Commit Graph

61 Commits

Author SHA1 Message Date
obrien
5a20d2febf [DAVID O'BRIEN's OPINION]
Head off what I think is an abuse of the TRB, and disable lukemftpd.
2002-11-12 17:31:12 +00:00
obrien
b24557e6f0 Tweak the warning language. 2002-10-29 08:41:12 +00:00
rwatson
25c64c35f4 # WARNING: lukemftpd does not support PAM, MAC, per-class nologin files,
# or any login.conf resource limits or features; use it only if this is
# appropriate for your environment.  If you require these features, use
# the regular FreeBSD ftpd below.

Discourage users from using lukemftpd if they rely on any of these standard
FreeBSD features that are fully supported by our native ftpd.  There
may be other features that are not yet supported that I have not yet
discovered.
2002-10-24 15:46:10 +00:00
gordon
07b40589c7 Correct comment. We use rpcbind now, not portmap
Submitted by:	Mike Makonnen <makonnen@pacbell.net>
2002-08-09 17:34:13 +00:00
ume
a9a33dfb17 Add an IPv6 sample line for tftpd.
MFC after:	2 weeks
2002-04-11 17:17:28 +00:00
obrien
6e00963ef6 Add a sample line for lukemftp. 2002-03-26 19:54:12 +00:00
dd
43a9719eeb In the words of the submitter:
Kerberized CVS (kserver) listens on the same port as normal CVS
(pserver).  In /etc/inetd.conf cvs kserver is disabled by default,
but set to listen to the service port 'cvs' which doesn't exist.  It
should listen to 'cvspserver'.

PR:		34317
Submitted by:	Sean Chittenden <sean@chittenden.org>
2002-03-09 04:55:35 +00:00
maxim
314e99cda2 Fix a typo in swat example.
Spotted by:	Sergey Osokin <osa@freebsd.org.ru>
Reviewed by:	ru
Approved by:	ru
MFC after:	1 week
2002-02-13 08:21:45 +00:00
obrien
009e6f2073 Chroot to /tftpboot for tftp.
Reviewed by:	mdodd, peter
2001-10-22 01:46:53 +00:00
obrien
c08ea910e4 Fix tabbing damage in last commit. 2001-10-10 17:26:27 +00:00
jkh
6f03352a6e Add commented-out/prototype entries for samba's swat configuration tool.
Requested by:	"William Wong" <willwong@samurai.com>
MFC after:	1 week
2001-10-03 05:30:56 +00:00
kris
95c83a036d Move the uucpd entry down a bit to live with other optional services
and correct the path to /usr/local as an example.

Submitted by:	ru
2001-10-01 09:16:42 +00:00
rwatson
4f9a35a47b Default to disabling all inetd.conf entries, in particular, telnetd
and ftpd.  This more conservative default reduces the exposure of
freshly installed machines, which is especially valuable for machines
that receive minimal further configuration before being put into
production.  Generally speaking, SSH has superseded the use of both
telnet and ftp in many environments.  In light of recent remotely
exploitable security holes in both telnetd and ftpd, this choice
retains flexibility (both telnetd and ftpd daemons remain installed
and easily enableable) while protecting users who don't need the
additional risk.  This change brings our configuration into line with
the majority of other UNIX vendors, including OpenBSD and NetBSD.

To address the concerns of those requiring remote access via telnet
from first install, changes will shortly be committed to sysinstall
to provide the ability to edit inetd.conf during the installation
process, allowing telnetd and ftp to be re-enabled during the
installation process.

While I'm at it, slightly improve commenting for inetd.conf so that
it's more clear to users how to enable and disable services.
Further commenting to indicate the functions of various columns would
probably also be useful.

Reviewed by:	imp, chris, jake, nate, -arch, -stable
2001-08-02 02:19:56 +00:00
peter
4a1d0730d3 Integrate the IPv6 entries with the rest of them to avoid things getting
out of sync.  A similar change was made by itojun on the OpenBSD tree
a few weeks ago.  This should stop people disabling one server and
forgetting the other one (eg: ftp and/or telnet)
2001-03-30 10:25:40 +00:00
kris
9753316e35 Disable rsh and rlogin by default. ssh and telnet are still available for
remote access on default installations.
2000-10-04 07:56:16 +00:00
jkh
01476c6091 Turn fingerd OFF by default. Comparative essentials like telnetd
are bad enough, but finger is hardly a critical system service and
it's traditionally been vulnerable to a variety of attacks; anybody
remember RTFM and his worm?
2000-10-03 00:08:15 +00:00
jhb
c51ef0a20c Fix a misspelling in the comments for the IPv6 auth service and change them
to more closely resemble those in the IPv4 section.
2000-03-25 21:17:24 +00:00
shin
ad31bfc5ee Fix a typo. (s/eExample/Example/)
Submitted by: Robert Muir <rmuir@looksharp.net>
2000-03-05 20:23:44 +00:00
shin
23e5b71734 Add IPv6 services into inetd.conf.
Also enable some standard IPv6 apps by default.
These entries will be simply ignored on systems with no INET6 defined.

Approved by: jkh
Suggested by: peter
2000-02-27 18:39:34 +00:00
dbaker
adefa8db94 Include a note below the example qmail entry that mentions that inetd is
no longer the correct way to have qmail handle incoming qmail smtp
connections.  Also provide a url to the correct method.
2000-01-10 20:02:28 +00:00
peter
3e1f24ecce Update the cvs pserver example so that it gives some more obvious clues
about the --allow-root switch.

