation process, allowing telnetd and ftp to be re-enabled during the installation process. While I'm at it, slightly improve commenting for inetd.conf so that it's more clear to users how to enable and disable services. Further commenting to indicate the functions of various columns would probably also be useful. Reviewed by: imp, chris, jake, nate, -arch, -stable
2001-08-02 02:19:56 +00:00
#
comsat sandbox prevents biff/comsat from being able to print partial mailbox contents. comsat instead simply prints that new mail is available. Add appropriate comment to inetd.conf but leave comsat in sandbox.
1998-12-01 22:01:59 +00:00
# run comsat as root to be able to print partial mailbox contents w/ biff,
# or use the safer tty:tty to just print that new mail has been received.
Default to disabling all inetd.conf entries, in particular, telnetd and ftpd. This more conservative default reduces the exposure of freshly installed machines, which is especially valuable for machines that receive minimal further configuration before being put into production. Generally speaking, SSH has superseded the use of both telnet and ftp in many environments. In light of recent remotely exploitable security holes in both telnetd and ftpd, this choice retains flexibility (both telnetd and ftpd daemons remain installed and easily enableable) while protecting users who don't need the additional risk. This change brings our configuration into line with the majority of other UNIX vendors, including OpenBSD and NetBSD. To address the concerns of those requiring remote access via telnet from first install, changes will shortly be committed to sysinstall to provide the ability to edit inetd.conf during the installation process, allowing telnetd and ftp to be re-enabled during the installation process. While I'm at it, slightly improve commenting for inetd.conf so that it's more clear to users how to enable and disable services. Further commenting to indicate the functions of various columns would probably also be useful. Reviewed by: imp, chris, jake, nate, -arch, -stable
2001-08-02 02:19:56 +00:00
#comsat dgram udp wait tty:tty /usr/libexec/comsat comsat
#
# ntalk is required for the 'talk' utility to work correctly
#ntalk dgram udp wait tty:tty /usr/libexec/ntalkd ntalkd
Turn on logging for tftpd.
2004-03-11 22:15:28 +00:00
#tftp dgram udp wait root /usr/libexec/tftpd tftpd -l -s /tftpboot
#tftp dgram udp6 wait root /usr/libexec/tftpd tftpd -l -s /tftpboot
In the brave new world, that that does not make us strong, kills us. Turn OFF the "small servers" by default. FreeBSD systems should only serve actively used programs. Jewels like chargen and echo are too useful in attack scenarios.
1996-10-02 03:52:58 +00:00
#bootps dgram udp wait root /usr/libexec/bootpd bootpd
#
# "Small servers" -- used to be standard on, but we're more conservative
# about things due to Internet security concerns. Only turn on what you
# need.
#
#daytime stream tcp nowait root internal
Integrate the IPv6 entries with the rest of them to avoid things getting out of sync. A similar change was made by itojun on the OpenBSD tree a few weeks ago. This should stop people disabling one server and forgetting the other one (eg: ftp and/or telnet)
2001-03-30 10:25:40 +00:00
#daytime stream tcp6 nowait root internal
In the brave new world, that that does not make us strong, kills us. Turn OFF the "small servers" by default. FreeBSD systems should only serve actively used programs. Jewels like chargen and echo are too useful in attack scenarios.
1996-10-02 03:52:58 +00:00
#daytime dgram udp wait root internal
Integrate the IPv6 entries with the rest of them to avoid things getting out of sync. A similar change was made by itojun on the OpenBSD tree a few weeks ago. This should stop people disabling one server and forgetting the other one (eg: ftp and/or telnet)
2001-03-30 10:25:40 +00:00
#daytime dgram udp6 wait root internal
In the brave new world, that that does not make us strong, kills us. Turn OFF the "small servers" by default. FreeBSD systems should only serve actively used programs. Jewels like chargen and echo are too useful in attack scenarios.
1996-10-02 03:52:58 +00:00
#time stream tcp nowait root internal
Integrate the IPv6 entries with the rest of them to avoid things getting out of sync. A similar change was made by itojun on the OpenBSD tree a few weeks ago. This should stop people disabling one server and forgetting the other one (eg: ftp and/or telnet)
2001-03-30 10:25:40 +00:00
#time stream tcp6 nowait root internal
In the brave new world, that that does not make us strong, kills us. Turn OFF the "small servers" by default. FreeBSD systems should only serve actively used programs. Jewels like chargen and echo are too useful in attack scenarios.
