Re: [suse-security] SuSE ssh Distro in US
"Aaron K. Poffenberger"
On a related note (security), two questions: 1) Do I need to have the ident daemon on port 113 running? That port is currently open on the external interface on my firewall.
No. None of the usual services depends on the ident daemon.
And 2) from within inetd.conf, can I set which interface(s) I want a particular service to bind to, or is it a service-by-service config (as I've found with many, e.g., afpd)?
AFAIK inetd always binds to all interfaces. Perhaps it's possible to use a wrapper which checks on which interface a connection is coming in -- never tried this. Service-by-service configs will only work for servers running in daemon mode. For inetd-controlled services inetd binds to the ports/interfaces, and inetd doesn't know about any service-specific configuration.

Eilert
--
Eilert Brinkmann -- Universitaet Bremen -- FB 3, Informatik
eilert@informatik.uni-bremen.de - eilert@tzi.org - eilert@linuxfreak.com
http://www.informatik.uni-bremen.de/~eilert/
On 17 Nov 1999, Eilert Brinkmann wrote:
And 2) from within inetd.conf, can I set which interface(s) I want a particular service to bind to, or is it a service-by-service config (as I've found with many, e.g., afpd)?
AFAIK inetd always binds to all interfaces. Perhaps it's possible to use a wrapper which checks on which interface a connection is coming in -- never tried this. Service-by-service configs will only work for servers running in daemon mode. For inetd-controlled services inetd binds to the ports/interfaces, and inetd doesn't know about any service-specific configuration.
What you say is correct. And the answer to the question actually is: use xinetd instead of or in addition to inetd. Xinetd offers superior configurability (e.g. the "interface" clause enables bind to a specific address) and is proven in the field. And SuSE Linux contains it. There is a slightly misleading comment in /etc/rc.config, however. It states that inetd and xinetd cannot be used together because they both provide the same service. Actually it should say "*if* they provide the same service". It is perfectly okay to have inetd bind to e.g. ftp and xinetd to telnet. Nevertheless, many people will stick to xinetd once they find out it exists and see that it has a richer functionality and nicer syntax than inetd.
Eilert
Volker
--
Volker Wiegand              Phone: +49 (0) 6196 / 50951-24
SuSE Rhein/Main AG          Fax: +49 (0) 6196 / 40 96 07
Mergenthalerallee 45-47     Mobile: +49 (0) 179 / 292 66 76
D-65760 Eschborn            E-Mail: Volker.Wiegand@suse.de
++ Only users lose drugs. Or was it the other way round? ++
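An added example, not taken from this thread or from SuSE's own configuration files: the xinetd "interface" clause Volker mentions, in a service stanza that listens on one address only, with the equivalent inetd.conf line (which listens on every interface) kept as a comment for comparison. The address, network and server path are placeholders.

```conf
# Constructed example: /etc/xinetd.d/telnet
#
# inetd.conf has no per-service address; this line binds to all interfaces:
#   telnet  stream  tcp  nowait  root  /usr/sbin/tcpd  in.telnetd
#
# With xinetd the same service can be tied to one interface address.
service telnet
{
    socket_type     = stream
    protocol        = tcp
    wait            = no
    user            = root
    server          = /usr/sbin/in.telnetd    # placeholder path

    # Listen only on the internal address ("bind" is a synonym of "interface").
    interface       = 192.0.2.10              # placeholder address

    # Address filter on top of the bind; clients outside it are refused and logged.
    only_from       = 192.0.2.0/24            # placeholder network

    # USERID here makes xinetd perform an ident lookup on the connecting host
    # for its log line; the answer is informational only.
    log_on_failure  += USERID

    disable         = no
}
```

After editing a stanza, restart or reload xinetd and confirm with `netstat -tln` (or `ss -tln`) that the service now appears on the chosen address rather than on 0.0.0.0.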
Hi,

----- Original Message -----
From: Eilert Brinkmann

"Aaron K. Poffenberger" wrote: On a related note (security), two questions: 1) Do I need to have the ident daemon on port 113 running? That port is currently open on the external interface on my firewall.

No. None of the usual services depends on the ident daemon.

This is not totally correct. I had port 113 disabled (&logged) a long time. I got denies during FTP transfers; nevertheless FTP worked. But there are some FTP servers which need the port open, else no connection will be made.

leo
Do I need to have the ident daemon on port 113 running? That port is currently open on the external interface on my firewall.
No. None of the usual services depends on the ident daemon.
This is not totally correct. I had port 113 disabled (&logged) a long time. I got denies during FTP transfers; nevertheless FTP worked. But there are some FTP servers which need the port open, else no connection will be made.
I think the question also involved: If *yes*, how secure is it? (And: If *not secure*, is there a way to secure it?) Does anyone have information on that?

Torsten Behle
FCB/Wilkens Hamburg
On Wed, 17 Nov 1999, Torsten Behle wrote:
Do I need to have the ident daemon on port 113 running? That port is currently open on the external interface on my firewall.
No. None of the usual services depends on the ident daemon.
This is not totally correct. I had port 113 disabled (&logged) a long time. I got denies during FTP transfers; nevertheless FTP worked. But there are some FTP servers which need the port open, else no connection will be made.
I second that. The tcp-wrapper can also be configured to only accept connections from hosts running ident. In principle you may have an interest yourself in using ident because it makes it possible to find out which user on a specific machine is using a connection. In case of a breakin attempted from your machine it is possible to find the user account used to do it. The ident answer can of course be spoofed and you might be liable anyway for things going on on your machine...

Cheers
Robert
--
Robert Casties --------------------- http://philoscience.unibe.ch/~casties
History & Philosophy of Science     Tel: +41/31/631-8505   Room: 216
Institute for Exact Sciences        Sidlerstrasse 5, CH-3012 Bern
Uni Bern (PGP key on homepage: D7 2B DE 64 2D 65 16 A0)
On Wed, 17 Nov 1999, Torsten Behle wrote:
Do I need to have the ident daemon on port 113 running? That port is currently open on the external interface on my firewall.
No. None of the usual services depends on the ident daemon.
This is not totally correct. I had port 113 disabled (&logged) a long time. I got denies during FTP transfers; nevertheless FTP worked. But there are some FTP servers which need the port open, else no connection will be made.
ident requests are probably most common in Internet Relay Chat servers (many EFnet servers and channels require ident responses now), but I'd not think it a big stretch of imagination for ftp servers to require something like ident in order to defeat crap like bouncing.
I think the question also involved: If *yes*, how secure is it? (And: If *not secure*, is there a way to secure it?) Does anyone have information on that?
Secure? If you mean if it's secure against remote intrusion, it is secure (at least, I haven't heard of any remote exploits against the identd daemon on any platform). The nature of the beast is more along the lines of the fingerd daemon, which a potential cracker might use to gather information about your system -- e.g., nmap has an ident information gathering switch (-I). Ultimately, identd is (I think) a daemon best run only on end-user/workstation boxes; in the interest of security, just about any server does not need identd running.
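The exchange Robert and Daniel are describing, as an added example that is not part of the original thread: the client side of an RFC 1413 ident lookup, run against constructed reply lines instead of a live daemon. It shows what a querier actually gets back (a user name, an opaque token, or an error), checks that the reply echoes the port pair that was asked about, and treats the user string as a logged hint rather than anything to authenticate on, which is the only safe reading of a value the remote host chose itself. The port numbers and reply lines are constructed sample data.

```python
# Added example (not from the suse-security thread): RFC 1413 ident client
# logic run against constructed reply lines. No network access is needed.
import re
from typing import Optional

IDENT_PORT = 113  # TCP port an ident daemon listens on

# Reply grammar: <port-on-server> , <port-on-client> : USERID|ERROR : ...
_REPLY = re.compile(r"^\s*(\d+)\s*,\s*(\d+)\s*:\s*(USERID|ERROR)\s*:\s*(.*)$")


def build_request(server_port: int, client_port: int) -> bytes:
    """Query line sent after connecting to TCP/113 on the peer.

    server_port is the port on the host being asked (the ident "server"),
    client_port the port on our side of the connection we want the owner of.
    """
    return f"{server_port} , {client_port}\r\n".encode("ascii")


def parse_reply(raw: bytes) -> dict:
    """Parse one ident reply line into a dict; malformed lines are rejected."""
    line = raw.decode("ascii", errors="replace").rstrip("\r\n")
    m = _REPLY.match(line)
    if not m:
        raise ValueError(f"malformed ident reply: {line!r}")
    sport, cport, kind, rest = m.groups()
    reply = {"server_port": int(sport), "client_port": int(cport)}
    if kind == "ERROR":
        reply["error"] = rest.strip()  # e.g. NO-USER, HIDDEN-USER, INVALID-PORT
        return reply
    # USERID : <opsys>[ , <charset>] : <user-id>; the user-id may contain ':'
    opsys_field, sep, user = rest.partition(":")
    if not sep:
        raise ValueError(f"USERID reply without user-id: {line!r}")
    opsys, _, charset = (p.strip() for p in opsys_field.partition(","))
    reply.update(opsys=opsys, charset=charset or None, user=user.strip())
    return reply


def owner_from_reply(server_port: int, client_port: int, raw: bytes) -> Optional[str]:
    """Return the claimed owner for our query, or None when ident gives none.

    A reply whose port pair does not echo the query is discarded. The user
    string is whatever the remote daemon chose to send: log it, never trust it.
    """
    reply = parse_reply(raw)
    if (reply["server_port"], reply["client_port"]) != (server_port, client_port):
        return None
    return reply.get("user")


# Constructed sample exchange: the peer connected from its port 6193 to our
# port 23, and we ask the peer's identd who owns its end of that connection.
SAMPLE_REQUEST = build_request(6193, 23)
SAMPLE_REPLIES = [
    b"6193 , 23 : USERID : UNIX : stjohns\r\n",           # plain user name
    b"6193 , 23 : USERID : OTHER , US-ASCII : a1b2\r\n",  # opaque token, still valid
    b"6193 , 23 : ERROR : HIDDEN-USER\r\n",               # user opted out
    b"1234 , 23 : USERID : UNIX : root\r\n",              # answers a different query
]

if __name__ == "__main__":
    print("request:", SAMPLE_REQUEST)
    for raw in SAMPLE_REPLIES:
        print(raw.strip(), "->", owner_from_reply(6193, 23, raw))
```

The HIDDEN-USER error and the opaque-token form are the two ways an administrator who does run identd can keep real account names off the wire while still giving the remote side something to put in a log.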
On Wed, Nov 17, 1999 at 07:41 +0100, Eilert Brinkmann wrote:
"Aaron K. Poffenberger" wrote: On a related note (security), two questions: 1) Do I need to have the ident daemon on port 113 running? That port is currently open on the external interface on my firewall.
No. None of the usual services depends on the ident daemon.
Although there are some services out there which don't rely on it but nevertheless direct a question towards the ident port -- sendmail comes to mind. Make sure not just to DENY this service but to REJECT it when setting up a firewall. This will speed up the decision that there won't be an answer :> And once your ruleset is complete you won't want to log these packets, they usually show up whenever you run your mail queue to your uplink.

virtually yours - Gerhard Sittig
--
If you don't understand or are scared by any of the above ask your parents or an adult to help you.
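Gerhard's DENY-versus-REJECT advice in a current ruleset, as an added example that is not from the thread (the thread's era would have used ipchains): an nftables input chain on a host or firewall that does not run identd, answering ident queries with a TCP reset so that peers such as sendmail finish their lookup at once instead of waiting for a timeout, and not logging those hits. The silent drop it replaces is kept as a commented-out line for comparison. The chain is a minimal constructed skeleton, not a complete firewall policy.

```nft
# Constructed example ruleset: how to treat inbound ident (TCP/113) when
# no identd is running here. Not a full policy; only the relevant lines.
table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;

        ct state established,related accept
        iifname "lo" accept

        # Mail peers query TCP/113 before continuing with the SMTP session.
        # An RST tells them immediately that there is no answer; nothing is
        # logged here because these hits are routine, not an attack sign.
        tcp dport 113 reject with tcp reset

        # The setting the thread warns against, for comparison: a silent
        # drop leaves every such peer waiting out its own ident timeout.
        # tcp dport 113 drop
    }
}
```

The iptables equivalent of the reject line is `iptables -A INPUT -p tcp --dport 113 -j REJECT --reject-with tcp-reset`. On a router between the mail server and the uplink the same rule belongs in the forward chain, since the query is addressed to the mail host, not to the firewall.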
participants (7)
- Daniel L. Donahue
- Eilert Brinkmann
- Gerhard Sittig
- Leopold Toetsch
- Robert Casties
- Torsten Behle
- Volker Wiegand