Re: 11 years of inetd default insecurity?
On September 6, 2003, 3APA3A <3APA3A@xxxxxxxxxxxxxxxx> wrote:
> II. Who is vulnerable
>
> Any system shipped with network daemons launched through inetd (FreeBSD,
> SuSE, Red Hat, etc.).
^^^^ ^^^ ^^^
On September 8, 2003, 3APA3A <3APA3A@xxxxxxxxxxxxxxxx> wrote:
> IMHO reasonable behavior is limiting a number of requests accepted per
> second without disabling service. But this code became a kind of saint
> cow. Only hope is young monsters like xinetd will rid this dinosaur off
> as a result of evolution.
Recent versions of Red Hat and SuSE default to installing xinetd, not
inetd. xinetd offers this commandline option:
-limit proc_limit
This option places a limit on the number of concurrently running
processes that can be started by xinetd. Its purpose is to pre-
vent process table overflows.
and the following xinetd.conf options:
instances determines the number of servers that can be simulta-
neously active for a service (the default is no
limit). The value of this attribute can be either a
number or UNLIMITED which means that there is no
limit.
per_source Takes an integer or "UNLIMITED" as an argument. This
specifies the maximum instances of this service per
source IP address. This can also be specified in the
defaults section.
cps Limits the rate of incoming connections. Takes two
arguments. The first argument is the number of con-
nections per second to handle. If the rate of incom-
ing connections is higher than this, the service will
be temporarily disabled. The second argument is the
number of seconds to wait before re-enabling the ser-
vice after it has been disabled. The default for this
setting is 50 incoming connections and the interval is
10 seconds.
max_load Takes a floating point value as the load at which the
service will stop accepting connections. For example:
2 or 2.5. The service will stop accepting connections
at this load. This is the one minute load average.
This is an OS dependent feature, and currently only
Linux, Solaris, and FreeBSD are supported for this.
This feature is only avaliable if xinetd was config-
ured with the -with-loadavg option.
plus per-service rlimit_{as,cpu,data,rss,stack}.
--
Dan Harkless
bugtraq@xxxxxxxxxxxx
http://harkless.org/dan/