adjustd inetd.conf to run comsat and ntalk from tty sandbox, and
the (commented out) ident from the kmem sandbox.
Note that it is necessary to give each group access it's own uid to
prevent programs running under a single uid from being able to gdb
or otherwise mess with other programs (with different group perms) running
under the same uid.
if kerberos is installed. So far as I'm aware, kerberos aware clients
detect ECONNREFUSED and (if allowed) fall back to the non-kerberos
servers. They do not know how to interpret messages such as
"rlogind: unknown option -k".
I believe Garrett also mentioned this.
Unfortunately, this adds an extra step to bringing up kerberos.
It also stops /var/log/messages getting quite so many useless (and
confusing) error messages when somebody does a port scan on you.
Turn OFF the "small servers" by default. FreeBSD systems should only
serve actively used programs. Jewels like chargen and echo are too
useful in attack scenarios.
"hand", changed /etc/crontab to call /usr/sbin/newsyslog every hour
(the entry was there before - but we haven't had any newsyslog until
today :-) and changed /etc/inetd.conf to also contain (commentet out)
entries for rpc.rquotad and rpc.sprayd (taken from NetBSD)
Deleted commented-out line which would start mountd; that's not
the right pplace to do it (don't confuse the users).
Should probablyhave uncommented rpc.rstatd, but didn't.
running portmapper. These are site specific functionality and should only
be enabled for sites that want them, not by default.
These services REQUIRE portmapper to be running
