Amanda-Users

RE: tcpserver

2003-02-25 02:24:30
Subject: RE: tcpserver
From: "Greg A. Woods" <woods AT weird DOT com>
To: Casey Shobe <cshobe AT secureworks DOT com>
Date: Tue, 25 Feb 2003 01:08:30 -0500 (EST)
[ On Monday, February 24, 2003 at 19:36:46 (-0500), Casey Shobe wrote: ]
> Subject: RE: tcpserver
>
> Well, I'm using xinetd as a (hopefully) temporary solution.  The security
> issues are my primary concern for not wanting to use it.  I prefer to run
> everything as a standalone daemon if possible (i.e. sshd, httpd, xfs, etc.).
> xinetd was easy enough to get working though, and I've currently got Amanda
> working as a client on my server.

I don't know what kind of security you might be talking about, but for
most purposes running one master internet daemon to handle all incoming
service requests actually has a large number of fairly important
security related advantages.

> I also remember seeing a udpserver (based on tcpserver I think) months ago
> somewhere, but I'm not sure of its maturity, and can't seem to find it now.

Maturity?  What's that got to do with it?  There are fundamental
conceptual problems with trying to do what TCP Wrappers does with a
datagram based server.  You have to change your whole way of thinking
about these things when you use connection-oriented services or even
pseudo-connection style UDP servers.  Maturity of fundamentally
misconceived ideas doesn't help any.  :-)

If you really want to secure amanda then make sure your border firewalls
all block traffic to all the ports where you run Amanda on.  You could
go one further by building an entirely separate and private subnet with
separate physical interfaces to all your important servers and run
Amanda only on that private network.  That's what I do for my clients.

> As mentioned, I've got a working setup now, but would be very interested in
> hearing any possible alternatives to *inetd.  The host system is linux.

I have a version of *BSD inetd that's been gone over with a fairly
fine-toothed comb and which may actually be portable enough to build and
work on linux....

-- 
                                                                Greg A. Woods

+1 416 218-0098;            <g.a.woods AT ieee DOT org>;           <woods AT robohack DOT ca>
Planix, Inc. <woods AT planix DOT com>; VE3TCP; Secrets of the Weird <woods AT weird DOT com>
