
What is the general rule for which daemons should be started up through inetd? Currently, on my server, sshd, apache and sendmail are set up to run all the time, where simple *NIX services are set up to be started by inetd.

I'm the only one who uses ssh on my computer, and break-in attempts aren't a problem because I have it running on a non-standard port, and my HTTP server gets maybe 5 hits a day that aren't GoogleBot.

My question is, what are the benefits vs. the performance hits associated with running a complex daemon like sshd or apache through a superserver daemon, and what, if any, successes or failures have you had running your own daemons in this manner?

amphetamachine
  • It should be pointed out that, while not an answer to your question, running `ssh` on a non-standard port does *not* assure any sort of security. In the IT world, this is called 'security through obscurity' and, in this case, is highly ineffective, because most bots will port-scan you in addition to brute-forcing ssh. Your best bet is to lock down ssh, make sure your user account is the only one with remote access, and use `public key authentication`. – cpbills May 29 '10 at 06:38
  • @cpbills - Did that already. Also, `PermitRootLogin no`. – amphetamachine Jun 13 '10 at 15:37
  • Then what does it matter if people attempt to log in? They won't get in. Unless it is so many that you're DoS'd. – cpbills Jun 13 '10 at 18:43

2 Answers

The situation is going to be a per-case circumstance. Generally speaking, unless you have a specific reason to run within a super server, it is best not to. Running within a super server adds additional overhead under high load, as every connection spawns a new process.

Apache is designed to be always running. It's threaded and intelligently manages system resources.

inetd and other super servers were originally better suited for daemons that did not have the ability to interact with sockets within their native code.

Warner

The complexity of the daemon is not really the issue. The frequency of use is. xinetd allows you to get increased logging and, depending on the configuration, an extra layer of security. All of the daemons you mentioned can be and are run under a super server in some configurations.

If you rarely use the daemon consider running it under the super server. This will allow you to reduce the number of daemons running and the resulting overhead.

inetd and xinetd have some very simple services built in. These services should be disabled unless needed. Other services don't have a daemon interface, so they must be run by a super server. Many services which have network daemon capabilities have flags which tell them they are running under inetd.

You should consider startup overhead and configuration stability before running daemons under a super server. A heavy startup overhead is one reason to run a rarely used service as a daemon. The services you listed are usually relatively heavily used when installed, so are run as daemons.

Apache is optimized to run as a daemon. If it is used much, it is best run as a daemon.

Mail servers generally fork a new server for each incoming call, which has low overhead on most OSs. If it isn't used as a mail hub or for delivery from remote sites, it shouldn't be listening on any address other than localhost. It doesn't need to do that unless you have programs running on the server which use TCP/IP to send email via localhost.

sshd has relatively low startup overhead, except for random data for encryption. It does require a fair bit of random data, which may not be readily available if run under a super server.

BillThor
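The mechanic both answers describe (the super server owns the listening socket and forks a new process for every connection, handing that process the client socket as its stdin/stdout/stderr) as an added Python example that is not from this thread: `spawn_service` is the inetd `wait = no` path, and `serve_one` drives it once over a socketpair so it runs offline. The served program `UPPER_ECHO` is a constructed stand-in run with `sys.executable`; the function names and port are the example's own, not inetd's or xinetd's.

```python
import os
import signal
import socket
import sys

# Constructed stand-in for a service with no socket code of its own: it only
# reads stdin and writes stdout, which is all a program run from inetd needs.
UPPER_ECHO = [sys.executable, "-c",
              "import sys; sys.stdout.write(sys.stdin.readline().upper())"]


def spawn_service(conn, argv):
    """Fork, make `conn` the child's fds 0/1/2, exec `argv`; return child pid."""
    # This fork+exec on every connection is the per-connection overhead the
    # answers describe: cheap for a rarely used service, costly for a busy one.
    pid = os.fork()
    if pid == 0:
        try:
            for fd in (0, 1, 2):
                os.dup2(conn.fileno(), fd)  # dup2 clears close-on-exec on 0/1/2
            os.execv(argv[0], argv)
        finally:
            os._exit(127)  # only reached if dup2 or exec failed
    conn.close()  # the super server keeps no handle on the client socket
    return pid


def serve_one(request, argv=UPPER_ECHO):
    """Push one request through spawn_service and return the service's reply."""
    # A socketpair stands in for an accepted TCP connection so this runs
    # offline; the child sees what it would see under inetd with `wait = no`.
    client, accepted = socket.socketpair()
    pid = spawn_service(accepted, argv)
    client.sendall(request)
    client.shutdown(socket.SHUT_WR)  # EOF on the service's stdin
    reply, chunk = b"", client.recv(4096)
    while chunk:
        reply, chunk = reply + chunk, client.recv(4096)
    client.close()
    _, status = os.waitpid(pid, 0)
    if not (os.WIFEXITED(status) and os.WEXITSTATUS(status) == 0):
        raise RuntimeError("service failed, wait status %d" % status)
    return reply


def serve_forever(port, argv=UPPER_ECHO):
    """Real super-server loop on 127.0.0.1:port (not exercised by the test)."""
    signal.signal(signal.SIGCHLD, signal.SIG_IGN)  # kernel reaps finished children
    with socket.socket() as lsock:
        lsock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        lsock.bind(("127.0.0.1", port))
        lsock.listen()
        while True:
            spawn_service(lsock.accept()[0], argv)
```

Each call to `serve_one` costs a full fork and interpreter start-up, which is the trade-off the answers weigh: acceptable for a service hit a few times a day, not for one handling constant traffic.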