PR:		14463
1999-12-26 15:18:58 +00:00
peter
289c0d262f $Id$ -> $FreeBSD$ 1999-08-27 23:37:10 +00:00
green
42edab1b9c Add -n to the example and explanation of the internal auth service. 1999-07-24 17:19:54 +00:00
sheldonh
6a0edb4a00 Document the -o and -t options to the internal auth service and give an
example of their usage in the sample config. Merge the two examples
for the green internal auth service.

This commit failed the first time around because Brian beat me to the
punch on inetd.8 . I like my descriptions better and I'm pretty sure
Brian won't mind.
1999-07-23 15:49:34 +00:00
green
1ea4440a32 I think the last revision got lost here. Identd needs to be run as root,
at least for now. I relegated the getcred sysctls to only root, but if
they're deemed to be "allowable" to export to users, I'll do so and
revert this change.
1999-07-16 16:24:13 +00:00
sheldonh
b311ebd0a0 Document the new {auth,ident,tap} service and provide examples in the
configuration file.

Requested by:	green
1999-07-16 15:41:14 +00:00
green
9560f2b198 This is the working internal ident service. Turn it on by setting
the make variable REAL_IDENT, and ~/.fakeid support can be added
with FAKEID set. Note that the default behavior is the same as
the old behavior.
1999-07-15 01:34:02 +00:00
ache
445bc1259b Due to recent pidentd port changes (switch to sysctl), identd must be
run as root again, not kmem:kmem
1999-07-15 01:06:13 +00:00
dillon
557d938d62 comsat sandbox prevents biff/comsat from being able to print partial
mailbox contents.  comsat instead simply prints that new mail is
available.  Add appropriate comment to inetd.conf but leave comsat in
sandbox.
1998-12-01 22:01:59 +00:00
dillon
dd3c1b5f96 Added group bind(53), added sandbox users tty(4), kmem(5), and bind(53),
adjusted inetd.conf to run comsat and ntalk from tty sandbox, and
the (commented out) ident from the kmem sandbox.

Note that it is necessary to give each group access its own uid to
prevent programs running under a single uid from being able to gdb
or otherwise mess with other programs (with different group perms) running
under the same uid.
1998-12-01 21:19:49 +00:00
phk
bb11f17d51 Add example for the internal "ident server". 1998-11-04 19:42:35 +00:00
wosch
31d07cd031 Limit the fingerd daemon to:
runs only 3 simultaneous fingerd processes and
limit the connections-per-ip-per-minute to 10.
1998-09-30 16:12:40 +00:00
brian
387abc60ff Add Id keywords 1998-09-02 01:34:57 +00:00
markm
1a6e7e5848 Clean up the kerberos entries, and add example CVS entries 1998-08-15 17:32:27 +00:00
hoek
43d214a191 MFC: sample qmail entry. 1998-07-18 20:01:03 +00:00
jkh
4e4a882344 Restore the Samba entries which were spammed when someone added
the imap4 entry.
1997-09-28 22:25:29 +00:00
ache
cf438dc102 Add commented out example entry for imap4 1997-01-12 17:55:16 +00:00
peter
0a257647ab The kerberised network services should only be active in inetd.conf
if kerberos is installed.  So far as I'm aware, kerberos aware clients
detect ECONNREFUSED and (if allowed) fall back to the non-kerberos
servers.  They do not know how to interpret messages such as
"rlogind: unknown option -k".

I believe Garrett also mentioned this.

Unfortunately, this adds an extra step to bringing up kerberos.

It also stops /var/log/messages getting quite so many useless (and
confusing) error messages when somebody does a port scan on you.
1996-11-10 13:06:14 +00:00
pst
3a785907a3 In the brave new world, that that does not make us strong, kills us.
Turn OFF the "small servers" by default.  FreeBSD systems should only
serve actively used programs.  Jewels like chargen and echo are too
useful in attack scenarios.
1996-10-02 03:52:58 +00:00
phk
166676b019 Add commented out example for bootps 1996-09-19 08:19:25 +00:00
graichen
33c5bdb9ab changed /etc/[daily,weekly,monthly] to not rotate the logfiles by
"hand", changed /etc/crontab to call /usr/sbin/newsyslog every hour
(the entry was there before - but we haven't had any newsyslog until
today :-) and changed /etc/inetd.conf to also contain (commented out)
entries for rpc.rquotad and rpc.sprayd (taken from NetBSD)
1996-01-05 10:09:13 +00:00
joerg
7bbaffb06a Add /tftpboot as an argument to the commented-out example for tftp, so
people don't compromise their system by blindly un-commenting the
entry.
1995-12-23 17:12:49 +00:00
gibbs
fff68644b8 inetd.conf:
Add rkinit at 2108/tcp.

services:
Add rkinitd.
1995-09-15 22:02:06 +00:00
ache
4c0fc42609 Restore tabs in inetd line
Submitted by:
Obtained from:
1995-07-29 22:22:08 +00:00
ache
91068e770d Rename in.identd -> identd according to recent ports rename 1995-07-27 23:56:43 +00:00
ache
1def5e1133 Add ident (commented out) 1995-04-08 16:21:45 +00:00
wollman
1edc2b89b7 Disable UDP echo, chargen, date, and daytime services. 1994-12-21 20:32:44 +00:00
ache
62df3ff3bf Uncomment uucpd by default, it is working and secure now 1994-12-19 01:11:19 +00:00
ats
f8fe134136 Change the example line for popper to point to /usr/local/libexec/popper
instead of /usr/local/etc/popper. The 2.0 installation installs it there.
1994-11-18 20:01:21 +00:00
pst
44fa065838 Secure fingerd by default 1994-09-29 09:58:07 +00:00