Re: Pros and Cons of running under inetd....
I did not give any more information about the security hole as I don't recall the exact exploit. However, from my bad memory it was something that inet can inadvertently run an application which can easily get root privileges. Inet itself runs as root. If you want the real details, as I previously said, you can look it up in the security archives on the FreeBSD lists or in SANS postings at sans.org.

-Derek

At 08:35 PM 5/12/2006, [EMAIL PROTECTED] wrote:
> At 08:42 PM 5/12/2006, Eric Schuele wrote:
> > You say tcpwrappers are compiled into ftpd? Are you sure? How can I "enable" or otherwise use them? If I add things to hosts.allow they seem to have no influence. This would solve my problem as I would not need inetd.
>
> My bad. It seems it does not. It's running from inetd on the box I regularly edit hosts.allow on.
>
> The performance benefit inetd once offered -- not having a lot of background processes for seldom used services -- is not a big deal today. But security-wise, spawning other programs that would just be directly listening on a port otherwise doesn't seem terribly insecure. Could it even be argued beneficial? -- you have a single, simple piece of code accepting the initial connections, instead of 20 processes doing the same thing with 20 different pieces of code, any one of which could have an exploit. If an exploit was conceived that could take advantage of lots of programs listening on any old socket, it seems the vulnerability would be lessened, or at least easier to fix.
>
> I don't claim to be an expert security guy or OS programmer, but so far I haven't heard an explanation besides "don't do that".
>
> -Wayne
>
> ___
> freebsd-questions@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-questions
> To unsubscribe, send any mail to "[EMAIL PROTECTED]"

--
This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. MailScanner thanks transtec Computers for their support.
Re: Pros and Cons of running under inetd....
There are two ways to run these at boot. The more standard way is to create an rc script in /usr/local/etc/rc.d. Whatever scripts you create must have a .sh extension to run at boot. For instance you would create ftp-proxy.sh in that directory with the single line to execute the ftp-proxy with any command line options you need or want. You would do the same creating a fam.sh file with the command line for fam.

The other method is to run these from cron on boot, using @reboot for the time to run these. You can do a man 5 crontab to see the exact syntax.

As an aside, I have fam installed on one 6.1 server, but I believe it is being run from within gnome, as there is no entry for it to run in inet, rc scripts, or cron.

-Derek

At 05:24 AM 5/13/2006, dick hoogendijk wrote:
> On 12 May Eric Schuele wrote:
> > Derek Ragona wrote:
> > > Yes it is still true today. The default system now has inetd running nothing. And the ports now install rc scripts for these reasons.
> >
> > Not arguing here... everything I've found on the web says something similar.
> >
> > But why do we have inetd? I assume it solved a problem in the past, that no longer exists. Not to mention its spotted security history.
> >
> > > For network daemons, when they are running in a listen mode there is no real overhead on the system.
>
> OK, I run inetd for just these two services:
>
> #
> # FAM: File Alteration Monitor [devel/fam]
> sgi_fam/1-2 stream rpc/tcp wait root /usr/local/bin/fam fam
> #
> # an appropriate block rule to your pf.conf
> #
> ftp-proxy stream tcp nowait root /usr/libexec/ftp-proxy ftp-proxy
>
> If inetd is a security risk how can I change these things to work without inetd? As I understand there is no other way, but I'm very keen on learning ;-)
>
> --
> dick
> -- http://nagual.st/ -- PGP/GnuPG key: F86289CE
> ++ Running FreeBSD 6.1 ++ The Power to Serve
Re: Pros and Cons of running under inetd....
On 12 May Eric Schuele wrote:
> Derek Ragona wrote:
> > Yes it is still true today. The default system now has inetd running nothing. And the ports now install rc scripts for these reasons.
>
> Not arguing here... everything I've found on the web says something similar.
>
> But why do we have inetd? I assume it solved a problem in the past, that no longer exists. Not to mention its spotted security history.
>
> > For network daemons, when they are running in a listen mode there is no real overhead on the system.

OK, I run inetd for just these two services:

#
# FAM: File Alteration Monitor [devel/fam]
sgi_fam/1-2 stream rpc/tcp wait root /usr/local/bin/fam fam
#
# an appropriate block rule to your pf.conf
#
ftp-proxy stream tcp nowait root /usr/libexec/ftp-proxy ftp-proxy

If inetd is a security risk how can I change these things to work without inetd? As I understand there is no other way, but I'm very keen on learning ;-)

--
dick
-- http://nagual.st/ -- PGP/GnuPG key: F86289CE
++ Running FreeBSD 6.1 ++ The Power to Serve
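Both inetd.conf entries above spawn their program as root, which is the property the thread keeps coming back to. As an added illustration (my own script, not anything posted in the thread), here is a POSIX sh audit that lists every active inetd.conf(5) entry whose spawn user is root, run over a constructed sample made of dick's two lines plus one hypothetical entry that drops to "nobody":

```shell
#!/bin/sh
# Constructed inetd.conf(5) sample: the two entries quoted in the thread plus a
# hypothetical fingerd line that inetd would spawn as "nobody" with rate limits.
SAMPLE_INETD_CONF='#
# FAM: File Alteration Monitor [devel/fam]
sgi_fam/1-2 stream rpc/tcp wait root /usr/local/bin/fam fam
#
# an appropriate block rule to your pf.conf
#
ftp-proxy stream tcp nowait root /usr/libexec/ftp-proxy ftp-proxy
#
# hypothetical entry that drops to an unprivileged user (constructed)
finger stream tcp nowait/3/10 nobody /usr/libexec/fingerd fingerd -s'

# list_root_services CONF_TEXT
# Prints "service wait-mode program" for every active entry whose spawn user
# is root.  inetd.conf(5) field layout:
#   1 service  2 socket-type  3 protocol  4 wait|nowait[/max-child[/...]]
#   5 user[:group][/login-class]  6 server-program  7.. arguments
list_root_services() {
    printf '%s\n' "$1" | awk '
        /^[ \t]*#/ || /^[ \t]*$/ { next }   # skip comments and blank lines
        NF >= 6 {
            mode = $4; user = $5
            sub(/\/.*/, "", mode)     # drop /max-child/... rate limits
            sub(/:.*/, "", user)      # drop :group
            sub(/\/.*/, "", user)     # drop /login-class
            if (user == "root") print $1, mode, $6
        }'
}

# count_root_services CONF_TEXT: number of entries inetd would spawn as root
count_root_services() {
    list_root_services "$1" | grep -c .
}

# Stand-alone run: the entries a defender would review first.
printf 'inetd entries spawned as root:\n'
list_root_services "$SAMPLE_INETD_CONF"
```

Run it against a real file with `list_root_services "$(cat /etc/inetd.conf)"`; entries with an unprivileged user or a login class survive the parsing because the user field is stripped of its `:group` and `/class` suffixes before comparison.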
Re: Pros and Cons of running under inetd....
At 08:42 PM 5/12/2006, Eric Schuele wrote:
> You say tcpwrappers are compiled into ftpd? Are you sure? How can I "enable" or otherwise use them? If I add things to hosts.allow they seem to have no influence. This would solve my problem as I would not need inetd.

My bad. It seems it does not. It's running from inetd on the box I regularly edit hosts.allow on.

The performance benefit inetd once offered -- not having a lot of background processes for seldom used services -- is not a big deal today. But security-wise, spawning other programs that would just be directly listening on a port otherwise doesn't seem terribly insecure. Could it even be argued beneficial? -- you have a single, simple piece of code accepting the initial connections, instead of 20 processes doing the same thing with 20 different pieces of code, any one of which could have an exploit. If an exploit was conceived that could take advantage of lots of programs listening on any old socket, it seems the vulnerability would be lessened, or at least easier to fix.

I don't claim to be an expert security guy or OS programmer, but so far I haven't heard an explanation besides "don't do that".

-Wayne
Re: Pros and Cons of running under inetd....
Inetd still is there as a legacy part of UNIX. This was the old way of starting services on demand in the old days BEFORE WANs, the internet, etc. Remember UNIX started as networked on LANs, with LANs interconnected using UUCP. Ah, those good old days before SPAM, www, and viruses.

As more security problems have been found, changes have been made to the OS, like the move away from inetd. This also forces that only required services are running, not a slew of services running "on demand" like finger, ftp, tftp, etc. through inetd.

-Derek

At 07:44 PM 5/12/2006, Eric Schuele wrote:
> Derek Ragona wrote:
> > Yes it is still true today. The default system now has inetd running nothing. And the ports now install rc scripts for these reasons.
>
> Not arguing here... everything I've found on the web says something similar.
>
> But why do we have inetd? I assume it solved a problem in the past, that no longer exists. Not to mention its spotted security history.
>
> > For network daemons, when they are running in a listen mode there is no real overhead on the system.
> >
> > -Derek
> >
> > At 03:41 PM 5/12/2006, [EMAIL PROTECTED] wrote:
> > > At 04:25 PM 5/12/2006, you wrote:
> > > > inetd running is discouraged. Instead run the daemons on boot using rc scripts. If you look back in the history, inetd running is a security risk, and was discouraged in the 5.X releases.
> > >
> > > Is that still really true? Waaayyy back when, inetd would have all kinds of dangerous services enabled by default (allowing DOS stuff like spewing "chargen" into "discard"). But that was a configuration issue, and issues with the services it launched; not with inetd itself.
> > >
> > > The authentication is still done within ftpd. You're just saving the tiny overhead of running it all the time for occasional use. And inetd does allow the tcpwrappers for anything it launches (obviously the wrappers are compiled into many other things now, ftpd included.)
> > >
> > > -Wayne
>
> --
> Regards,
> Eric
Re: Pros and Cons of running under inetd....
Simply reinstall whatever ported apps you are using and look for a sample startup script in /usr/local/etc/rc.d, or look in /etc/defaults/rc.conf for the settings to override in /etc/rc.conf to run any standard system services at boot.

You can search the old security lists or look in SANS archives on the actual exploits about inetd.

-Derek

At 07:46 PM 5/12/2006, Eric Schuele wrote:
> Daniel Bye wrote:
> > On Fri, May 12, 2006 at 01:07:22PM -0500, Eric Schuele wrote:
> > > Although I am curious about ftpd and tcpwrappers I am also interested in whether or not running these daemons under inetd is preferred or not. If so why? If not, why?
> >
> > Certainly for anything that has a reasonably expensive start up, such as sshd, you will probably want to run it as a standalone daemon, because it's easier on the system to start it up only once and then fork a new child for each client connection.
> >
> > On the other hand, using inetd will allow you to have only one 'superserver' running, which can spawn the appropriate daemon as required. This means that you won't have idle daemons lying around, as they are cleaned up once the session ends.
> >
> > One obvious shortcoming, as you point out, is that the stock ftpd doesn't seem to understand how to consult /etc/hosts.allow, so if you have one configured already, then you might want to use inetd to control ftpd. There may be alternative ftpd servers in the ports that do know how to use tcpwrappers, but I've never used any others so don't know.
> >
> > So, I suppose the real answer to your question is that you should use inetd if you need to use one of the features that it provides, such as tcpwrappers. I can't think of any reason to not use inetd, and I haven't heard any reasonable arguments suggesting it's particularly bad for your health. YMMV, etc.
>
> Thanks for the response. I'm of a similar opinion. For this particular application (my laptop and occasional use, plus it's usually ipfw'd away from the world) I think it's fine... and unless I find another solution, I'll probably run ftpd under inetd, and sshd standalone.
>
> > Dan
>
> --
> Regards,
> Eric
Re: Pros and Cons of running under inetd....
Daniel Bye wrote:
> On Fri, May 12, 2006 at 01:07:22PM -0500, Eric Schuele wrote:
> > Although I am curious about ftpd and tcpwrappers I am also interested in whether or not running these daemons under inetd is preferred or not. If so why? If not, why?
>
> Certainly for anything that has a reasonably expensive start up, such as sshd, you will probably want to run it as a standalone daemon, because it's easier on the system to start it up only once and then fork a new child for each client connection.
>
> On the other hand, using inetd will allow you to have only one 'superserver' running, which can spawn the appropriate daemon as required. This means that you won't have idle daemons lying around, as they are cleaned up once the session ends.
>
> One obvious shortcoming, as you point out, is that the stock ftpd doesn't seem to understand how to consult /etc/hosts.allow, so if you have one configured already, then you might want to use inetd to control ftpd. There may be alternative ftpd servers in the ports that do know how to use tcpwrappers, but I've never used any others so don't know.
>
> So, I suppose the real answer to your question is that you should use inetd if you need to use one of the features that it provides, such as tcpwrappers. I can't think of any reason to not use inetd, and I haven't heard any reasonable arguments suggesting it's particularly bad for your health. YMMV, etc.

Thanks for the response. I'm of a similar opinion. For this particular application (my laptop and occasional use, plus it's usually ipfw'd away from the world) I think it's fine... and unless I find another solution, I'll probably run ftpd under inetd, and sshd standalone.

> Dan

--
Regards,
Eric
Re: Pros and Cons of running under inetd....
Derek Ragona wrote:
> Yes it is still true today. The default system now has inetd running nothing. And the ports now install rc scripts for these reasons.

Not arguing here... everything I've found on the web says something similar.

But why do we have inetd? I assume it solved a problem in the past, that no longer exists. Not to mention its spotted security history.

> For network daemons, when they are running in a listen mode there is no real overhead on the system.
>
> -Derek
>
> At 03:41 PM 5/12/2006, [EMAIL PROTECTED] wrote:
> > At 04:25 PM 5/12/2006, you wrote:
> > > inetd running is discouraged. Instead run the daemons on boot using rc scripts. If you look back in the history, inetd running is a security risk, and was discouraged in the 5.X releases.
> >
> > Is that still really true? Waaayyy back when, inetd would have all kinds of dangerous services enabled by default (allowing DOS stuff like spewing "chargen" into "discard"). But that was a configuration issue, and issues with the services it launched; not with inetd itself.
> >
> > The authentication is still done within ftpd. You're just saving the tiny overhead of running it all the time for occasional use. And inetd does allow the tcpwrappers for anything it launches (obviously the wrappers are compiled into many other things now, ftpd included.)
> >
> > -Wayne

--
Regards,
Eric
Re: Pros and Cons of running under inetd....
[EMAIL PROTECTED] wrote:
> At 04:25 PM 5/12/2006, you wrote:
> > inetd running is discouraged. Instead run the daemons on boot using rc scripts. If you look back in the history, inetd running is a security risk, and was discouraged in the 5.X releases.
>
> Is that still really true? Waaayyy back when, inetd would have all kinds of dangerous services enabled by default (allowing DOS stuff like spewing "chargen" into "discard"). But that was a configuration issue, and issues with the services it launched; not with inetd itself.
>
> The authentication is still done within ftpd. You're just saving the tiny overhead of running it all the time for occasional use. And inetd does allow the tcpwrappers for anything it launches (obviously the wrappers are compiled into many other things now, ftpd included.)

You say tcpwrappers are compiled into ftpd? Are you sure? How can I "enable" or otherwise use them? If I add things to hosts.allow they seem to have no influence. This would solve my problem as I would not need inetd.

> -Wayne

--
Regards,
Eric
Re: Pros and Cons of running under inetd....
Yes it is still true today. The default system now has inetd running nothing. And the ports now install rc scripts for these reasons.

For network daemons, when they are running in a listen mode there is no real overhead on the system.

-Derek

At 03:41 PM 5/12/2006, [EMAIL PROTECTED] wrote:
> At 04:25 PM 5/12/2006, you wrote:
> > inetd running is discouraged. Instead run the daemons on boot using rc scripts. If you look back in the history, inetd running is a security risk, and was discouraged in the 5.X releases.
>
> Is that still really true? Waaayyy back when, inetd would have all kinds of dangerous services enabled by default (allowing DOS stuff like spewing "chargen" into "discard"). But that was a configuration issue, and issues with the services it launched; not with inetd itself.
>
> The authentication is still done within ftpd. You're just saving the tiny overhead of running it all the time for occasional use. And inetd does allow the tcpwrappers for anything it launches (obviously the wrappers are compiled into many other things now, ftpd included.)
>
> -Wayne
Re: Pros and Cons of running under inetd....
At 04:25 PM 5/12/2006, you wrote:
> inetd running is discouraged. Instead run the daemons on boot using rc scripts. If you look back in the history, inetd running is a security risk, and was discouraged in the 5.X releases.

Is that still really true? Waaayyy back when, inetd would have all kinds of dangerous services enabled by default (allowing DOS stuff like spewing "chargen" into "discard"). But that was a configuration issue, and issues with the services it launched; not with inetd itself.

The authentication is still done within ftpd. You're just saving the tiny overhead of running it all the time for occasional use. And inetd does allow the tcpwrappers for anything it launches (obviously the wrappers are compiled into many other things now, ftpd included.)

-Wayne
Re: Pros and Cons of running under inetd....
On Fri, May 12, 2006 at 01:07:22PM -0500, Eric Schuele wrote:
>
> Although I am curious about ftpd and tcpwrappers I am also interested in whether or not running these daemons under inetd is preferred or not. If so why? If not, why?

Certainly for anything that has a reasonably expensive start up, such as sshd, you will probably want to run it as a standalone daemon, because it's easier on the system to start it up only once and then fork a new child for each client connection.

On the other hand, using inetd will allow you to have only one 'superserver' running, which can spawn the appropriate daemon as required. This means that you won't have idle daemons lying around, as they are cleaned up once the session ends.

One obvious shortcoming, as you point out, is that the stock ftpd doesn't seem to understand how to consult /etc/hosts.allow, so if you have one configured already, then you might want to use inetd to control ftpd. There may be alternative ftpd servers in the ports that do know how to use tcpwrappers, but I've never used any others so don't know.

So, I suppose the real answer to your question is that you should use inetd if you need to use one of the features that it provides, such as tcpwrappers. I can't think of any reason to not use inetd, and I haven't heard any reasonable arguments suggesting it's particularly bad for your health. YMMV, etc.

Dan

--
Daniel Bye
PGP Key: http://www.slightlystrange.org/pgpkey-dan.asc
PGP Key fingerprint: D349 B109 0EB8 2554 4D75 B79A 8B17 F97C 1622 166A
                                                                _
                                           ASCII ribbon campaign ( )
                                    - against HTML, vCards and    X
                           - proprietary attachments in e-mail   / \
Re: Pros and Cons of running under inetd....
inetd running is discouraged. Instead run the daemons on boot using rc scripts. If you look back in the history, inetd running is a security risk, and was discouraged in the 5.X releases.

-Derek

At 01:07 PM 5/12/2006, Eric Schuele wrote:
> Daniel Bye wrote:
> > On Fri, May 12, 2006 at 11:35:41AM -0500, Eric Schuele wrote:
> > > Hello,
> > >
> > > I run sshd and ftpd on my laptop. I generally start them via:
> > > sshd_enable="YES"
> > > ftpd_enable="YES"
> > > in my rc.conf.
> > >
> > > What are the pros/cons of running them via inetd?
> > >
> > > This is in no way a high load or production machine. Just my laptop that I need access to from time to time.
> > >
> > > The one pro I have noticed (which is rather important to me) is that ftpd does not heed hosts.allow directives when NOT run via inetd. Am I correct in this? I prefer to use tcpwrappers to further protect my sshd and ftpd. I generally keep ftpd firewalled off from the world and when someone needs to (anonymous) ftp something to me I open the firewall. But it would be nice to allow only their IP using hosts.allow (as I just enable/disable a generic ruleset in ipfw). So should I forget to disable the ruleset in ipfw then I am not open all day till I reboot.
>
> Thanks for the response.
>
> > When sshd starts, it needs to generate keys and set up its cryptographic environment, so you will notice a bit of lag before getting a login prompt. This may or may not mean anything to you, depending on how beefy your laptop is. Check man sshd for the -i option.
> >
> > sshd should, by default, be compiled with tcpwrappers support anyway. You can test whether this is the case by putting something like this at the top of your hosts.allow:
> >
> > sshd : 127.0.0.1 : deny
> >
> > and then try connecting on the loopback interface. If you see `refused connect from localhost' in your /var/log/auth.log, then your sshd uses hosts.allow and running it from inetd won't give you any benefit.
>
> Actually I have sshd under control. It works fine, and yes uses tcpwrappers by default.
>
> > I don't know about ftpd, as I don't use it.
>
> ftpd however does not seem to use them.
>
> > Dan
>
> Although I am curious about ftpd and tcpwrappers I am also interested in whether or not running these daemons under inetd is preferred or not. If so why? If not, why?
>
> --
> Regards,
> Eric
Re: Pros and Cons of running under inetd....
Daniel Bye wrote:
> On Fri, May 12, 2006 at 11:35:41AM -0500, Eric Schuele wrote:
> > Hello,
> >
> > I run sshd and ftpd on my laptop. I generally start them via:
> > sshd_enable="YES"
> > ftpd_enable="YES"
> > in my rc.conf.
> >
> > What are the pros/cons of running them via inetd?
> >
> > This is in no way a high load or production machine. Just my laptop that I need access to from time to time.
> >
> > The one pro I have noticed (which is rather important to me) is that ftpd does not heed hosts.allow directives when NOT run via inetd. Am I correct in this? I prefer to use tcpwrappers to further protect my sshd and ftpd. I generally keep ftpd firewalled off from the world and when someone needs to (anonymous) ftp something to me I open the firewall. But it would be nice to allow only their IP using hosts.allow (as I just enable/disable a generic ruleset in ipfw). So should I forget to disable the ruleset in ipfw then I am not open all day till I reboot.

Thanks for the response.

> When sshd starts, it needs to generate keys and set up its cryptographic environment, so you will notice a bit of lag before getting a login prompt. This may or may not mean anything to you, depending on how beefy your laptop is. Check man sshd for the -i option.
>
> sshd should, by default, be compiled with tcpwrappers support anyway. You can test whether this is the case by putting something like this at the top of your hosts.allow:
>
> sshd : 127.0.0.1 : deny
>
> and then try connecting on the loopback interface. If you see `refused connect from localhost' in your /var/log/auth.log, then your sshd uses hosts.allow and running it from inetd won't give you any benefit.

Actually I have sshd under control. It works fine, and yes uses tcpwrappers by default.

> I don't know about ftpd, as I don't use it.

ftpd however does not seem to use them.

> Dan

Although I am curious about ftpd and tcpwrappers I am also interested in whether or not running these daemons under inetd is preferred or not. If so why? If not, why?

--
Regards,
Eric
Re: Pros and Cons of running under inetd....
On Fri, May 12, 2006 at 11:35:41AM -0500, Eric Schuele wrote:
> Hello,
>
> I run sshd and ftpd on my laptop. I generally start them via:
> sshd_enable="YES"
> ftpd_enable="YES"
> in my rc.conf.
>
> What are the pros/cons of running them via inetd?
>
> This is in no way a high load or production machine. Just my laptop that I need access to from time to time.
>
> The one pro I have noticed (which is rather important to me) is that ftpd does not heed hosts.allow directives when NOT run via inetd. Am I correct in this? I prefer to use tcpwrappers to further protect my sshd and ftpd. I generally keep ftpd firewalled off from the world and when someone needs to (anonymous) ftp something to me I open the firewall. But it would be nice to allow only their IP using hosts.allow (as I just enable/disable a generic ruleset in ipfw). So should I forget to disable the ruleset in ipfw then I am not open all day till I reboot.

When sshd starts, it needs to generate keys and set up its cryptographic environment, so you will notice a bit of lag before getting a login prompt. This may or may not mean anything to you, depending on how beefy your laptop is. Check man sshd for the -i option.

sshd should, by default, be compiled with tcpwrappers support anyway. You can test whether this is the case by putting something like this at the top of your hosts.allow:

sshd : 127.0.0.1 : deny

and then try connecting on the loopback interface. If you see `refused connect from localhost' in your /var/log/auth.log, then your sshd uses hosts.allow and running it from inetd won't give you any benefit.

I don't know about ftpd, as I don't use it.

Dan

--
Daniel Bye
PGP Key: http://www.slightlystrange.org/pgpkey-dan.asc
PGP Key fingerprint: D349 B109 0EB8 2554 4D75 B79A 8B17 F97C 1622 166A
                                                                _
                                           ASCII ribbon campaign ( )
                                    - against HTML, vCards and    X
                           - proprietary attachments in e-mail   / \