Commit Graph

72 Commits

Author SHA1 Message Date
obrien
c3fa754b3f Re-add lukemftpd. It has: PAM, MAC, per-class nologin files,
login.conf resource limits and features.
2006-08-31 17:15:10 +00:00
ceri
c06055baa8 The rpc.pcnfsd server was in the base for a little over seven minutes
back in 1994.  Change the example entry to point at the port, as per
the entries for uucpd et al.
2006-02-05 19:23:05 +00:00
nectar
a23214e059 Remove rexecd(8), a server that implements a particularly insecure
method of executing commands remotely.  There are no rexec clients in
the FreeBSD tree, and the client function rexec(3) is present only in
libcompat.  It has been documented as "obsolete" since 4.3BSD, and its
use has been discouraged in the man page for over 10 years.
2005-06-10 20:52:36 +00:00
schweikh
91f34482ca Removed whitespace at BOF, EOL & EOF.
2004-06-06 11:46:29 +00:00
mlaier
7f9c2ff639 Style:
- do not comment out entries in newsyslog.conf
- use tabs to line up inetd.conf

Requested by:	bde
Approved by:	bms(mentor)
2004-04-03 17:52:29 +00:00
des
43f880ead7 Turn on logging for tftpd.
2004-03-11 22:15:28 +00:00
mlaier
6288f397f9 ftp-proxy no longer lives in /usr/local/...
Noticed by:	Pyun YongHyeon
Approved by:	bms(mentor)
2004-03-10 15:06:17 +00:00
ale
fe0800a349 Fix typos.
Approved by:	blackend (mentor/implicitly)
2004-03-08 23:18:50 +00:00
mlaier
6be47b725d Link pf to the build and install:
This adds the former ports registered groups: proxy and authpf as well as
the proxy user. Make sure to run mergemaster -p in order to complete make
installworld without errors.

This also provides the passive OS fingerprints from OpenBSD (pf.os) and an
example pf.conf.

For those who want to go without pf; it provides a NO_PF knob to make.conf.

__FreeBSD_version will be bumped soon to reflect this and to be able to
change ports accordingly.

Approved by:	bms(mentor)
2004-03-08 22:03:29 +00:00
markm
7c32cdbb93 Bit of modernising. Remove old KerberosIV entries, add example
sshd entries, sort internal services the same as everywhere
else.
2003-06-09 21:04:30 +00:00
yar
eb27dda81d Since FreeBSD has never had a stock NNTP server, move the nntp line
down to the section of optional mail/news services.  Change the nntpd
location to /usr/local/libexec since it's optional software.

Henceforth, nntpd will be advised to run as "news", which is a
standard user in the system, instead of "usenet", which has never
existed in the default master.passwd(5).
Note: It's not "news:news" since inetd(8) runs a service at the
specified user's login group by default.

Add a blank comment line above the uucpd line so the section looks uniform.

Partly pointed out by:	Alexey Neyman <alex.neyman at auriga.ru>
MFC after:		1 week
2003-06-06 08:54:29 +00:00
obrien
5a20d2febf [DAVID O'BRIEN's OPINION]
Head off what I think is an abuse of the TRB, and disable lukemftpd.
2002-11-12 17:31:12 +00:00
obrien
b24557e6f0 Tweak the warning language.
2002-10-29 08:41:12 +00:00
rwatson
25c64c35f4 # WARNING: lukemftpd does not support PAM, MAC, per-class nologin files,
# or any login.conf resource limits or features; use it only if this is
# appropriate for your environment.  If you require these features, use
# the regular FreeBSD ftpd below.

Discourage users from using lukemftpd if they rely on any of these standard
FreeBSD features that are fully supported by our native ftpd.  There
may be other features that are not yet supported that I have not yet
discovered.
2002-10-24 15:46:10 +00:00
gordon
07b40589c7 Correct comment. We use rpcbind now, not portmap
Submitted by:	Mike Makonnen <makonnen@pacbell.net>
2002-08-09 17:34:13 +00:00
ume
a9a33dfb17 Add an IPv6 sample line for tftpd.
MFC after:	2 weeks
2002-04-11 17:17:28 +00:00
obrien
6e00963ef6 Add a sample line for lukemftp.
2002-03-26 19:54:12 +00:00
dd
43a9719eeb In the words of the submitter:
Kerberized CVS (kserver) listens on the same port as normal CVS
(pserver).  In /etc/inetd.conf cvs kserver is disabled by default,
but set to listen to the service port 'cvs' which doesn't exist.  It
should listen to 'cvspserver'.

