RE: tcpserver
[ On Monday, February 24, 2003 at 19:36:46 (-0500), Casey Shobe wrote: ]
> Subject: RE: tcpserver
>
> Well, I'm using xinetd as a (hopefully) temporary solution. The security
> issues are my primary concern for not wanting to use it. I prefer to run
> everything as a standalone daemon if possible (i.e. sshd, httpd, xfs, etc.).
> xinetd was easy enough to get working though, and I've currently got Amanda
> working as a client on my server.

I don't know what kind of security you might be talking about, but for most purposes running one master internet daemon to handle all incoming service requests actually has a large number of fairly important security-related advantages.

> I also remember seeing a udpserver (based on tcpserver I think) months ago
> somewhere, but I'm not sure of its maturity, and can't seem to find it now.

Maturity? What's that got to do with it? There are fundamental conceptual problems with trying to do what TCP Wrappers does with a datagram-based server. You have to change your whole way of thinking about these things when you use connection-oriented services or even pseudo-connection style UDP servers. Maturity of fundamentally mis-conceived ideas doesn't help any. :-)

If you really want to secure amanda then make sure your border firewalls all block traffic to all the ports you run Amanda on. You could go one further by building an entirely separate and private subnet with separate physical interfaces to all your important servers and run Amanda only on that private network. That's what I do for my clients.

> As mentioned, I've got a working setup now, but would be very interested in
> hearing any possible alternatives to *inetd. The host system is linux.

I have a version of *BSD inetd that's been gone over with a fairly fine-toothed comb and which may actually be portable enough to build and work on linux

-- 
Greg A. Woods
+1 416 218-0098; <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>
Planix, Inc. <[EMAIL PROTECTED]>; VE3TCP; Secrets of the Weird <[EMAIL PROTECTED]>
RE: tcpserver
Well, I'm using xinetd as a (hopefully) temporary solution. The security issues are my primary concern for not wanting to use it. I prefer to run everything as a standalone daemon if possible (i.e. sshd, httpd, xfs, etc.). xinetd was easy enough to get working though, and I've currently got Amanda working as a client on my server.

I knew that Amanda used UDP, so that's why I wasn't sure about the tcpserver (http://cr.yp.to/ucspi-tcp/tcpserver.html) solution... I also remember seeing a udpserver (based on tcpserver I think) months ago somewhere, but I'm not sure of its maturity, and can't seem to find it now.

As mentioned, I've got a working setup now, but would be very interested in hearing any possible alternatives to *inetd. The host system is linux.

Thanks!

-- 
Casey Allen Shobe / Software Developer & Linux Administrator
SecureWorks, Inc. / 404.327.6339 x169 / Fax: 404.728.0144
[EMAIL PROTECTED] / http://www.secureworks.net
"Mathematics are a medium mankind created when trying to map existence." -- Valdimar Björn Ásgeirsson

> -----Original Message-----
> From: Greg A. Woods [mailto:[EMAIL PROTECTED]]
> Sent: 24 February 2003 22:51
> To: Joshua Baker-LePain
> Cc: Casey Shobe; [EMAIL PROTECTED]
> Subject: Re: tcpserver
>
> [ On Monday, February 24, 2003 at 12:37:47 (-0500), Joshua Baker-LePain wrote: ]
> > Subject: Re: tcpserver
> >
> > On Mon, 24 Feb 2003 at 11:50am, Casey Shobe wrote
> >
> > > Is there any way to make amanda work in standalone mode or with tcpserver?
> > > I really do not want to have to install inetd...
> >
> > xinetd works quite well
>
> Perhaps for some folks, but certainly not for all!
>
> Note also that for all intents and purposes xinetd is an inetd.
>
> > and is much more secure than inetd.
>
> I seriously doubt that. In fact I believe there's ample proof to the
> contrary with several security advisories against xinetd and none that
> I'm aware of against at least the *BSD inetds.
>
> Also note that most (all?) of the *BSD inetds include integrated hooks
> to TCP Wrappers.
>
> Finally note that Amanda doesn't just use TCP -- it also uses UDP and
> you really can't use libwrap effectively on most UDP services.
>
> -- 
> Greg A. Woods
> +1 416 218-0098; <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>
> Planix, Inc. <[EMAIL PROTECTED]>; VE3TCP; Secrets of the Weird <[EMAIL PROTECTED]>
Re: tcpserver
[ On Monday, February 24, 2003 at 12:37:47 (-0500), Joshua Baker-LePain wrote: ]
> Subject: Re: tcpserver
>
> On Mon, 24 Feb 2003 at 11:50am, Casey Shobe wrote
>
> > Is there any way to make amanda work in standalone mode or with tcpserver?
> > I really do not want to have to install inetd...
>
> xinetd works quite well

Perhaps for some folks, but certainly not for all!

Note also that for all intents and purposes xinetd is an inetd.

> and is much more secure than inetd.

I seriously doubt that. In fact I believe there's ample proof to the contrary with several security advisories against xinetd and none that I'm aware of against at least the *BSD inetds.

Also note that most (all?) of the *BSD inetds include integrated hooks to TCP Wrappers.

Finally note that Amanda doesn't just use TCP -- it also uses UDP and you really can't use libwrap effectively on most UDP services.

-- 
Greg A. Woods
+1 416 218-0098; <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>
Planix, Inc. <[EMAIL PROTECTED]>; VE3TCP; Secrets of the Weird <[EMAIL PROTECTED]>
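The libwrap-and-UDP point made in this message and in the later one ("fundamental conceptual problems with trying to do what TCP Wrappers does with a datagram based server"), shown in code. This is an added example; it is not code from the thread, from Amanda, or from inetd/xinetd/libwrap. With a TCP service a wrapper checks the peer once per accepted connection; with an inetd-style `dgram udp wait` service the daemon inherits the bound socket and reads every datagram itself, so any source-address policy has to be applied per datagram, and the only identity available is the IP header's source address, which nothing in UDP authenticates. The `hosts.allow`-style syntax, the service name `amandad`, and the addresses are constructed for the example:

```python
"""Per-datagram source-address allowlist for a UDP service (example code).

A wait-mode UDP daemon owns the socket for its whole lifetime, so a check
done once at startup protects only the first packet.  Each datagram is
checked here on its own.  The check trusts the packet's source address,
which is unauthenticated; it narrows exposure but is no substitute for a
border firewall or a private backup network.
"""
import ipaddress
import socket


def parse_allowlist(text):
    """Parse 'service: net, net, ...' lines (hosts.allow-like, constructed
    syntax) into {service: [ip_network, ...]}.  '#' starts a comment."""
    rules = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        service, _, clients = line.partition(":")
        nets = []
        for token in clients.split(","):
            token = token.strip()
            if token:
                # A bare address becomes a /32 (or /128) network.
                nets.append(ipaddress.ip_network(token, strict=False))
        rules.setdefault(service.strip(), []).extend(nets)
    return rules


def allowed(rules, service, src_ip):
    """True if src_ip falls in a network listed for service; deny by default,
    including for unparsable addresses and unknown services."""
    try:
        addr = ipaddress.ip_address(src_ip)
    except ValueError:
        return False
    return any(addr in net for net in rules.get(service, ()))


def filter_datagrams(rules, service, datagrams):
    """Apply the check to (src_ip, payload) pairs in order, the way a
    wait-mode daemon sees datagram after datagram on one socket.
    Returns (accepted, dropped)."""
    accepted, dropped = [], []
    for src_ip, payload in datagrams:
        bucket = accepted if allowed(rules, service, src_ip) else dropped
        bucket.append((src_ip, payload))
    return accepted, dropped


def serve(rules, service, sock, handler):
    """Loop on an already-bound UDP socket (for an inetd 'wait' service that
    is the inherited fd 0) and pass only datagrams from listed sources to
    handler(payload, (src_ip, src_port)).  Unlisted sources are dropped
    silently, so a spoofed or scanning sender learns nothing from a reply."""
    while True:
        payload, (src_ip, src_port) = sock.recvfrom(65535)
        if not allowed(rules, service, src_ip):
            continue
        handler(payload, (src_ip, src_port))


# Constructed sample policy and traffic, not taken from the thread.
SAMPLE_ALLOW = """
# Only the backup server and the private backup subnet may reach amandad.
amandad: 10.1.2.3, 192.168.100.0/24
"""
SAMPLE_TRAFFIC = [
    ("10.1.2.3", b"REQ from the backup server"),
    ("192.168.100.77", b"REQ from the private backup net"),
    ("203.0.113.9", b"REQ from an outside host"),
    ("10.1.2.3", b"second REQ, checked again on its own"),
]

if __name__ == "__main__":
    policy = parse_allowlist(SAMPLE_ALLOW)
    ok, bad = filter_datagrams(policy, "amandad", SAMPLE_TRAFFIC)
    print(len(ok), "accepted,", len(bad), "dropped")
    for src, _ in bad:
        print("dropped datagram from", src)
```

Note what the check cannot do: a sender that forges `10.1.2.3` as its source passes it, because nothing in a single datagram proves who sent it. That is why the thread's advice is to block the Amanda ports at the border and, better, to carry Amanda traffic only on a separate private subnet; the per-datagram filter is a second layer behind that, not a replacement for it.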
Re: tcpserver
On Mon, 24 Feb 2003 at 11:50am, Casey Shobe wrote

> Is there any way to make amanda work in standalone mode or with tcpserver?
> I really do not want to have to install inetd...

xinetd works quite well, and is much more secure than inetd. And with ipchains (or your firewall of choice) able to only allow access to/from amanda clients...

ISTR a discussion of tcpserver in the archives, but I don't recall the resolution.

-- 
Joshua Baker-LePain
Department of Biomedical Engineering
Duke University