1996-10-02 03:52:58 +00:00
#time dgram udp wait root internal
Integrate the IPv6 entries with the rest of them to avoid things getting out of sync. A similar change was made by itojun on the OpenBSD tree a few weeks ago. This should stop people disabling one server and forgetting the other one (eg: ftp and/or telnet)
2001-03-30 10:25:40 +00:00
#time dgram udp6 wait root internal
In the brave new world, that that does not make us strong, kills us. Turn OFF the "small servers" by default. FreeBSD systems should only serve actively used programs. Jewels like chargen and echo are too useful in attack scenarios.
1996-10-02 03:52:58 +00:00
#echo stream tcp nowait root internal
Integrate the IPv6 entries with the rest of them to avoid things getting out of sync. A similar change was made by itojun on the OpenBSD tree a few weeks ago. This should stop people disabling one server and forgetting the other one (eg: ftp and/or telnet)
2001-03-30 10:25:40 +00:00
#echo stream tcp6 nowait root internal
Bit of modernising. Remove old KerberosIV entries, add example sshd entries, sort internal services the same as everywhere else.
2003-06-09 21:04:30 +00:00
#echo dgram udp wait root internal
#echo dgram udp6 wait root internal
In the brave new world, that that does not make us strong, kills us. Turn OFF the "small servers" by default. FreeBSD systems should only serve actively used programs. Jewels like chargen and echo are too useful in attack scenarios.
1996-10-02 03:52:58 +00:00
#discard stream tcp nowait root internal
Integrate the IPv6 entries with the rest of them to avoid things getting out of sync. A similar change was made by itojun on the OpenBSD tree a few weeks ago. This should stop people disabling one server and forgetting the other one (eg: ftp and/or telnet)
2001-03-30 10:25:40 +00:00
#discard stream tcp6 nowait root internal
In the brave new world, that that does not make us strong, kills us. Turn OFF the "small servers" by default. FreeBSD systems should only serve actively used programs. Jewels like chargen and echo are too useful in attack scenarios.
1996-10-02 03:52:58 +00:00
#discard dgram udp wait root internal
Integrate the IPv6 entries with the rest of them to avoid things getting out of sync. A similar change was made by itojun on the OpenBSD tree a few weeks ago. This should stop people disabling one server and forgetting the other one (eg: ftp and/or telnet)
2001-03-30 10:25:40 +00:00
#discard dgram udp6 wait root internal
In the brave new world, that that does not make us strong, kills us. Turn OFF the "small servers" by default. FreeBSD systems should only serve actively used programs. Jewels like chargen and echo are too useful in attack scenarios.
1996-10-02 03:52:58 +00:00
#chargen stream tcp nowait root internal
Integrate the IPv6 entries with the rest of them to avoid things getting out of sync. A similar change was made by itojun on the OpenBSD tree a few weeks ago. This should stop people disabling one server and forgetting the other one (eg: ftp and/or telnet)
2001-03-30 10:25:40 +00:00
#chargen stream tcp6 nowait root internal
In the brave new world, that that does not make us strong, kills us. Turn OFF the "small servers" by default. FreeBSD systems should only serve actively used programs. Jewels like chargen and echo are too useful in attack scenarios.
1996-10-02 03:52:58 +00:00
#chargen dgram udp wait root internal
Integrate the IPv6 entries with the rest of them to avoid things getting out of sync. A similar change was made by itojun on the OpenBSD tree a few weeks ago. This should stop people disabling one server and forgetting the other one (eg: ftp and/or telnet)
2001-03-30 10:25:40 +00:00
#chargen dgram udp6 wait root internal
In the brave new world, that that does not make us strong, kills us. Turn OFF the "small servers" by default. FreeBSD systems should only serve actively used programs. Jewels like chargen and echo are too useful in attack scenarios.
1996-10-02 03:52:58 +00:00
#
Update the cvs pserver example so that it gives some more obvious clues about the --allow-root switch. PR: 14463
1999-12-26 15:18:58 +00:00
# CVS servers - for master CVS repositories only! You must set the
# --allow-root path correctly or you open a trivial to exploit but
# deadly security hole.
In the brave new world, that that does not make us strong, kills us. Turn OFF the "small servers" by default. FreeBSD systems should only serve actively used programs. Jewels like chargen and echo are too useful in attack scenarios.
1996-10-02 03:52:58 +00:00
#
Remove CVS from the base system. Discussed with: many Reviewed by: peter, zi Approved by: core
2013-06-15 20:29:07 +00:00
#cvspserver stream tcp nowait root /usr/local/bin/cvs cvs --allow-root=/your/cvsroot/here pserver
#cvspserver stream tcp nowait root /usr/local/bin/cvs cvs --allow-root=/your/cvsroot/here kserver
In the brave new world, that that does not make us strong, kills us. Turn OFF the "small servers" by default. FreeBSD systems should only serve actively used programs. Jewels like chargen and echo are too useful in attack scenarios.