PR:		34317
Submitted by:	Sean Chittenden <sean@chittenden.org>
2002-03-09 04:55:35 +00:00
maxim
314e99cda2 Fix a typo in swat example.
Spotted by:	Sergey Osokin <osa@freebsd.org.ru>
Reviewed by:	ru
Approved by:	ru
MFC after:	1 week
2002-02-13 08:21:45 +00:00
obrien
009e6f2073 Chroot to /tftpboot for tftp.
Reviewed by:	mdodd, peter
2001-10-22 01:46:53 +00:00
obrien
c08ea910e4 Fix tabbing damage in last commit.
2001-10-10 17:26:27 +00:00
jkh
6f03352a6e Add commented-out/prototype entries for samba's swat configuration tool.
Requested by:	"William Wong" <willwong@samurai.com>
MFC after:	1 week
2001-10-03 05:30:56 +00:00
kris
95c83a036d Move the uucpd entry down a bit to live with other optional services
and correct the path to /usr/local as an example.

Submitted by:	ru
2001-10-01 09:16:42 +00:00
rwatson
4f9a35a47b Default to disabling all inetd.conf entries, in particular, telnetd
and ftpd.  This more conservative default reduces the exposure of
freshly installed machines, which is especially valuable for machines
that receive minimal further configuration before being put into
production.  Generally speaking, SSH has superseded the use of both
telnet and ftp in many environments.  In light of recent remotely
exploitable security holes in both telnetd and ftpd, this choice
retains flexibility (both telnetd and ftpd daemons remain installed
and easily enableable) while protecting users who don't need the
additional risk.  This change brings our configuration into line with
the majority of other UNIX vendors, including OpenBSD and NetBSD.

To address the concerns of those requiring remote access via telnet
from first install, changes will shortly be committed to sysinstall
to provide the ability to edit inetd.conf during the installation
process, allowing telnetd and ftp to be re-enabled during the
installation process.

While I'm at it, slightly improve commenting for inetd.conf so that
it's more clear to users how to enable and disable services.
Further commenting to indicate the functions of various columns would
probably also be useful.

Reviewed by:	imp, chris, jake, nate, -arch, -stable
2001-08-02 02:19:56 +00:00
peter
4a1d0730d3 Integrate the IPv6 entries with the rest of them to avoid things getting
out of sync.  A similar change was made by itojun on the OpenBSD tree
a few weeks ago.  This should stop people disabling one server and
forgetting the other one (eg: ftp and/or telnet)
2001-03-30 10:25:40 +00:00
kris
9753316e35 Disable rsh and rlogin by default. ssh and telnet are still available for
remote access on default installations.
2000-10-04 07:56:16 +00:00
jkh
01476c6091 Turn fingerd OFF by default. Comparative essentials like telnetd
are bad enough, but finger is hardly a critical system service and
it's traditionally been vulnerable to a variety of attacks; anybody
remember RTFM and his worm?
2000-10-03 00:08:15 +00:00
jhb
c51ef0a20c Fix a misspelling in the comments for the IPv6 auth service and change them
to more closely resemble those in the IPv4 section.
2000-03-25 21:17:24 +00:00
shin
ad31bfc5ee Fix a typo. (s/eExample/Example/)
Submitted by: Robert Muir <rmuir@looksharp.net>
2000-03-05 20:23:44 +00:00
shin
23e5b71734 Add IPv6 services into inetd.conf.
Also enable some standard IPv6 apps by default.
These entries will be simply ignored on systems with no INET6 defined.

Approved by: jkh
Suggested by: peter
2000-02-27 18:39:34 +00:00
dbaker
adefa8db94 Include a note below the example qmail entry that mentions that inetd is
no longer the correct way to have qmail handle incoming qmail smtp
connections.  Also provide a url to the correct method.
2000-01-10 20:02:28 +00:00
peter
3e1f24ecce Update the cvs pserver example so that it gives some more obvious clues
about the --allow-root switch.

