Re: Is inetd needed on a web server + PostgreSQL?

2006-11-09 Thread Joachim Schipper
On Tue, Nov 07, 2006 at 01:23:17PM +0100, Alexander Farber wrote:
 On 11/7/06, Stuart Henderson [EMAIL PROTECTED] wrote:
 On 2006/11/07 12:36, Alexander Farber wrote:
  Do you think I still need to run inetd? I've looked through the
  /etc/inetd.conf and there are only 2 time services + ident. I think
  I don't need those 3 services either (my PostgreSQL listens only
  to the /var/www/tmp/.s.PGSQL.5432 file).
 
  So do you think I could switch inetd down or do I miss something?
 
 If you're looking to increase security, it's probably better to spend
 your time looking for some alternative to phpBB (or keeping a close eye
 on access_log irregularities and security fixes).
 
 No, not security - just to save some memory + CPU

inetd consumes no CPU after startup unless it actually is used, and no
measurable amount of memory. Disabling it doesn't hurt, but it doesn't
help either.

  And also, do I need these getty processes if I only use ssh and serial
  console?
 
 What's the benefit? Someone with physical access can't login at the
 console? (but they can do that anyway, by rebooting the box into
 single-user mode). The only thing I can see this doing is causing extra
 pain if there's a problem.
 
 My root-server costs me only 20 Euro/month. For that money no
 support will ever login into it from console and they support only
 Linux anyway (I've installed OpenBSD remotely by dd if=floppy40.fs
 of=/dev/hda)
 
 I'm just asking here about the getty processes, so that I don't lock
 myself out and have to reinstall everything from scratch.

You could probably make do without getty, but why? Again, they take no
CPU after startup and no measurable amount of memory. And if you ever do
have to get the box going after you've somehow shot ssh (and it's not
like that isn't going to happen at some point), they might be very
useful.

I suppose you *do* have some sort of 'serial console' access? It's not
really SSH-only, I hope? (This would make installs, upgrades, and
attempts at repair very, very painful.)

Joachim
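Joachim's reply settles the cost question (inetd and getty sit idle until something uses them) but leaves the actual audit to the reader: which inetd services are really enabled, and which ttys(5) entries are marked on. The script below is an added example, not code from the thread, from OpenBSD or from either poster. It parses constructed sample copies of /etc/inetd.conf and /etc/ttys (modelled on the OpenBSD 4.0 defaults, with ttyC0-3, ttyC5 and the serial tty00 on, as in Alexander's process list), is read-only, and ends with the check Joachim's warning calls for: that the serial console getty is still on before any other getty is touched. The function names and the sample contents are this example's own.

```shell
#!/bin/sh
# Added example, not from the thread: read-only audit of which inetd(8)
# services and which ttys(5) getty entries are enabled. The sample files
# below are constructed for the demo and only modelled on OpenBSD defaults.

# inetd_active_services FILE: print each enabled inetd.conf(5) entry as
# "service socktype proto program". Comment and blank lines are not services.
inetd_active_services() {
    awk '
        /^[ \t]*#/ || NF < 6 { next }   # comment, blank, or malformed entry
        { print $1, $2, $3, $6 }        # service, socket type, protocol, program
    ' "$1"
}

# ttys_enabled FILE: print each ttys(5) entry whose status is "on" as
# "tty type command". The getty command is the double-quoted field, so the
# line is split on the quote character: $1 = name, $2 = command, $3 = rest.
ttys_enabled() {
    awk -F'"' '
        /^[ \t]*#/ || NF < 3 { next }   # comment, blank, or no quoted command
        {
            tty = $1;  sub(/[ \t]+$/, "", tty)
            rest = $3; sub(/^[ \t]+/, "", rest)
            n = split(rest, f, /[ \t]+/) # f[1] = terminal type, f[2] = status
            if (n >= 2 && f[2] == "on") print tty, f[1], $2
        }
    ' "$1"
}

# serial_console_kept FILE [TTY]: succeed only if the serial console getty
# (tty00 unless given) is still on, so an out-of-band login path remains
# once ssh breaks, which is the failure Joachim warns about.
serial_console_kept() {
    ttys_enabled "$1" | awk -v dev="${2:-tty00}" '$1 == dev { found = 1 } END { exit !found }'
}

SAMPLE_DIR=$(mktemp -d)
INETD_SAMPLE="$SAMPLE_DIR/inetd.conf"
TTYS_SAMPLE="$SAMPLE_DIR/ttys"

# Constructed sample: three enabled services, as in the thread (ident plus
# the two time services); comsat and ftp are commented out.
cat > "$INETD_SAMPLE" <<'EOF'
# service   socktype proto   wait    user     program              args
ident       stream   tcp     nowait  _identd  /usr/libexec/identd  identd -el
#127.0.0.1:comsat dgram udp  wait    root     /usr/libexec/comsat  comsat
daytime     stream   tcp     nowait  root     internal
time        stream   tcp     nowait  root     internal
#ftp        stream   tcp     nowait  root     /usr/libexec/ftpd    ftpd -US
EOF

# Constructed sample: ttyC0-3, ttyC5 and the serial tty00 are on, matching
# the getty processes in Alexander's ps output; ttyC4 and tty01 are off.
cat > "$TTYS_SAMPLE" <<'EOF'
# name   getty                           type     status  flags
console  "/usr/libexec/getty Pc"         vt220    off     secure
ttyC0    "/usr/libexec/getty Pc"         vt220    on      secure
ttyC1    "/usr/libexec/getty Pc"         vt220    on      secure
ttyC2    "/usr/libexec/getty Pc"         vt220    on      secure
ttyC3    "/usr/libexec/getty Pc"         vt220    on      secure
ttyC4    "/usr/libexec/getty Pc"         vt220    off     secure
ttyC5    "/usr/libexec/getty Pc"         vt220    on      secure
tty00    "/usr/libexec/getty std.57600"  unknown  on      secure
tty01    "/usr/libexec/getty std.9600"   unknown  off
EOF

echo "inetd services still enabled:"
inetd_active_services "$INETD_SAMPLE"
echo "ttys(5) entries marked on:"
ttys_enabled "$TTYS_SAMPLE"
if serial_console_kept "$TTYS_SAMPLE"; then
    echo "tty00 getty is on: serial console login stays available"
else
    echo "WARNING: no getty on tty00; a broken sshd would leave no login path"
fi
```

On OpenBSD a getty is stopped by changing its status field in /etc/ttys from on to off and sending init a SIGHUP (kill -HUP 1) so it rereads the file; inetd is kept out of the boot sequence with inetd=NO in /etc/rc.conf.local. The functions above change nothing, which is the point: run them against the real files, confirm tty00 stays on, and only then edit.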



Is inetd needed on a web server + PostgreSQL?

2006-11-07 Thread Alexander Farber

Hello,

I have a small web server (OpenBSD 4.0 stable) running phpBB with PostgreSQL.
Then there is sshd @ port 443 and default sendmail @ localhost.25.

Do you think I still need to run inetd? I've looked through the
/etc/inetd.conf and there are only 2 time services + ident. I think
I don't need those 3 services either (my PostgreSQL listens only to
the /var/www/tmp/.s.PGSQL.5432 file).

So do you think I could switch inetd down or do I miss something?

And also, do I need these getty processes if I only use ssh and serial console?

root 22089  0.0  0.1   212   556 C0  Is+  Fri10AM  0:00.01 /usr/libexec/getty Pc ttyC0
root 15055  0.0  0.1   296   548 C1  Is+  Fri10AM  0:00.00 /usr/libexec/getty Pc ttyC1
root 11962  0.0  0.1   248   548 C2  Is+  Fri10AM  0:00.00 /usr/libexec/getty Pc ttyC2
root 31899  0.0  0.1   368   532 C3  Is+  Fri10AM  0:00.00 /usr/libexec/getty Pc ttyC3
root  4805  0.0  0.1   224   552 C5  Is+  Fri10AM  0:00.01 /usr/libexec/getty Pc ttyC5

Could you please tell me, where to switch them off? (I've searched in
man -k tty)

Thank you
Alex

PS: Here is my pf.conf and the list of processes (which I'd like to
reduce a bit):

$ sudo cat /etc/pf.conf

ext_if = fxp0
priv_nets = { 127/8 192.168/16 172.16/12 10/8 }
allow_ports = { www https }

set loginterface $ext_if

scrub in

block in log
pass out keep state
set skip on lo

antispoof quick for $ext_if

block quick on $ext_if from $priv_nets
block quick log on $ext_if to $priv_nets

# don't allow PHP-worms to propagate
block out quick log on $ext_if proto { tcp, udp } all user www

pass in on $ext_if proto tcp from any to $ext_if port $allow_ports keep state


$ ps uax
USER          PID %CPU %MEM   VSZ   RSS TT   STAT STARTED     TIME COMMAND
root            1  0.0  0.1   468   332 ??   Ss   Fri10AM  0:00.02 /sbin/init
root        29156  0.0  0.1   372   524 ??   Is   Fri10AM  0:00.01 syslogd: [priv] (syslogd)
_syslogd    10485  0.0  0.1   400   528 ??   S    Fri10AM  0:00.73 syslogd -a /var/empty/dev/log
root        16401  0.0  0.1   392   392 ??   Is   Fri10AM  0:00.02 pflogd: [priv] (pflogd)
_pflogd      5650  0.0  0.1   460   336 ??   S    Fri10AM  0:12.33 pflogd: [running] -s 116 -f /var/log/pflog (pflogd)
root        31027  0.0  0.1   284   628 ??   Is   Fri10AM  0:00.02 inetd
root         3513  0.0  0.1   520   688 ??   Ss   Fri10AM  0:00.76 cron
_postgresql 29103  0.0  0.7  2280  3564 ??   S    Fri10AM  0:30.20 postmaster: writer process(postgres)
_postgresql 23152  0.0  0.3  3296  1704 ??   S    Fri10AM  0:01.05 postmaster: stats buffer process(postgres)
_postgresql 16977  0.0  0.2  2344  1084 ??   I    Fri10AM  0:01.37 postmaster: stats collector process(postgres)
root        30114  0.0  0.3  1192  1764 ??   Ss   Fri10AM  0:11.32 sendmail: accepting connections (sendmail)
_postgresql 10976  0.0  0.7  2984  3732 ??   I     8:41AM  0:00.02 postmaster: phpbb phpbb [local] idle (postgres)
root        15676  0.0  0.2   492  1180 ??   Is   10:10AM  0:00.16 /usr/sbin/sshd
root        29248  0.0  0.4  3184  2184 ??   Is   10:17AM  0:00.09 sshd: afarber [priv] (sshd)
afarber     32251  0.0  0.3  3188  1464 ??   S    10:17AM  0:00.76 sshd: [EMAIL PROTECTED] (sshd)
www         19705  0.0  1.2  2736  6080 ??   Ss   11:52AM  0:00.21 httpd: parent [chroot /var/www] (httpd)
www         14868  0.0  1.0  3036  5004 ??   I    11:52AM  0:00.81 httpd: child (httpd)
www         23367  0.0  0.9  3008  4936 ??   I    11:52AM  0:00.73 httpd: child (httpd)
www          2800  0.0  1.0  3068  5068 ??   I    11:52AM  0:00.71 httpd: child (httpd)
www         14936  0.0  1.0  3064  5020 ??   I    11:52AM  0:00.83 httpd: child (httpd)
www         32295  0.0  0.9  3020  4912 ??   I    11:52AM  0:00.71 httpd: child (httpd)
www         13521  0.0  0.9  3012  4956 ??   I    11:53AM  0:00.41 httpd: child (httpd)
www         10874  0.0  0.9  3032  4932 ??   I    11:55AM  0:00.59 httpd: child (httpd)
afarber      4852  0.0  0.1   460   512 p0   Is+  10:17AM  0:00.07 -ksh (ksh)
afarber     31856  0.0  0.1   460   480 p1   Is    8:40AM  0:00.01 /bin/ksh
afarber     17658  0.0  0.0   364   228 p3   R+   12:30PM  0:00.00 ps -uax
_postgresql 22404  0.0  0.6  2288  2916 00-  I    Fri10AM  0:02.49 /usr/local/bin/postmaster -D /var/postgresql/data -D /var/postgresql/data
root         3374  0.0  0.1   264   548 00   Is+  Fri10AM  0:00.01 /usr/libexec/getty std.57600 tty00
root        22089  0.0  0.1   212   556 C0   Is+  Fri10AM  0:00.01 /usr/libexec/getty Pc ttyC0
root        15055  0.0  0.1   296   548 C1   Is+  Fri10AM  0:00.00 /usr/libexec/getty Pc ttyC1
root        11962  0.0  0.1   248   548 C2   Is+  Fri10AM  0:00.00 /usr/libexec/getty Pc ttyC2
root        31899  0.0  0.1   368   532 C3   Is+  Fri10AM  0:00.00 /usr/libexec/getty Pc ttyC3
root         4805  0.0  0.1   224   552 C5   Is+  Fri10AM  0:00.01 /usr/libexec/getty Pc ttyC5

$ netstat -a | grep LISTEN | grep -vw tcp6
tcp0  0  *.www  *.*

Re: Is inetd needed on a web server + PostgreSQL?

2006-11-07 Thread Stuart Henderson
On 2006/11/07 12:36, Alexander Farber wrote:
 I have a small web server (OpenBSD 4.0 stable) running phpBB with PostgreSQL.

 Do you think I still need to run inetd? I've looked through the
 /etc/inetd.conf and there are only 2 time services + ident. I think
 I don't need those 3 services either (my PostgreSQL listens only
 to the /var/www/tmp/.s.PGSQL.5432 file).
 
 So do you think I could switch inetd down or do I miss something?

If you're looking to increase security, it's probably better to spend
your time looking for some alternative to phpBB (or keeping a close eye
on access_log irregularities and security fixes).

 And also, do I need these getty processes if I only use ssh and serial console?

What's the benefit? Someone with physical access can't login at the
console? (but they can do that anyway, by rebooting the box into
single-user mode). The only thing I can see this doing is causing extra
pain if there's a problem.

You didn't mention disabling PasswordAuthentication in sshd, that's
probably a lot more useful.

 Could you please tell me, where to switch them off? (I've searched in
 man -k tty)

ttys(5)
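Stuart's one concrete hardening suggestion, disabling PasswordAuthentication in sshd, is easy to get wrong in ways that leave passwords enabled: the shipped sshd_config only shows the default as a comment, sshd keeps the first value of a keyword it reads rather than the last, and the keyboard-interactive (ChallengeResponseAuthentication) method accepts the same passwords on OpenBSD even when PasswordAuthentication is off. The script below is an added example, not code from the thread or from OpenSSH. It reports the global value sshd will use for a keyword from constructed sample sshd_config files, under these assumed sshd_config semantics: first occurrence wins, keywords are case-insensitive, both "keyword value" and "keyword=value" are accepted, lines after a Match block apply only conditionally, and an absent keyword falls back to the daemon's default (yes for both keywords here). The function names and the sample files are this example's own.

```shell
#!/bin/sh
# Added example, not from the thread: report the PasswordAuthentication and
# ChallengeResponseAuthentication values sshd will actually use, from
# constructed sample sshd_config files. Assumed semantics: first uncommented
# occurrence of a keyword wins, keywords are case-insensitive, "key value"
# and "key=value" both parse, directives after a Match block are conditional,
# and a missing keyword means the daemon default.

# sshd_effective FILE KEYWORD DEFAULT: print the global value of KEYWORD.
sshd_effective() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" -v dflt="$3" '
        BEGIN { FS = "[ \t=]+" }
        { sub(/^[ \t]+/, "") }                        # drop indentation, then re-split
        /^#/ || NF == 0 { next }                      # comments and blank lines
        tolower($1) == "match" { exit }               # conditional section: global value is settled
        tolower($1) == key { print $2; found = 1; exit }
        END { if (!found) print dflt }
    ' "$1"
}

# sshd_passwords_disabled FILE: succeed only when both password methods are
# off. On OpenBSD ChallengeResponseAuthentication defaults to yes and takes
# the same passwords through bsd_auth, so "PasswordAuthentication no" alone
# does not stop password logins.
sshd_passwords_disabled() {
    [ "$(sshd_effective "$1" PasswordAuthentication yes | tr 'A-Z' 'a-z')" = no ] &&
    [ "$(sshd_effective "$1" ChallengeResponseAuthentication yes | tr 'A-Z' 'a-z')" = no ]
}

SAMPLE_DIR=$(mktemp -d)
SSHD_DEFAULT="$SAMPLE_DIR/sshd_config.default"
SSHD_PITFALL="$SAMPLE_DIR/sshd_config.pitfall"
SSHD_HARDENED="$SAMPLE_DIR/sshd_config.hardened"
SSHD_MATCH_ONLY="$SAMPLE_DIR/sshd_config.matchonly"

# Constructed: the shipped file shows the defaults only as comments, so
# nothing is set and passwords stay enabled.
cat > "$SSHD_DEFAULT" <<'EOF'
Port 443
#PasswordAuthentication yes
#ChallengeResponseAuthentication yes
EOF

# Constructed: a "no" appended below an existing "yes" is ignored, because
# sshd keeps the first value it reads for a keyword.
cat > "$SSHD_PITFALL" <<'EOF'
PasswordAuthentication yes
ChallengeResponseAuthentication no
PasswordAuthentication no
EOF

# Constructed: both password methods off globally; the Match block that
# re-enables passwords for one address range does not change the global value.
cat > "$SSHD_HARDENED" <<'EOF'
Port 443
PubkeyAuthentication yes
passwordauthentication=no
ChallengeResponseAuthentication no
Match Address 192.0.2.0/24
    PasswordAuthentication yes
EOF

# Constructed: the keyword appears only inside a Match block, so the global
# value is still the default.
cat > "$SSHD_MATCH_ONLY" <<'EOF'
Match User backup
    PasswordAuthentication no
EOF

for f in "$SSHD_DEFAULT" "$SSHD_PITFALL" "$SSHD_HARDENED" "$SSHD_MATCH_ONLY"; do
    printf '%-22s PasswordAuthentication=%-3s ChallengeResponseAuthentication=%-3s passwords_disabled=%s\n' \
        "$(basename "$f")" \
        "$(sshd_effective "$f" PasswordAuthentication yes)" \
        "$(sshd_effective "$f" ChallengeResponseAuthentication yes)" \
        "$(sshd_passwords_disabled "$f" && echo yes || echo no)"
done
```

Only the hardened sample passes. Point the functions at the real /etc/ssh/sshd_config before and after editing; once the file reads as intended, check it with sshd -t and then signal the running daemon, keeping the existing session open until a key-based login on a second connection has been confirmed.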