1996-10-02 03:52:58 +00:00
#
Correct comment. We use rpcbind now, not portmap Submitted by: Mike Makonnen <makonnen@pacbell.net>
2002-08-09 17:34:13 +00:00
# RPC based services (you MUST have rpcbind running to use these)
In the brave new world, that that does not make us strong, kills us. Turn OFF the "small servers" by default. FreeBSD systems should only serve actively used programs. Jewels like chargen and echo are too useful in attack scenarios.
1996-10-02 03:52:58 +00:00
#
#rstatd/1-3 dgram rpc/udp wait root /usr/libexec/rpc.rstatd rpc.rstatd
#rusersd/1-2 dgram rpc/udp wait root /usr/libexec/rpc.rusersd rpc.rusersd
#walld/1 dgram rpc/udp wait root /usr/libexec/rpc.rwalld rpc.rwalld
The rpc.pcnfsd server was in the base for a little over seven minutes back in 1994. Change the example entry to point at the port, as per the entries for uucpd et al.
2006-02-05 19:23:05 +00:00
#pcnfsd/1-2 dgram rpc/udp wait root /usr/local/libexec/rpc.pcnfsd rpc.pcnfsd
In the brave new world, that that does not make us strong, kills us. Turn OFF the "small servers" by default. FreeBSD systems should only serve actively used programs. Jewels like chargen and echo are too useful in attack scenarios.
1996-10-02 03:52:58 +00:00
#rquotad/1 dgram rpc/udp wait root /usr/libexec/rpc.rquotad rpc.rquotad
- Add IPv6 support in quota(1). While rpc.rquotad has supported PF_INET6 for a long time, quota(1) utility supported only PF_INET. - Clean up confusing changes in f_mntfromname. - Add an entry for rquotad with rpc/udp6 to inetd.conf. PR: 194084
2015-07-07 20:15:09 +00:00
#rquotad/1 dgram rpc/udp6 wait root /usr/libexec/rpc.rquotad rpc.rquotad
In the brave new world, that that does not make us strong, kills us. Turn OFF the "small servers" by default. FreeBSD systems should only serve actively used programs. Jewels like chargen and echo are too useful in attack scenarios.
1996-10-02 03:52:58 +00:00
#sprayd/1 dgram rpc/udp wait root /usr/libexec/rpc.sprayd rpc.sprayd
#
# example entry for the optional pop3 server
#
Change the example line for popper to point to /usr/local/libexec/popper instead of /usr/local/etc/popper. The 2.0 installation installs it there.
1994-11-18 20:01:21 +00:00
#pop3 stream tcp nowait root /usr/local/libexec/popper popper
Added entries for sup into services. Added an example entry for the pop3 popper into inetd.conf as a comment.
1993-12-05 16:39:47 +00:00
#
Add commented out example entry for imap4
1997-01-12 17:55:16 +00:00
# example entry for the optional imap4 server
#
#imap4 stream tcp nowait root /usr/local/libexec/imapd imapd
#
Since FreeBSD has never had a stock NNTP server, move the nntp line down to the section of optional mail/news services. Change the nntpd location to /usr/local/libexec since it's an optional software. Henceforth, nntpd will be advised to run as "news", which is a standard user in the system, instead of "usenet", which has never existed in the default master.passwd(5). Note: It's not "news:news" since inetd(8) runs a service at the specified user's login group by default. Add a blank comment line above the uucpd line so the section looks uniform. Partly pointed out by: Alexey Neyman <alex.neyman at auriga.ru> MFC after: 1 week
2003-06-06 08:54:29 +00:00
# example entry for the optional nntp server
#
#nntp stream tcp nowait news /usr/local/libexec/nntpd nntpd
#
Move the uucpd entry down a bit to live with other optional services and correct the path to /usr/local as an example. Submitted by: ru
2001-10-01 09:16:42 +00:00
# example entry for the optional uucpd server
Since FreeBSD has never had a stock NNTP server, move the nntp line down to the section of optional mail/news services. Change the nntpd location to /usr/local/libexec since it's an optional software. Henceforth, nntpd will be advised to run as "news", which is a standard user in the system, instead of "usenet", which has never existed in the default master.passwd(5). Note: It's not "news:news" since inetd(8) runs a service at the specified user's login group by default. Add a blank comment line above the uucpd line so the section looks uniform. Partly pointed out by: Alexey Neyman <alex.neyman at auriga.ru> MFC after: 1 week
2003-06-06 08:54:29 +00:00
#
Move the uucpd entry down a bit to live with other optional services and correct the path to /usr/local as an example. Submitted by: ru
2001-10-01 09:16:42 +00:00
#uucpd stream tcp nowait root /usr/local/libexec/uucpd uucpd
#
Document the new {auth,ident,tap} service and provide examples in the configuration file. Requested by: green
1999-07-16 15:41:14 +00:00
# Return error for all "ident" requests
Add example for the internal "ident server".