PR:		14463
1999-12-26 15:18:58 +00:00
peter
289c0d262f $Id$ -> $FreeBSD$
1999-08-27 23:37:10 +00:00
green
42edab1b9c Add -n to the example and explanation of the internal auth service.
1999-07-24 17:19:54 +00:00
sheldonh
6a0edb4a00 Document the -o and -t options to the internal auth service and give an
example of their usage in the sample config. Merge the two examples
for the green internal auth service.

This commit failed the first time around because Brian beat me to the
punch on inetd.8. I like my descriptions better and I'm pretty sure
Brian won't mind.
1999-07-23 15:49:34 +00:00
green
1ea4440a32 I think the last revision got lost here. Identd needs to be run as root,
at least for now. I relegated the getcred sysctls to only root, but if
they're deemed to be "allowable" to export to users, I'll do so and
revert this change.
1999-07-16 16:24:13 +00:00
sheldonh
b311ebd0a0 Document the new {auth,ident,tap} service and provide examples in the
configuration file.

Requested by:	green
1999-07-16 15:41:14 +00:00
green
9560f2b198 This is the working internal ident service. Turn it on by setting
the make variable REAL_IDENT, and ~/.fakeid support can be added
with FAKEID set. Note that the default behavior is the same as
the old behavior.
1999-07-15 01:34:02 +00:00
ache
445bc1259b Due to recent pidentd port changes (switch to sysctl), identd must be
run as root again, not kmem:kmem
1999-07-15 01:06:13 +00:00
dillon
557d938d62 comsat sandbox prevents biff/comsat from being able to print partial
mailbox contents.  comsat instead simply prints that new mail is
available.  Add appropriate comment to inetd.conf but leave comsat in
sandbox.
1998-12-01 22:01:59 +00:00
dillon
dd3c1b5f96 Added group bind(53), added sandbox users tty(4), kmem(5), and bind(53),
adjusted inetd.conf to run comsat and ntalk from tty sandbox, and
the (commented out) ident from the kmem sandbox.

Note that it is necessary to give each group access its own uid to
prevent programs running under a single uid from being able to gdb
or otherwise mess with other programs (with different group perms) running
under the same uid.
1998-12-01 21:19:49 +00:00
phk
bb11f17d51 Add example for the internal "ident server".
1998-11-04 19:42:35 +00:00
wosch
31d07cd031 Limit the fingerd daemon to:
run only 3 simultaneous fingerd processes and
limit the connections-per-ip-per-minute to 10.
1998-09-30 16:12:40 +00:00
brian
387abc60ff Add Id keywords
1998-09-02 01:34:57 +00:00
markm
1a6e7e5848 Clean up the kerberos entries, and add example CVS entries
1998-08-15 17:32:27 +00:00
hoek
43d214a191 MFC: sample qmail entry.
1998-07-18 20:01:03 +00:00
jkh
4e4a882344 Restore the Samba entries which were spammed when someone added
the imap4 entry.
1997-09-28 22:25:29 +00:00
ache
cf438dc102 Add commented out example entry for imap4
1997-01-12 17:55:16 +00:00
peter
0a257647ab The kerberised network services should only be active in inetd.conf
if kerberos is installed.  So far as I'm aware, kerberos aware clients
detect ECONNREFUSED and (if allowed) fall back to the non-kerberos
servers.  They do not know how to interpret messages such as
"rlogind: unknown option -k".

I believe Garrett also mentioned this.

Unfortunately, this adds an extra step to bringing up kerberos.

It also stops /var/log/messages getting quite so many useless (and
confusing) error messages when somebody does a port scan on you.
1996-11-10 13:06:14 +00:00
pst
3a785907a3 In the brave new world, that that does not make us strong, kills us.
Turn OFF the "small servers" by default.  FreeBSD systems should only
serve actively used programs.  Jewels like chargen and echo are too
useful in attack scenarios.
1996-10-02 03:52:58 +00:00