Commit Graph

49 Commits

Author SHA1 Message Date
rwatson
4f9a35a47b Default to disabling all inetd.conf entries, in particular, telnetd
and ftpd.  This more conservative default reduces the exposure of
freshly installed machines, which is especially valuable for machines
that receive minimal further configuration before being put into
production.  Generally speaking, SSH has superseded the use of both
telnet and ftp in many environments.  In light of recent remotely
exploitable security holes in both telnetd and ftpd, this choice
retains flexibility (both telnetd and ftpd daemons remain installed
and easily enableable) while protecting users who don't need the
additional risk.  This change brings our configuration into line with
the majority of other UNIX vendors, including OpenBSD and NetBSD.

To address the concerns of those requiring remote access via telnet
from first install, changes will shortly be committed to sysinstall
to provide the ability to edit inetd.conf during the installation
process, allowing telnetd and ftp to be re-enabled during the
installation process.

While I'm at it, slightly improve commenting for inetd.conf so that
it's more clear to users how to enable and disable services.
Further commenting to indicate the functions of various columns would
probably also be useful.

Reviewed by:	imp, chris, jake, nate, -arch, -stable
2001-08-02 02:19:56 +00:00
peter
4a1d0730d3 Integrate the IPv6 entries with the rest of them to avoid things getting
out of sync.  A similar change was made by itojun on the OpenBSD tree
a few weeks ago.  This should stop people disabling one server and
forgetting the other one (eg: ftp and/or telnet)
2001-03-30 10:25:40 +00:00
kris
9753316e35 Disable rsh and rlogin by default. ssh and telnet are still available for
remote access on default installations.
2000-10-04 07:56:16 +00:00
jkh
01476c6091 Turn fingerd OFF by default. Comparative essentials like telnetd
are bad enough, but finger is hardly a critical system service and
it's traditionally been vulnerable to a variety of attacks; anybody
remember RTFM and his worm?
2000-10-03 00:08:15 +00:00
jhb
c51ef0a20c Fix a misspelling in the comments for the IPv6 auth service and change them
to more closely resemble those in the IPv4 section.
2000-03-25 21:17:24 +00:00
shin
ad31bfc5ee Fix a typo. (s/eExample/Example/)
Submitted by: Robert Muir <rmuir@looksharp.net>
2000-03-05 20:23:44 +00:00
shin
23e5b71734 Add IPv6 services into inetd.conf.
Also enable some standard IPv6 apps by default.
These entries will be simply ignored on systems with no INET6 defined.

Approved by: jkh
Suggested by: peter
2000-02-27 18:39:34 +00:00
dbaker
adefa8db94 Include a note below the example qmail entry that mentions that inetd is
no longer the correct way to have qmail handle incoming qmail smtp
connections.  Also provide a url to the correct method.
2000-01-10 20:02:28 +00:00
peter
3e1f24ecce Update the cvs pserver example so that it gives some more obvious clues
about the --allow-root switch.

PR:		14463
1999-12-26 15:18:58 +00:00
peter
289c0d262f $Id$ -> $FreeBSD$ 1999-08-27 23:37:10 +00:00
green
42edab1b9c Add -n to the example and explanation of the internal auth service. 1999-07-24 17:19:54 +00:00
sheldonh
6a0edb4a00 Document the -o and -t options to the internal auth service and give an
example of their usage in the sample config. Merge the two examples
for the green internal auth service.

This commit failed the first time around because Brian beat me to the
punch on inetd.8 . I like my descriptions better and I'm pretty sure
Brian won't mind.
1999-07-23 15:49:34 +00:00
green
1ea4440a32 I think the last revision got lost here. Identd needs to be run as root,
at least for now. I relegated the getcred sysctls to only root, but if
they're deemed to be "allowable" to export to users, I'll do so and
revert this change.
1999-07-16 16:24:13 +00:00
sheldonh
b311ebd0a0 Document the new {auth,ident,tap} service and provide examples in the
configuration file.

Requested by:	green
1999-07-16 15:41:14 +00:00
green
9560f2b198 This is the working internal ident service. Turn it on by setting
the make variable REAL_IDENT, and ~/.fakeid support can be added
with FAKEID set. Note that the default behavior is the same as
the old behavior.
1999-07-15 01:34:02 +00:00
ache
445bc1259b Due to recent pidentd port changes (switch to sysctl), identd must be
run as root again, not kmem:kmem
1999-07-15 01:06:13 +00:00
dillon
557d938d62 comsat sandbox prevents biff/comsat from being able to print partial
mailbox contents.  comsat instead simply prints that new mail is
available.  Add appropriate comment to inetd.conf but leave comsat in
sandbox.
1998-12-01 22:01:59 +00:00
dillon
dd3c1b5f96 Added group bind(53), added sandbox users tty(4), kmem(5), and bind(53),
adjusted inetd.conf to run comsat and ntalk from tty sandbox, and
the (commented out) ident from the kmem sandbox.

