| Commit message | Author | Age | Files | Lines |
| |
Reviewed by: mdodd, peter
Notes:
svn path=/head/; revision=85298
| |
Notes:
svn path=/head/; revision=84767
| |
Requested by: "William Wong" <willwong@samurai.com>
MFC after: 1 week
Notes:
svn path=/head/; revision=84400
| |
and correct the path to /usr/local as an example.
Submitted by: ru
Notes:
svn path=/head/; revision=84265
| |
and ftpd. This more conservative default reduces the exposure of
freshly installed machines, which is especially valuable for machines
that receive minimal further configuration before being put into
production. Generally speaking, SSH has superseded the use of both
telnet and ftp in many environments. In light of recent remotely
exploitable security holes in both telnetd and ftpd, this choice
retains flexibility (both telnetd and ftpd daemons remain installed
and easily enableable) while protecting users who don't need the
additional risk. This change brings our configuration into line with
the majority of other UNIX vendors, including OpenBSD and NetBSD.
To address the concerns of those requiring remote access via telnet
from first install, changes will shortly be committed to sysinstall
to provide the ability to edit inetd.conf during the installation
process, allowing telnetd and ftp to be re-enabled during the
installation process.
While I'm at it, slightly improve commenting for inetd.conf so that
it's more clear to users how to enable and disable services.
Further commenting to indicate the functions of various columns would
probably also be useful.
Reviewed by: imp, chris, jake, nate, -arch, -stable
Notes:
svn path=/head/; revision=81020
| |
out of sync. A similar change was made by itojun on the OpenBSD tree
a few weeks ago. This should stop people disabling one server and
forgetting the other one (eg: ftp and/or telnet)
Notes:
svn path=/head/; revision=75017
| |
remote access on default installations.
Notes:
svn path=/head/; revision=66621
| |
are bad enough, but finger is hardly a critical system service and
it's traditionally been vulnerable to a variety of attacks; anybody
remember RTFM and his worm?
Notes:
svn path=/head/; revision=66568
| |
to more closely resemble those in the IPv4 section.
Notes:
svn path=/head/; revision=58574
| |
Submitted by: Robert Muir <rmuir@looksharp.net>
Notes:
svn path=/head/; revision=57773
| |
Also enable some standard IPv6 apps by default.
These entries will be simply ignored on systems with no INET6 defined.
Approved by: jkh
Suggested by: peter
Notes:
svn path=/head/; revision=57537
| |
no longer the correct way to have qmail handle incoming qmail smtp
connections. Also provide a url to the correct method.
Notes:
svn path=/head/; revision=55779
| |
about the --allow-root switch.
PR: 14463
Notes:
svn path=/head/; revision=55115
| |
Notes:
svn path=/head/; revision=50472
| |
Notes:
svn path=/head/; revision=49059
| |
example of their usage in the sample config. Merge the two examples
for the green internal auth service.
This commit failed the first time around because Brian beat me to the
punch on inetd.8 . I like my descriptions better and I'm pretty sure
Brian won't mind.
Notes:
svn path=/head/; revision=49034
| |
at least for now. I relegated the getcred sysctls to only root, but if
they're deemed to be "allowable" to export to users, I'll do so and
revert this change.
Notes:
svn path=/head/; revision=48846
| |
configuration file.
Requested by: green
Notes:
svn path=/head/; revision=48845
| |
the make variable REAL_IDENT, and ~/.fakeid support can be added
with FAKEID set. Note that the default behavior is the same as
the old behavior.
Notes:
svn path=/head/; revision=48816
| |
run as root again, not kmem:kmem
Notes:
svn path=/head/; revision=48815
| |
mailbox contents. comsat instead simply prints that new mail is
available. Add appropriate comment to inetd.conf but leave comsat in
sandbox.
Notes:
svn path=/head/; revision=41444
| |
adjusted inetd.conf to run comsat and ntalk from tty sandbox, and
the (commented out) ident from the kmem sandbox.
Note that it is necessary to give each group access its own uid to
prevent programs running under a single uid from being able to gdb
or otherwise mess with other programs (with different group perms) running
under the same uid.
Notes:
svn path=/head/; revision=41441
| |
Notes:
svn path=/head/; revision=40911
| |
runs only 3 simultaneous fingerd processes and
limit the connections-per-ip-per-minute to 10.
Notes:
svn path=/head/; revision=39825
| |
Notes:
svn path=/head/; revision=38738
| |
Notes:
svn path=/head/; revision=38337
| |
Notes:
svn path=/head/; revision=37741
| |
the imap4 entry.
Notes:
svn path=/head/; revision=29951
| |
Notes:
svn path=/head/; revision=21613
| |
if kerberos is installed. So far as I'm aware, kerberos aware clients
detect ECONNREFUSED and (if allowed) fall back to the non-kerberos
servers. They do not know how to interpret messages such as
"rlogind: unknown option -k".
I believe Garrett also mentioned this.
Unfortunately, this adds an extra step to bringing up kerberos.
It also stops /var/log/messages getting quite so many useless (and
confusing) error messages when somebody does a port scan on you.
Notes:
svn path=/head/; revision=19607
| |
Turn OFF the "small servers" by default. FreeBSD systems should only
serve actively used programs. Jewels like chargen and echo are too
useful in attack scenarios.
Notes:
svn path=/head/; revision=18639
| |
Notes:
svn path=/head/; revision=18378
| |
"hand", changed /etc/crontab to call /usr/sbin/newsyslog every hour
(the entry was there before - but we haven't had any newsyslog until
today :-) and changed /etc/inetd.conf to also contain (commented out)
entries for rpc.rquotad and rpc.sprayd (taken from NetBSD)
Notes:
svn path=/head/; revision=13249
| |
people don't compromise their system by blindly un-commenting the
entry.
Notes:
svn path=/head/; revision=12995
| |
Add rkinit at 2108/tcp.
services:
Add rkinitd.
Notes:
svn path=/head/; revision=10808
| |
Submitted by:
Obtained from:
Notes:
svn path=/head/; revision=9775
| |
Notes:
svn path=/head/; revision=9742
| |
Notes:
svn path=/head/; revision=7671
| |
Notes:
svn path=/head/; revision=5183
| |
Notes:
svn path=/head/; revision=5170
| |
instead of /usr/local/etc/popper. The 2.0 installation installs it there.
Notes:
svn path=/head/; revision=4652
| |
Notes:
svn path=/head/; revision=3196
| |
Notes:
svn path=/head/; revision=3190
| |
Notes:
svn path=/head/; revision=3169
| |
Deleted commented-out line which would start mountd; that's not
the right place to do it (don't confuse the users).
Should probably have uncommented rpc.rstatd, but didn't.
Notes:
svn path=/head/; revision=1715
| |
Comment out walld/rusersd/rstatd, may be too verbose
Notes:
svn path=/head/; revision=1662
| |
Uncomment rstatd/rusersd/rwalld all three worked
mountd still commented out, I remember some problem with it
Notes:
svn path=/head/; revision=1645
| |
Added an example entry for the pop3 popper into inetd.conf as a comment.
Notes:
svn path=/head/; revision=831
| |
Notes:
svn path=/head/; revision=645
| |
running portmapper. These are site specific functionality and should only
be enabled for sites that want them, not by default.
These services REQUIRE portmapper to be running
Notes:
svn path=/head/; revision=591