new user questions. (Before I back myself into a corner!)
Kevin Kinsey
kdk at daleco.biz
Wed Nov 24 02:41:25 UTC 2010
Dave wrote:
>
> Hi. Sorry ... <snip>
Hello, and welcome. And I made it a bit shorter ;-)
> I'd like to:-
> Have an ssh login via LAN available, I believe that's a standard feature,
> but I expressly disabled that (well, told it not to implement it) when
> I originally installed the OS. Or have a VNC server running.
As someone mentioned:
sshd_enable="YES"
in /etc/rc.conf. You can then either a] reboot, or b] issue the
following with root privileges:
/etc/rc.d/sshd start
> Have a small web server, again I've read that Apache can do a good job,
> but I don't want (nor need) all its facilities, in particular I need to
> lock it down so no "PUTs" can happen for a start! The web pages are
> simple flat form, text and static graphics, with a little client side
> scripting, purely to find the client's local date and time, to select the
> graphic to serve.
I believe Beech had some advice on this. It's probably pretty good :-)
> Have a FTP server, so I can automate some of the web page graphics
> updates, from other systems that generate the data, and can FTP files
> across the LAN, also of course for general web page maintenance needs.
The base system ftpd is run from inetd, a "super server" which can serve
several small protocols. Have a look at /etc/inetd.conf. The first "real" line:
#ftp stream tcp nowait root /usr/libexec/ftpd ftpd -l
Uncomment that (remove the 'hash'), and save it (you'll have to be root
again, of course).
See if inetd is running:
$ pgrep inetd
If you get a number (PID), it's running. Otherwise, you'll probably need
to enable it. Again, you need:
inetd_enable="YES"
in /etc/rc.conf. Add the line and either a] reboot, or b] issue the
following with root privileges:
/etc/rc.d/inetd start
Sound familiar?
*IF* inetd was *already running*, all you should have to do is issue:
$ kill -HUP `pgrep inetd`
> It'd be nice to have a VPN endpoint, but not essential, as that is
> currently living on another W2k box. But in the long term perhaps. The
> only complication with that, is I need to be able to tunnel a UDP VoIP
> stream over/through it. (I currently use Hamachi on Windows for that, it
> works well.) Also, the "other end" needs to live on a XP (or later)
> Laptop.
I'll leave vpn to someone more knowledgeable in that area. AFAIK you'll
have to install a port; /usr/ports/security/openvpn is likely the canonical
program, but, as I say, seek other advice on that fo' shizzle ;-)
> I would prefer to
> have FTP logins that are in no way related to any system login users.
I can't help with that either; check the docs on Beech's suggestions,
perhaps.
> Lastly, I have everything so far (on the Win2k box) working well with
> highly non-standard (high numbered) ports. Even though it's "exposed"
> (via port forwarding in the router) to the outside, there is next to no
> "noise", (script kiddies, Chinese hackers etc) poking around my back
> passage.
>
> Of all the stuff I've read so far in the FreeBSD handbook, and a few
> other places, not one mention is made (that I can see so far) of how to
> set services for alternative port numbers?
That's generally in the configuration file for the server. This information
might be available in the manpage, if one exists.
For example:
$ man sshd | col -bx > ~/sshd.txt
$ grep -c port ~/sshd.txt
22
So, there's at least 22 mentions of "port" in the sshd manpage.
As it turns out, there's a line in /etc/ssh/sshd_config that gives
it right away:
$ grep -i port /etc/ssh/sshd_config
#Port 22
# Disable legacy (protocol version 1) support in the server for new
#GatewayPorts no
So, remove the comment from the "Port 22" line, change the number
from the default 22 (222, perhaps, for memory's sake?) and either a]
reboot, or b] "kill -HUP `pgrep sshd`" (sounding REAL familiar now).
Incidentally, one might suggest that running on non-standard ports
is merely security by obscurity. In the case of sshd, at least, a
better solution might be to only allow key-based authentication; but,
as I said, that's just a suggestion. I have done such things myself
a time or two ... I kinda think I just delayed the inevitable in that
case, though.
> Lastly, as I don't want to break the existing NTP server, I may find
> another PC of similar spec, to mess with, with some sort of impunity.
Well, as I mention, often you can enable and start these additional
services from the base system with little or no interruption to extant
services at all (which, IMHO, is exactly as a Real Server should work,
take that, M$). But I suppose we'd certainly understand. You might
even just get a Live-CD distribution and dink around with that. AFAIK,
you could run ftpd, inetd, and sshd temporarily on those just to get
a feel for how to administer them.
My $0.02,
Kevin D. Kinsey
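Added example, not part of Kevin's message and not FreeBSD's own tooling: the three edits walked through above (rc.conf variables, uncommenting the ftpd entry in inetd.conf, and the Port / key-only-authentication settings in sshd_config) as small POSIX sh helpers that can be re-run without duplicating lines. Every function takes the file path first so the edits can be rehearsed on a scratch copy before touching /etc; the function names and the sample file contents in demo_on_scratch_copies are constructed for this example. Assumes POSIX sh with awk, sed and mktemp.

```shell
#!/bin/sh
# Added example, not code from the original message or from FreeBSD itself:
# idempotent helpers for the three edits the reply walks through, namely
# setting rc.conf variables, uncommenting an inetd.conf entry, and setting
# sshd_config options (Port, plus key-only authentication).  Every function
# takes the file path first so it can be rehearsed on a scratch copy before
# it touches anything under /etc.  Assumes POSIX sh with awk, sed and mktemp;
# function names and the sample file contents below are constructed.

# _rewrite FILE : replace FILE with stdin, keeping its inode and permissions.
_rewrite() {
    tmp=$(mktemp) || return 1
    cat > "$tmp" && cat "$tmp" > "$1"
    rm -f "$tmp"
}

# enable_rc_var FILE VAR : make sure VAR="YES" appears exactly once, rewriting
# an existing VAR= line (even VAR="NO") or appending one if absent.
enable_rc_var() {
    if grep -q "^$2=" "$1"; then
        sed "s/^$2=.*/$2=\"YES\"/" "$1" | _rewrite "$1"
    else
        printf '%s="YES"\n' "$2" >> "$1"
    fi
}

# enable_inetd_service FILE SERVICE [PROTO] : strip the leading '#' from the
# entry whose first field is SERVICE and third field is PROTO (default tcp),
# i.e. the "#ftp stream tcp nowait root ..." line; other protocols (tcp6)
# stay commented unless asked for.
enable_inetd_service() {
    awk -v svc="#$2" -v proto="${3:-tcp}" '
        $1 == svc && $3 == proto { sub(/^#/, "") }
        { print }' "$1" | _rewrite "$1"
}

# set_sshd_option FILE KEY VALUE : set KEY in the global section of an
# sshd_config.  The first "KEY ..." or "#KEY ..." line becomes "KEY VALUE",
# later duplicates are dropped, and a missing option is inserted before the
# first Match block (or appended) so it never lands inside a Match.
set_sshd_option() {
    awk -v key="$2" -v value="$3" '
        /^[ \t]*Match[ \t]/ {
            if (!done) { print key " " value; done = 1 }
            in_match = 1
        }
        !in_match && ($1 == key || $1 == ("#" key)) {
            if (!done) { print key " " value; done = 1 }
            next
        }
        { print }
        END { if (!done) print key " " value }' "$1" | _rewrite "$1"
}

# get_sshd_option FILE KEY : print the effective global value of KEY (first
# uncommented occurrence before any Match block), or nothing if it is unset.
get_sshd_option() {
    awk -v key="$2" '
        /^[ \t]*Match[ \t]/ { exit }
        $1 == key { sub(/^[^ \t]+[ \t]+/, ""); print; exit }' "$1"
}

# harden_sshd_config FILE PORT : the reply's two suggestions together; moving
# off port 22 only cuts noise, refusing password logins is what matters.
harden_sshd_config() {
    set_sshd_option "$1" Port "$2"
    set_sshd_option "$1" PasswordAuthentication no
    set_sshd_option "$1" ChallengeResponseAuthentication no
    set_sshd_option "$1" PubkeyAuthentication yes
}

# demo_on_scratch_copies : build constructed rc.conf, inetd.conf and
# sshd_config fragments in a temp dir, apply the helpers, and return 0
# only if every edit took effect and nothing else was disturbed.
demo_on_scratch_copies() {
    dir=$(mktemp -d) || return 1
    printf 'hostname="fbsd.example"\nsshd_enable="NO"\n' > "$dir/rc.conf"
    printf '#ftp\tstream\ttcp\tnowait\troot\t/usr/libexec/ftpd\tftpd -l\n' > "$dir/inetd.conf"
    printf '#ftp\tstream\ttcp6\tnowait\troot\t/usr/libexec/ftpd\tftpd -l\n' >> "$dir/inetd.conf"
    cat > "$dir/sshd_config" <<'EOF'
#Port 22
#GatewayPorts no
Match User backup
    PasswordAuthentication yes
EOF
    enable_rc_var "$dir/rc.conf" sshd_enable
    enable_rc_var "$dir/rc.conf" inetd_enable
    enable_rc_var "$dir/rc.conf" inetd_enable        # re-run: must not duplicate
    enable_inetd_service "$dir/inetd.conf" ftp
    harden_sshd_config "$dir/sshd_config" 222
    if grep -q '^sshd_enable="YES"' "$dir/rc.conf" &&
       [ "$(grep -c '^inetd_enable="YES"' "$dir/rc.conf")" -eq 1 ] &&
       grep -q '^ftp[[:space:]]' "$dir/inetd.conf" &&
       grep -q '^#ftp[[:space:]].*tcp6' "$dir/inetd.conf" &&
       [ "$(get_sshd_option "$dir/sshd_config" Port)" = 222 ] &&
       [ "$(get_sshd_option "$dir/sshd_config" PasswordAuthentication)" = no ] &&
       [ "$(get_sshd_option "$dir/sshd_config" GatewayPorts)" = "" ] &&
       grep -q '^    PasswordAuthentication yes' "$dir/sshd_config"
    then status=0; else status=1; fi
    rm -rf "$dir"
    return $status
}
```

Run against the real files as root only after demo_on_scratch_copies passes, then send the HUPs the message describes (kill -HUP `pgrep inetd`, kill -HUP `pgrep sshd`). For sshd_config, run sshd -t first to let sshd syntax-check the edited file, and keep the existing session open while you confirm from a second window that a key login on the new port works, since PasswordAuthentication no is exactly the setting that locks you out if the key is not yet in place.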