Note that it is necessary to give each group access its own uid to
prevent programs running under a single uid from being able to gdb
or otherwise mess with other programs (with different group perms) running
under the same uid.
1998-12-01 21:19:49 +00:00
phk
bb11f17d51 Add example for the internal "ident server". 1998-11-04 19:42:35 +00:00
wosch
31d07cd031 Limit the fingerd daemon to:
run only 3 simultaneous fingerd processes and
limit the connections-per-ip-per-minute to 10.
1998-09-30 16:12:40 +00:00
brian
387abc60ff Add Id keywords 1998-09-02 01:34:57 +00:00
markm
1a6e7e5848 Clean up the kerberos entries, and add example CVS entries 1998-08-15 17:32:27 +00:00
hoek
43d214a191 MFC: sample qmail entry. 1998-07-18 20:01:03 +00:00
jkh
4e4a882344 Restore the Samba entries which were spammed when someone added
the imap4 entry.
1997-09-28 22:25:29 +00:00
ache
cf438dc102 Add commented out example entry for imap4 1997-01-12 17:55:16 +00:00
peter
0a257647ab The kerberised network services should only be active in inetd.conf
if kerberos is installed.  So far as I'm aware, kerberos aware clients
detect ECONNREFUSED and (if allowed) fall back to the non-kerberos
servers.  They do not know how to interpret messages such as
"rlogind: unknown option -k".

I believe Garrett also mentioned this.

Unfortunately, this adds an extra step to bringing up kerberos.

It also stops /var/log/messages getting quite so many useless (and
confusing) error messages when somebody does a port scan on you.
1996-11-10 13:06:14 +00:00
pst
3a785907a3 In the brave new world, that that does not make us strong, kills us.
Turn OFF the "small servers" by default.  FreeBSD systems should only
serve actively used programs.  Jewels like chargen and echo are too
useful in attack scenarios.
1996-10-02 03:52:58 +00:00
phk
166676b019 Add commented out example for bootps 1996-09-19 08:19:25 +00:00
graichen
33c5bdb9ab changed /etc/[daily,weekly,monthly] to not rotate the logfiles by
"hand", changed /etc/crontab to call /usr/sbin/newsyslog every hour
(the entry was there before - but we haven't had any newsyslog until
today :-) and changed /etc/inetd.conf to also contain (commented out)
entries for rpc.rquotad and rpc.sprayd (taken from NetBSD)
1996-01-05 10:09:13 +00:00
joerg
7bbaffb06a Add /tftpboot as an argument to the commented-out example for tftp, so
people don't compromise their system by blindly un-commenting the
entry.
1995-12-23 17:12:49 +00:00
gibbs
fff68644b8 inetd.conf:
Add rkinit at 2108/tcp.

services:
Add rkinitd.
1995-09-15 22:02:06 +00:00
ache
4c0fc42609 Restore tabs in inetd line
Submitted by:
Obtained from:
1995-07-29 22:22:08 +00:00
ache
91068e770d Rename in.identd -> identd according to the recent ports rename 1995-07-27 23:56:43 +00:00
ache
1def5e1133 Add ident (commented out) 1995-04-08 16:21:45 +00:00
wollman
1edc2b89b7 Disable UDP echo, chargen, date, and daytime services. 1994-12-21 20:32:44 +00:00
ache
62df3ff3bf Uncomment uucpd by default, it is working and secure now 1994-12-19 01:11:19 +00:00
ats
f8fe134136 Change the example line for popper to point to /usr/local/libexec/popper
instead of /usr/local/etc/popper. The 2.0 installation installs it there.
1994-11-18 20:01:21 +00:00
pst
44fa065838 Secure fingerd by default 1994-09-29 09:58:07 +00:00
pst
8f24a60e02 Disable rexecd by default (major security hole) 1994-09-29 09:20:40 +00:00
pst
67a603f237 Add an entry for pcnfsd (commented out) 1994-09-28 17:09:38 +00:00
wollman
2fc5eb3a37 Added comment about registerd and kpasswdd not working in 1.x.
Deleted commented-out line which would start mountd; that's not
the right place to do it (don't confuse the users).
Should probably have uncommented rpc.rstatd, but didn't.
1994-06-13 22:41:04 +00:00
ache
6c64af0e2d Comment out uucpd, not properly configured as default
Comment out walld/rusersd/rstatd, may be too verbose
1994-05-31 17:55:38 +00:00
ache
35f3f7b273 Uncomment uucpd, now it works
Uncomment rstatd/rusersd/rwalld all three worked
mountd still commented out, I remember some problem with it
1994-05-31 04:48:49 +00:00
ats
4556f1260d Added entries for sup into services.
Added an example entry for the pop3 popper into inetd.conf as a comment.
1993-12-05 16:39:47 +00:00
rgrimes
e6583ac1c8 Change space to tab in ruserd line per Guido van Rooij 1993-10-21 17:34:32 +00:00
rgrimes
2b3bba7d0e Disable rpc services so that inetd no longer hangs when you are not
running portmapper.  These are site specific functionality and should only
be enabled for sites that want them, not by default.

These services REQUIRE portmapper to be running
1993-10-13 06:32:06 +00:00
jtc
b4519e3028 Entries so RPC servers are started. 1993-09-23 17:41:08 +00:00
rgrimes
3e9bf738cf Added /etc/networks to the files that get installed, somehow it got
dropped out of the Makefile.  Commented out talk in inetd.conf since
it refers to the old non-existent otalkd.
1993-09-02 11:10:02 +00:00
rgrimes
241ccdeaf3 Initial import of 386BSD 0.1 othersrc/etc 1993-06-20 13:41:45 +00:00