Bret,

I was logging my DENY'ed incoming calls to auth. I noticed that my
external pop3 server always asked me for auth. I also noticed that many
(but not all) file downloads with both http and ftp protocol, when
started from NetScape, called my auth server. This normally gave me
about 30 seconds of delay before the downloading of pop3 mail or
http/ftp transfer of files began. I have so far never suffered from
being refused any service on the net because of DENY'ing auth calls.

I have later learnt that it might be smarter to REJECT calls to auth
than DENY'ing them. It should reduce the number of retries and thereby
shorten any timeouts.

For the time being I'm ALLOW'ing the auth calls. Might go for REJECT
later on, though.



One advantage with running auth from tcp wrappers is of course that it's
somewhat protected(?). I mean, the standard setup for port sentry is to
add any port scanning IPs to the tcp wrappers hosts.deny file.

I guess unless you're having a very high volume of calls for auth, the
performance penalty is not high enough to get worried about.

Best regards
Gustav


Bret Hughes wrote:
> 
> I too have been wondering about this.
> 
> Seems like it would be a tad faster to have it running standalone.  It
> will also use some resources all the time as opposed to inetd starting
> it, sending it the query and letting it shut down.  At least if my
> understanding of inetd is correct.  I don't know what the frequency of
> calls to auth would have to be before the overhead of starting and
> stopping it becomes a greater load than having it running all the time.
> 
> Is there any logging or other security features gained from using inetd
> with auth?
> 
> Since I have been lurking I have been wondering which processes use
> auth?  Surely not every connection sends an auth request, but I don't
> know in the real world even how often it is used.  What would happen if
> it was not running?
> 
> Bret
> 
> Charles Galpin wrote:
> >
> > Thanks Gordon!
> >
> > Boy, right in front of my nose too. I knew it was going to be an easy
> > fix.
> >
> > However, two things.
> >
> > 1. Like Gustav, I would like to know which is better
> > 2. I did not have identd selected in ntsysv, and am quite sure I didn't
> > start it myself. So how did it get started? I'm thinking linuxconf is
> > trying to do it. If this is true, then maybe the simplest route is to run
> > it standalone and remove from inetd.conf. Anyone?
> >
> > On Mon, 13 Mar 2000, Gordon Messmer wrote:
> >
> > > Charles Galpin wrote:
> > > > Mar 13 22:49:24 server inetd[10663]: auth/tcp: bind: Address already in
> > > > use
> > > > Mar 13 22:59:24 server inetd[10663]: auth/tcp: bind: Address already in
> > > > use
> > > >
> > > > I have named setup to run at boot time in ntsysv.
> > >
> > > hehehe... The "bind" in the syslog is referring to the bind() system
> > > call, not the BIND software  :)
> > >
> > > You're getting the error because you're trying to run identd (auth
> > > service) as a standalone daemon _AND_ through inetd.  Turn one of them
> > > off.

-- 
pgp = Pretty Good Privacy. To get my public pgp key, send an e-mail to:
[EMAIL PROTECTED]

Visit my web site at http://www.schaffter.com
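An added example, not code from the list or from any of the posters above, showing the client side of the behaviour Gustav describes: a minimal RFC 1413 ident (auth, TCP/113) query that distinguishes an answer from identd, an immediate refusal (REJECT, or no identd listening) and a silent timeout (DENY). The host, port numbers and reply lines are constructed for illustration.

```python
"""Minimal RFC 1413 ident (auth, TCP/113) client: answered, refused, or dropped.
A refusal (REJECT, or no identd) returns at once; a silent drop (DENY) stalls the
caller until its timeout, which is the POP3/FTP delay described in the thread."""
import socket

IDENT_PORT = 113


def parse_ident_reply(line):
    """Parse one ident reply line into a dict.
    Constructed examples in the RFC 1413 format:
      '6193, 23 : USERID : UNIX : stjohns'  -> kind USERID, os, user
      '6195, 23 : ERROR : NO-USER'          -> kind ERROR, error
    """
    parts = [p.strip() for p in line.strip().split(":", 3)]
    if len(parts) < 3:
        raise ValueError("malformed ident reply: %r" % line)
    server_port, client_port = (int(p) for p in parts[0].split(","))
    kind = parts[1].upper()
    reply = {"kind": kind, "server_port": server_port, "client_port": client_port}
    if kind == "USERID" and len(parts) == 4:
        reply["os"], reply["user"] = parts[2], parts[3]
    elif kind == "ERROR":
        reply["error"] = parts[2]
    else:
        raise ValueError("unexpected ident reply type: %r" % kind)
    return reply


def ident_query(host, server_port, client_port, timeout=2.0, port=IDENT_PORT):
    """Ask identd on host who owns the TCP connection host:server_port <->
    us:client_port. Returns (outcome, reply); outcome is 'reply', 'refused',
    'timeout' or 'error', and reply is a parsed dict only for 'reply'."""
    try:
        # create_connection() applies timeout to both connect() and recv().
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(("%d , %d\r\n" % (server_port, client_port)).encode("ascii"))
            data = b""
            while not data.endswith(b"\n") and len(data) < 1024:
                chunk = s.recv(256)
                if not chunk:  # identd closed without answering
                    break
                data += chunk
    except ConnectionRefusedError:  # RST / ICMP unreachable: REJECT or nothing listening
        return ("refused", None)
    except socket.timeout:  # packets silently dropped: DENY
        return ("timeout", None)
    except OSError:  # e.g. network unreachable
        return ("error", None)
    if not data:
        return ("error", None)
    return ("reply", parse_ident_reply(data.decode("ascii", "replace")))
```

Running ident_query against a host that drops port 113 returns ("timeout", None) only after the full timeout elapses, which is exactly the delay a mail or FTP server imposes on its clients when it insists on an ident lookup.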