1998-11-04 19:42:35 +00:00
#
Document the new {auth,ident,tap} service and provide examples in the configuration file. Requested by: green
1999-07-16 15:41:14 +00:00
#auth stream tcp nowait root internal
Integrate the IPv6 entries with the rest of them to avoid things getting out of sync. A similar change was made by itojun on the OpenBSD tree a few weeks ago. This should stop people disabling one server and forgetting the other one (eg: ftp and/or telnet)
2001-03-30 10:25:40 +00:00
#auth stream tcp6 nowait root internal
Add example for the internal "ident server".
1998-11-04 19:42:35 +00:00
#
Document the -o and -t options to the internal auth service and give an example of their usage in the sample config. Merge the two examples for the green internal auth service. This commit failed the first time around because Brian beat me to the punch on inetd.8 . I like my descriptions better and I'm pretty sure Brian won't mind.
1999-07-23 15:49:34 +00:00
# Provide internally a real "ident" service which provides ~/.fakeid support,
Add -n to the example and explanation of the internal auth service.
1999-07-24 17:19:54 +00:00
# provides ~/.noident support, reports UNKNOWN as the operating system type
# and times out after 30 seconds.
In the brave new world, that that does not make us strong, kills us. Turn OFF the "small servers" by default. FreeBSD systems should only serve actively used programs. Jewels like chargen and echo are too useful in attack scenarios.
1996-10-02 03:52:58 +00:00
#
Add -n to the example and explanation of the internal auth service.
1999-07-24 17:19:54 +00:00
#auth stream tcp nowait root internal auth -r -f -n -o UNKNOWN -t 30
Integrate the IPv6 entries with the rest of them to avoid things getting out of sync. A similar change was made by itojun on the OpenBSD tree a few weeks ago. This should stop people disabling one server and forgetting the other one (eg: ftp and/or telnet)
2001-03-30 10:25:40 +00:00
#auth stream tcp6 nowait root internal auth -r -f -n -o UNKNOWN -t 30
Document the new {auth,ident,tap} service and provide examples in the configuration file. Requested by: green
1999-07-16 15:41:14 +00:00
#
# Example entry for an external ident server
#
I think the last revision got lost here. Identd needs to be run as root, at least for now. I relegated the getcred sysctls to only root, but if they're deemed to be "allowable" to export to users, I'll do so and revert this change.
1999-07-16 16:24:13 +00:00
#auth stream tcp wait root /usr/local/sbin/identd identd -w -t120
Restore the Samba entries which were spammed when someone added the imap4 entry.
1997-09-28 22:25:29 +00:00
#
Include a note below the example qmail entry that mentions that inetd is no longer the correct way to have qmail handle incoming qmail smtp connections. Also provide a url to the correct method.
2000-01-10 20:02:28 +00:00
# Example entry for the optional qmail MTA
# NOTE: This is no longer the correct way to handle incoming SMTP
# connections for qmail. Use tcpserver (http://cr.yp.to/ucspi-tcp.html)
# instead.
MFC: sample qmail entry.
1998-07-18 20:01:03 +00:00
#
#smtp stream tcp nowait qmaild /var/qmail/bin/tcp-env tcp-env /var/qmail/bin/qmail-smtpd
#
Restore the Samba entries which were spammed when someone added the imap4 entry.
1997-09-28 22:25:29 +00:00
# Enable the following two entries to enable samba startup from inetd
Add commented-out/prototype entries for samba's swat configuration tool. Requested by: "William Wong" <willwong@samurai.com> MFC after: 1 week
2001-10-03 05:30:56 +00:00
# (from the Samba documentation). Enable the third entry to enable the swat
# samba configuration tool.
Restore the Samba entries which were spammed when someone added the imap4 entry.
1997-09-28 22:25:29 +00:00
#
Fix tabbing damage in last commit.
2001-10-10 17:26:27 +00:00
#netbios-ssn stream tcp nowait root /usr/local/sbin/smbd smbd
#netbios-ns dgram udp wait root /usr/local/sbin/nmbd nmbd
Fix a typo in swat example. Spotted by: Sergey Osokin <osa@freebsd.org.ru> Reviewed by: ru Approved by: ru MFC after: 1 week
2002-02-13 08:21:45 +00:00
#swat stream tcp nowait/400 root /usr/local/sbin/swat swat
Reference in New Issue Copy Permalink