Re: Is inetd needed on a web server + PostgreSQL?
On Tue, Nov 07, 2006 at 01:23:17PM +0100, Alexander Farber wrote:
> On 11/7/06, Stuart Henderson [EMAIL PROTECTED] wrote:
> > On 2006/11/07 12:36, Alexander Farber wrote:
> > > Do you think I still need to run inetd? I've looked through the /etc/inetd.conf and there are only 2 time services + ident. I think I don't need those 3 services either (my PostgreSQL listens only to the /var/www/tmp/.s.PGSQL.5432 file). So do you think I could switch inetd down or do I miss something?
> >
> > If you're looking to increase security, it's probably better to spend your time looking for some alternative to phpBB (or keeping a close eye on access_log irregularities and security fixes).
>
> No, not security - just to save some memory + CPU

inetd consumes no CPU after startup unless it actually is used, and no measurable amount of memory. Disabling it doesn't hurt, but it doesn't help either.

> > > And also, do I need these getty processes if I only use ssh and serial console?
> >
> > What's the benefit? Someone with physical access can't login at the console? (but they can do that anyway, by rebooting the box into single-user mode). The only thing I can see this doing is causing extra pain if there's a problem.
>
> My root-server costs me only 20 Euro/month. For that money no support will ever login into it from console and they support only Linux anyway (I've installed OpenBSD remotely by dd if=floppy40.fs of=/dev/hda)
>
> I'm just asking here about the getty processes, so that I don't lock myself out and have to reinstall everything from scratch.

You could probably make do without getty, but why? Again, they take no CPU after startup and no measurable amount of memory. And if you ever do have to get the box going after you've somehow shot ssh (and it's not like that isn't going to happen at some point), they might be very useful.

I suppose you *do* have some sort of 'serial console' access? It's not really SSH-only, I hope? (This would make installs, upgrades, and attempts at repair very, very painful.)

Joachim
Is inetd needed on a web server + PostgreSQL?
Hello,

I have a small web server (OpenBSD 4.0 stable) running phpBB with PostgreSQL. Then there is sshd @ port 443 and default sendmail @ localhost.25.

Do you think I still need to run inetd? I've looked through the /etc/inetd.conf and there are only 2 time services + ident. I think I don't need those 3 services either (my PostgreSQL listens only to the /var/www/tmp/.s.PGSQL.5432 file). So do you think I could switch inetd down or do I miss something?

And also, do I need these getty processes if I only use ssh and serial console?

    root        22089  0.0  0.1  212  556 C0  Is+  Fri10AM 0:00.01 /usr/libexec/getty Pc ttyC0
    root        15055  0.0  0.1  296  548 C1  Is+  Fri10AM 0:00.00 /usr/libexec/getty Pc ttyC1
    root        11962  0.0  0.1  248  548 C2  Is+  Fri10AM 0:00.00 /usr/libexec/getty Pc ttyC2
    root        31899  0.0  0.1  368  532 C3  Is+  Fri10AM 0:00.00 /usr/libexec/getty Pc ttyC3
    root         4805  0.0  0.1  224  552 C5  Is+  Fri10AM 0:00.01 /usr/libexec/getty Pc ttyC5

Could you please tell me, where to switch them off? (I've searched in man -k tty)

Thank you
Alex

PS: Here is my pf.conf and the list of processes (which I'd like to reduce a bit):

    $ sudo cat /etc/pf.conf
    ext_if = fxp0
    priv_nets = { 127/8 192.168/16 172.16/12 10/8 }
    allow_ports = { www https }

    set loginterface $ext_if
    set skip on lo

    scrub in

    block in log
    pass out keep state

    antispoof quick for $ext_if
    block quick on $ext_if from $priv_nets
    block quick log on $ext_if to $priv_nets

    # don't allow PHP-worms to propagate
    block out quick log on $ext_if proto { tcp, udp } all user www

    pass in on $ext_if proto tcp from any to $ext_if port $allow_ports keep state

    $ ps uax
    USER          PID %CPU %MEM  VSZ  RSS TT  STAT STARTED    TIME COMMAND
    root            1  0.0  0.1  468  332 ??  Ss   Fri10AM 0:00.02 /sbin/init
    root        29156  0.0  0.1  372  524 ??  Is   Fri10AM 0:00.01 syslogd: [priv] (syslogd)
    _syslogd    10485  0.0  0.1  400  528 ??  S    Fri10AM 0:00.73 syslogd -a /var/empty/dev/log
    root        16401  0.0  0.1  392  392 ??  Is   Fri10AM 0:00.02 pflogd: [priv] (pflogd)
    _pflogd      5650  0.0  0.1  460  336 ??  S    Fri10AM 0:12.33 pflogd: [running] -s 116 -f /var/log/pflog (pflogd)
    root        31027  0.0  0.1  284  628 ??  Is   Fri10AM 0:00.02 inetd
    root         3513  0.0  0.1  520  688 ??  Ss   Fri10AM 0:00.76 cron
    _postgresql 29103  0.0  0.7 2280 3564 ??  S    Fri10AM 0:30.20 postmaster: writer process (postgres)
    _postgresql 23152  0.0  0.3 3296 1704 ??  S    Fri10AM 0:01.05 postmaster: stats buffer process (postgres)
    _postgresql 16977  0.0  0.2 2344 1084 ??  I    Fri10AM 0:01.37 postmaster: stats collector process (postgres)
    root        30114  0.0  0.3 1192 1764 ??  Ss   Fri10AM 0:11.32 sendmail: accepting connections (sendmail)
    _postgresql 10976  0.0  0.7 2984 3732 ??  I     8:41AM 0:00.02 postmaster: phpbb phpbb [local] idle (postgres)
    root        15676  0.0  0.2  492 1180 ??  Is   10:10AM 0:00.16 /usr/sbin/sshd
    root        29248  0.0  0.4 3184 2184 ??  Is   10:17AM 0:00.09 sshd: afarber [priv] (sshd)
    afarber     32251  0.0  0.3 3188 1464 ??  S    10:17AM 0:00.76 sshd: [EMAIL PROTECTED] (sshd)
    www         19705  0.0  1.2 2736 6080 ??  Ss   11:52AM 0:00.21 httpd: parent [chroot /var/www] (httpd)
    www         14868  0.0  1.0 3036 5004 ??  I    11:52AM 0:00.81 httpd: child (httpd)
    www         23367  0.0  0.9 3008 4936 ??  I    11:52AM 0:00.73 httpd: child (httpd)
    www          2800  0.0  1.0 3068 5068 ??  I    11:52AM 0:00.71 httpd: child (httpd)
    www         14936  0.0  1.0 3064 5020 ??  I    11:52AM 0:00.83 httpd: child (httpd)
    www         32295  0.0  0.9 3020 4912 ??  I    11:52AM 0:00.71 httpd: child (httpd)
    www         13521  0.0  0.9 3012 4956 ??  I    11:53AM 0:00.41 httpd: child (httpd)
    www         10874  0.0  0.9 3032 4932 ??  I    11:55AM 0:00.59 httpd: child (httpd)
    afarber      4852  0.0  0.1  460  512 p0  Is+  10:17AM 0:00.07 -ksh (ksh)
    afarber     31856  0.0  0.1  460  480 p1  Is    8:40AM 0:00.01 /bin/ksh
    afarber     17658  0.0  0.0  364  228 p3  R+   12:30PM 0:00.00 ps -uax
    _postgresql 22404  0.0  0.6 2288 2916 00- I    Fri10AM 0:02.49 /usr/local/bin/postmaster -D /var/postgresql/data -D /var/postgresql/data
    root         3374  0.0  0.1  264  548 00  Is+  Fri10AM 0:00.01 /usr/libexec/getty std.57600 tty00
    root        22089  0.0  0.1  212  556 C0  Is+  Fri10AM 0:00.01 /usr/libexec/getty Pc ttyC0
    root        15055  0.0  0.1  296  548 C1  Is+  Fri10AM 0:00.00 /usr/libexec/getty Pc ttyC1
    root        11962  0.0  0.1  248  548 C2  Is+  Fri10AM 0:00.00 /usr/libexec/getty Pc ttyC2
    root        31899  0.0  0.1  368  532 C3  Is+  Fri10AM 0:00.00 /usr/libexec/getty Pc ttyC3
    root         4805  0.0  0.1  224  552 C5  Is+  Fri10AM 0:00.01 /usr/libexec/getty Pc ttyC5

    $ netstat -a | grep LISTEN | grep -vw tcp6
    tcp        0      0  *.www                  *.*
Re: Is inetd needed on a web server + PostgreSQL?
On 2006/11/07 12:36, Alexander Farber wrote:
> I have a small web server (OpenBSD 4.0 stable) running phpBB with PostgreSQL.
>
> Do you think I still need to run inetd? I've looked through the /etc/inetd.conf and there are only 2 time services + ident. I think I don't need those 3 services either (my PostgreSQL listens only to the /var/www/tmp/.s.PGSQL.5432 file). So do you think I could switch inetd down or do I miss something?

If you're looking to increase security, it's probably better to spend your time looking for some alternative to phpBB (or keeping a close eye on access_log irregularities and security fixes).

> And also, do I need these getty processes if I only use ssh and serial console?

What's the benefit? Someone with physical access can't login at the console? (but they can do that anyway, by rebooting the box into single-user mode). The only thing I can see this doing is causing extra pain if there's a problem.

You didn't mention disabling PasswordAuthentication in sshd, that's probably a lot more useful.

> Could you please tell me, where to switch them off? (I've searched in man -k tty)

ttys(5)
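The thread touches three files: /etc/inetd.conf (which services inetd starts), /etc/ttys (which terminals get a getty, per ttys(5)) and sshd_config (PasswordAuthentication). As an added example, not part of the thread and not from any of its posters, here is a small sh script that reads those files and reports what each one actually enables, so the state can be checked before and after a change. The sample files it creates under a temporary directory are constructed for the example; the function names (inetd_enabled, ttys_on, sshd_password_auth, audit_report) are the script's own.

```shell
#!/bin/sh
# Added example, not from the thread: report what the three configuration
# files discussed above actually enable. The sample files below are
# constructed so the script runs offline; on a real OpenBSD host point the
# functions at /etc/inetd.conf, /etc/ttys and /etc/ssh/sshd_config instead.
set -u

workdir=$(mktemp -d)

# Constructed sample inetd.conf: ident plus the two time services enabled,
# everything else commented out, as the original poster describes.
cat > "$workdir/inetd.conf" <<'EOF'
# constructed sample, not a real /etc/inetd.conf
ident     stream  tcp   nowait  _identd  /usr/libexec/identd  identd -el
#ident    stream  tcp6  nowait  _identd  /usr/libexec/identd  identd -el
daytime   stream  tcp   nowait  root     internal
time      stream  tcp   nowait  root     internal
#comsat   dgram   udp   wait    root     /usr/libexec/comsat  comsat
EOF

# Constructed sample ttys(5): the serial line tty00 and several virtual
# consoles with getty turned on, matching the process list in the thread.
cat > "$workdir/ttys" <<'EOF'
# constructed sample, not a real /etc/ttys
console "/usr/libexec/getty std.9600"   vt220    off secure
tty00   "/usr/libexec/getty std.57600"  unknown  on  secure
ttyC0   "/usr/libexec/getty Pc"         vt220    on  secure
ttyC1   "/usr/libexec/getty Pc"         vt220    on  secure
ttyC4   "/usr/libexec/getty Pc"         vt220    off secure
ttyC5   "/usr/libexec/getty Pc"         vt220    on  secure
EOF

# Constructed sshd_config pair: one leaves PasswordAuthentication at its
# default (commented out, which sshd treats as "yes"), one turns it off.
cat > "$workdir/sshd_config.default" <<'EOF'
Port 443
Protocol 2
#PasswordAuthentication yes
EOF
cat > "$workdir/sshd_config.hardened" <<'EOF'
Port 443
Protocol 2
PasswordAuthentication no
EOF

# Services inetd would start: the first field of every line that is
# neither blank nor a comment.
inetd_enabled() {
    awk '!/^[[:space:]]*(#|$)/ { print $1 }' "$1"
}

# Terminals with a getty turned on: a non-comment ttys line whose status
# field (the words after the quoted getty command and the terminal type)
# contains "on".
ttys_on() {
    awk '!/^[[:space:]]*(#|$)/ {
             for (i = 2; i <= NF; i++) if ($i == "on") { print $1; break }
         }' "$1"
}

# Effective PasswordAuthentication value: sshd uses the first uncommented
# occurrence of a keyword, and the compiled-in default is "yes" when the
# keyword is absent.
sshd_password_auth() {
    awk 'tolower($1) == "passwordauthentication" { print tolower($2); found = 1; exit }
         END { if (!found) print "yes" }' "$1"
}

# One line per file. The unquoted $(...) inside echo deliberately collapses
# the newline-separated lists into one space-separated line.
audit_report() {
    dir=$1
    echo "inetd services enabled: $(echo $(inetd_enabled "$dir/inetd.conf"))"
    echo "getty on:               $(echo $(ttys_on "$dir/ttys"))"
    echo "PasswordAuthentication: $(sshd_password_auth "$dir/sshd_config.default")"
}

audit_report "$workdir"
```

On the OpenBSD of that era the corresponding changes are: `inetd=NO` in /etc/rc.conf.local to stop inetd at boot, changing the status word of the unwanted lines in /etc/ttys from `on` to `off` and sending init a SIGHUP (`kill -HUP 1`) so it re-reads the file, and `PasswordAuthentication no` in /etc/ssh/sshd_config, which is only safe to apply once a key-based login has been confirmed to work from a second session while the first one stays open.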