path: root/etc/inetd.conf
author: rwatson <rwatson@FreeBSD.org> 2001-08-02 02:19:56 +0000
committer: rwatson <rwatson@FreeBSD.org> 2001-08-02 02:19:56 +0000
commit: 4f9a35a47bfc7ab2e2bd6a15305928d80f80536c (patch)
tree: aea9c0182b17935cecde3b1058c6d1c69dad15ee /etc/inetd.conf
parent: c0c3e98f4e95e8f67f05ba234c31e59f26ae03d2 (diff)
Default to disabling all inetd.conf entries, in particular, telnetd and ftpd. This more conservative default reduces the exposure of freshly installed machines, which is especially valuable for machines that receive minimal further configuration before being put into production.

Generally speaking, SSH has superseded the use of both telnet and ftp in many environments. In light of recent remotely exploitable security holes in both telnetd and ftpd, this choice retains flexibility (both telnetd and ftpd daemons remain installed and easily enableable) while protecting users who don't need the additional risk. This change brings our configuration into line with the majority of other UNIX vendors, including OpenBSD and NetBSD.

To address the concerns of those requiring remote access via telnet from first install, changes will shortly be committed to sysinstall to provide the ability to edit inetd.conf during the installation process, allowing telnetd and ftp to be re-enabled during the installation process.

While I'm at it, slightly improve commenting for inetd.conf so that it's more clear to users how to enable and disable services. Further commenting to indicate the functions of various columns would probably also be useful.

Reviewed by: imp, chris, jake, nate, -arch, -stable
Diffstat (limited to 'etc/inetd.conf')
-rw-r--r-- etc/inetd.conf | 21
1 files changed, 13 insertions, 8 deletions
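The commit message above describes the enable/disable convention for inetd.conf (a leading `#` turns an entry off). As an added example that is not part of the FreeBSD commit, the script below reads an inetd.conf, lists the entries that are actually enabled, and flags the legacy cleartext services (ftp, telnet and the r-services) so a freshly installed host can be checked against the new default. The sample configuration is constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not part of the FreeBSD commit: audit an inetd.conf for
# services that are actually enabled (uncommented lines) and flag the
# cleartext daemons this commit turns off by default.

# Constructed sample in the post-commit layout; one ftp entry and comsat
# are deliberately left enabled so the check has something to find.
SAMPLE_CONF='#
# Internet server configuration database
#
# Define *both* IPv4 and IPv6 entries for dual-stack support.
#ftp     stream  tcp     nowait  root    /usr/libexec/ftpd       ftpd -l
ftp      stream  tcp6    nowait  root    /usr/libexec/ftpd       ftpd -l
#telnet  stream  tcp     nowait  root    /usr/libexec/telnetd    telnetd
#telnet  stream  tcp6    nowait  root    /usr/libexec/telnetd    telnetd
#shell   stream  tcp     nowait  root    /usr/libexec/rshd       rshd
comsat   dgram   udp     wait    tty:tty /usr/libexec/comsat     comsat
#ntalk   dgram   udp     wait    tty:tty /usr/libexec/ntalkd     ntalkd
#tftp    dgram   udp     wait    nobody  /usr/libexec/tftpd      tftpd /tftpboot
'

# Read an inetd.conf on stdin and print each enabled entry as
# "service protocol user program". inetd.conf column order is:
#   service  socket-type  protocol  wait/nowait  user[:group]  program  args
enabled_services() {
    sed -e 's/#.*$//' -e '/^[[:space:]]*$/d' |
        awk '{ print $1, $3, $5, $6 }'
}

# ftp and telnet are what the commit disables (SSH supersedes them); shell,
# login and exec are the r-services already commented out in the file.
# Prints each offender and exits 1 if any of them is enabled.
check_legacy() {
    enabled_services | awk '
        $1 == "ftp" || $1 == "telnet" || $1 == "shell" ||
        $1 == "login" || $1 == "exec" {
            print "LEGACY SERVICE ENABLED:", $0; bad = 1
        }
        END { exit bad }'
}

# Stand-alone run against the constructed sample
# (real use: check_legacy < /etc/inetd.conf).
printf '%s' "$SAMPLE_CONF" | check_legacy || echo "review the entries above"
```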
diff --git a/etc/inetd.conf b/etc/inetd.conf
index a4d3953..2a06f4d 100644
--- a/etc/inetd.conf
+++ b/etc/inetd.conf
@@ -2,12 +2,14 @@
#
# Internet server configuration database
#
-# define *both* IPv4 and IPv6 entries for dual-stack support.
-#
-ftp stream tcp nowait root /usr/libexec/ftpd ftpd -l
-ftp stream tcp6 nowait root /usr/libexec/ftpd ftpd -l
-telnet stream tcp nowait root /usr/libexec/telnetd telnetd
-telnet stream tcp6 nowait root /usr/libexec/telnetd telnetd
+# Define *both* IPv4 and IPv6 entries for dual-stack support.
+# To disable a service, comment it out by prefixing the line with '#'.
+# To enable a service, remove the '#' at the beginning of the line.
+#
+#ftp stream tcp nowait root /usr/libexec/ftpd ftpd -l
+#ftp stream tcp6 nowait root /usr/libexec/ftpd ftpd -l
+#telnet stream tcp nowait root /usr/libexec/telnetd telnetd
+#telnet stream tcp6 nowait root /usr/libexec/telnetd telnetd
#shell stream tcp nowait root /usr/libexec/rshd rshd
#shell stream tcp6 nowait root /usr/libexec/rshd rshd
#login stream tcp nowait root /usr/libexec/rlogind rlogind
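Review bot: the new "To enable a service, remove the '#'" instruction does not say that a service now has two commented lines (the `tcp` and `tcp6` entries) and that dual-stack operation needs both uncommented; a user following the instruction literally will enable ftp or telnet on one address family only. Suggest folding that into the preceding "Define *both*" sentence, e.g. "To enable a service, remove the '#' from both its tcp and tcp6 lines." The commit message also says a per-column legend would be useful; this header block is the natural place for a one-line comment naming the columns (service, socket type, protocol, wait/nowait, user, program, arguments).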
@@ -17,10 +19,13 @@ telnet stream tcp6 nowait root /usr/libexec/telnetd telnetd
#exec stream tcp nowait root /usr/libexec/rexecd rexecd
#uucpd stream tcp nowait root /usr/libexec/uucpd uucpd
#nntp stream tcp nowait usenet /usr/libexec/nntpd nntpd
+#
# run comsat as root to be able to print partial mailbox contents w/ biff,
# or use the safer tty:tty to just print that new mail has been received.
-comsat dgram udp wait tty:tty /usr/libexec/comsat comsat
-ntalk dgram udp wait tty:tty /usr/libexec/ntalkd ntalkd
+#comsat dgram udp wait tty:tty /usr/libexec/comsat comsat
+#
+# ntalk is required for the 'talk' utility to work correctly
+#ntalk dgram udp wait tty:tty /usr/libexec/ntalkd ntalkd
#tftp dgram udp wait nobody /usr/libexec/tftpd tftpd /tftpboot
#bootps dgram udp wait root /usr/libexec/bootpd bootpd
#
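Review bot: the existing comsat comment ("run comsat as root to be able to print partial mailbox contents w/ biff, or use the safer tty:tty") now sits above an entry that is commented out, so it reads as advice about a running service rather than telling the user that biff requires uncommenting the comsat line first; the new ntalk remark has the right shape and the comsat comment could be reworded to match. The bare `#` separators added around comsat and ntalk are fine for readability, but the tftp and bootps entries that follow get none, so the grouping ends up inconsistent.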