On Mon, Jul 30, 2001 at 02:00:43PM -0500, Dimitri Maziuk wrote:
> * Kalle Hasselström (kalle@treskal.com) spake thusly:
> ...
> > Two more questions popped up, regarding inetd. bsd-ftpd is started by
> > inetd on incoming calls. How can I
> >
> > a) Temporarily disable ftp? I thought it would be a good idea to do
> > this when it's not being used, to be on the safe side. I won't be
> > using it much at all, not even once a week.
>
> IIRC xinetd allows you to set date/time based access controls.
> You could do more with a wrapper around in.ftpd, if you can
> write a wrapper like that. You could go as far as write a wrapper
> that needs a specific packet -- if it receives that, it spawns
> ftpd, otherwise it drops the connection ("knock first", often used
> by trojans). Or you could run ftpd standalone, ssh to the box and
> do "/etc/init.d/ftpd start" before ftp'ing.
>

Good idea! The following does what I want:

[contents of /usr/local/sbin/in.ftpd]
------
#!/bin/sh
# Run the real in.ftpd, but only if the file /etc/allowftp exists.
# "$@" passes inetd's arguments through unchanged (unquoted $* would re-split them).
if [ -e /etc/allowftp ]; then
    /usr/sbin/in.ftpd "$@"
fi
------

It's an on/off switch that's only reachable from the inside.

> > b) Change the port? The default port for ftp is 21, but I'd like it to
> > use 12345 or something instead. This is just to confuse people,
> > especially my ISP who with a rather sweeping statement disallows
> > "servers". They just want to keep the traffic volume down, and I won't
> > be generating overly much traffic, but nevertheless I thought it might
> > be prudent to assume that they check for requests on ports 21 and 80.
>
> Would
> "12345 stream tcp nowait root /usr/sbin/tcpd /usr/sbin/in.ftpd -q"
> work? Also, you can tell standalone server what port to listen to,
> e.g. "Port 12345" for ProFTPD.
>

Works like a charm (note that it's been modified to call the wrapper script instead as well):

[slices from /etc/inetd.conf]
------
#ftp stream tcp nowait root /usr/sbin/tcpd /usr/sbin/in.ftpd -q
12345 stream tcp nowait root /usr/sbin/tcpd /usr/local/sbin/in.ftpd -q
------

Thanks!

-- 
Kalle Hasselström, kalle@treskal.com
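
A time-limited variant of the /etc/allowftp switch from the message above, as an added example that is not part of the original post: the flag only counts if it was touched within the last hour, so a switch left on by mistake turns itself off. The 60-minute window, the `ftp_allowed` helper, the syslog tag and the use of `find -mmin` (GNU/BSD find, not POSIX) are assumptions; the two paths are the ones from the message.

```shell
#!/bin/sh
# Added example (not from the original message): /etc/allowftp switch with expiry.
FLAG=/etc/allowftp            # flag file from the message
REAL_FTPD=/usr/sbin/in.ftpd   # real daemon from the message
MAX_AGE_MIN=60                # assumption: how long one "touch" keeps ftp enabled

# ftp_allowed FLAGFILE MINUTES
# Succeeds only if FLAGFILE is a regular file, is not a symlink, and was
# modified less than MINUTES minutes ago.
ftp_allowed() {
    flag=$1
    max_age=$2
    [ -f "$flag" ] && [ ! -L "$flag" ] || return 1
    # find prints the path only when the mtime test matches.
    [ -n "$(find "$flag" -type f -mmin "-$max_age" 2>/dev/null)" ]
}

main() {
    if ftp_allowed "$FLAG" "$MAX_AGE_MIN"; then
        exec "$REAL_FTPD" "$@"
    fi
    # Under inetd, stdout/stderr are the client socket, so report via syslog
    # and exit silently; the client just sees the connection close.
    logger -p auth.notice -t in.ftpd-wrapper "refused: switch off or expired"
    exit 0
}

# Run only when installed under the wrapper's name (/usr/local/sbin/in.ftpd),
# so the function above can also be sourced and tested on its own.
case ${0##*/} in
    in.ftpd) main "$@" ;;
esac
```

Enable the service with `touch /etc/allowftp`; it switches off on its own once the window passes, or immediately with `rm /etc/allowftp`.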