new user questions. (Before I back myself into a corner!)
kdk at daleco.biz
Wed Nov 24 02:41:25 UTC 2010
> Hi. Sorry ... <snip>
Hello, and welcome. And I made it a bit shorter ;-)
> I'd like to:-
> Have an ssh login via LAN available, I believe that's a standard feature,
> but I expressly disabled that (well, told it not to implement it) when
> I originally installed the OS. Or have a VNC server running.
As someone mentioned:
in /etc/rc.conf. You can then either a] reboot, or b] issue the
following with root privileges:
> Have a small web server, again I've read that Apache can do a good job,
> but I don't want (nor need) all its facilities, in particular I need to
> lock it down so no "PUTs" can happen for a start! The web pages are
> simple flat form, text and static graphics, with a little client side
> scripting, purely to find the client's local date and time, to select the
> graphic to serve.
I believe Beech had some advice on this. It's probably pretty good :-)
> Have a FTP server, so I can automate some of the web page graphics
> updates, from other systems that generate the data, and can FTP files
> across the LAN, also of course for general web page maintenance needs.
The base system ftpd is run from inetd, a "super server" which can serve
several small protocols. Have a look at /etc/inetd.conf. The first "real" line:
#ftp stream tcp nowait root /usr/libexec/ftpd ftpd -l
Uncomment that (remove the 'hash'), and save it (you'll have to be root
again, of course).
See if inetd is running:
$ pgrep inetd
If you get a number(PID), it's running. Otherwise, you'll probably need
to enable it. Again, you need:
in /etc/rc.conf. Add the line and either a] reboot, or b] issue the
following with root privileges:
*IF* inetd was *already running*, all you should have to do is issue:
$ kill -HUP `pgrep inetd`
> It'd be nice to have a VPN endpoint, but not essential, as that is
> currently living on another W2k box. But in the long term perhaps. The
> only complication with that, is I need to be able to tunnel a UDP VoIP
> stream over/through it. (I currently use Hamachi on Windows for that, it
> works well.) Also, the "other end" needs to live on a XP (or later)
I'll leave vpn to someone more knowledgeable in that area. AFAIK you'll
have to install a port; /usr/ports/security/openvpn is likely the canonical
program, but, as I say, seek other advice on that fo' shizzle ;-)
> I would prefer to
> have FTP logins that are in no way related to any system login users.
I can't help with that either; check the docs on Beech's suggestions,
> Lastly, I have everything so far (on the Win2k box) working well with
> highly non standard (high numbered) ports. Even though it's "exposed"
> (via port forwarding in the router) to the outside, there is next to no
> "noise", (script kiddies, Chinese hackers etc) poking around my back
> Of all the stuff I've read so far in the FreeBSD handbook, and a few
> other places, not one mention is made (that I can see so far) of how to
> set services for alternative port numbers?
That's generally in the configuration file for the server. This information
might be available in the manpage, if one exists.
$ man sshd | col -bx > ~/sshd.txt
$ grep -c port ~/sshd.txt
So, there's at least 22 mentions of "port" in the sshd manpage.
As it turns out, there's a line in /etc/ssh/sshd_config that gives
it right away:
$ grep -i port /etc/ssh/sshd_config
# Disable legacy (protocol version 1) support in the server for new
So, remove the comment from the "Port 22" line, change the number
from the default 22 (222, perhaps, for memory's sake?) and either a]
reboot, or b] "kill -HUP `pgrep sshd`" (sounding REAL familiar now).
Incidentally, one might suggest that running on non-standard ports
is merely security by obscurity. In the case of sshd, at least, a
better solution might be to only allow key-based authentication; but,
as I said, that's just a suggestion. I have done such things myself
a time or two ... I kinda think I just delayed the inevitable in that
> Lastly, as I don't want to break the existing NTP server, I may find
> another PC of similar spec, to mess with, with some sort of impunity.
Well, as I mention, often you can enable and start these additional
services from the base system with little or no interruption to extant
services at all (which, IMHO, is exactly as a Real Server should work,
take that, M$). But I suppose we'd certainly understand. You might
even just get a Live-CD distribution and dink around with that. AFAIK,
you could run ftpd, inetd, and sshd temporarily on those just to get
a feel for how to administer them.
Kevin D. Kinsey
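Added example, not part of Kevin's post or of the FreeBSD base system: a small POSIX sh script that checks what the edits described above actually result in. It parses sshd_config-style text the way sshd does (a commented "#Port 22" only documents the default, the first uncommented value of a keyword wins, and every uncommented Port line is listened on), reports whether password logins are still possible after the key-only suggestion, and lists which inetd.conf entries are live once the ftp line is uncommented. The sample config text is constructed inline, not copied from any real system.

```shell
#!/bin/sh
# Added example, not from the original post: parse sshd_config- and inetd.conf-style
# text and report the effect of the sshd port change and ftpd enablement discussed above.
# Both sample inputs below are constructed for this example.

SAMPLE_SSHD_CONFIG='# Disable legacy (protocol version 1) support in the server
#Port 22
Port 222
PasswordAuthentication no
ChallengeResponseAuthentication no
PubkeyAuthentication yes'

SAMPLE_INETD_CONF='# constructed sample; only uncommented lines are live
ftp     stream  tcp     nowait  root    /usr/libexec/ftpd       ftpd -l
#ftp    stream  tcp6    nowait  root    /usr/libexec/ftpd       ftpd -l'

# sshd_option CONFIG KEYWORD DEFAULT
# sshd uses the first uncommented value of a keyword; a commented "#Port 22"
# line documents the default rather than setting anything, which is why the
# post says to uncomment "Port" before changing the number.
sshd_option() {
    printf '%s\n' "$1" | awk -v key="$2" -v def="$3" '
        /^[[:space:]]*#/ || NF == 0 { next }
        tolower($1) == tolower(key) && !seen { print tolower($2); seen = 1 }
        END { if (!seen) print def }'
}

# effective_ports CONFIG: every uncommented Port line counts (sshd listens on
# all of them); with none present, the default 22 applies.
effective_ports() {
    printf '%s\n' "$1" | awk '
        /^[[:space:]]*#/ || NF == 0 { next }
        tolower($1) == "port" { print $2; found = 1 }
        END { if (!found) print 22 }'
}

# password_logins_possible CONFIG: prints "yes" unless both password and
# challenge-response (PAM keyboard-interactive) authentication are off.
# PasswordAuthentication no on its own is not enough while
# ChallengeResponseAuthentication (default yes) can still prompt for a password.
password_logins_possible() {
    pw=$(sshd_option "$1" PasswordAuthentication yes)
    cr=$(sshd_option "$1" ChallengeResponseAuthentication yes)
    if [ "$pw" = yes ] || [ "$cr" = yes ]; then echo yes; else echo no; fi
}

# inetd_enabled_services CONF: service/protocol of each uncommented inetd.conf line
inetd_enabled_services() {
    printf '%s\n' "$1" | awk '
        /^[[:space:]]*#/ || NF == 0 { next }
        { print $1 "/" $3 }'
}

# report SSHD_CONFIG INETD_CONF: one-line summary of each check
report() {
    echo "sshd listens on port(s): $(effective_ports "$1" | tr '\n' ' ')"
    echo "password logins still possible: $(password_logins_possible "$1")"
    echo "inetd services enabled: $(inetd_enabled_services "$2" | tr '\n' ' ')"
}

report "$SAMPLE_SSHD_CONFIG" "$SAMPLE_INETD_CONF"
```

To run it against a live system instead of the constructed samples, pass `"$(cat /etc/ssh/sshd_config)"` and `"$(cat /etc/inetd.conf)"` to `report`. One caveat on the restart step quoted above: `pgrep sshd` also matches the per-connection sshd processes of logged-in users, so the HUP reaches more than the listener; check the PID list before signalling.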