Re: 11 years of inetd default insecurity?

[Dan Harkless <bugtraq () harkless org>]

On September 6, 2003, 3APA3A <3APA3A () SECURITY NNOV RU> wrote:
> II. Who is vulnerable
>
> Any system shipped with network daemons launched through inetd (FreeBSD,
> SuSE, Red Hat, etc.).
  ^^^^  ^^^ ^^^

On September 8, 2003, 3APA3A <3APA3A () SECURITY NNOV RU> wrote:
> IMHO  reasonable  behavior is limiting a number of requests accepted per
> second  without  disabling service. But this code became a kind of saint
> cow.  Only hope is young monsters like xinetd will rid this dinosaur off
> as a result of evolution.

Recent versions of Red Hat and SuSE default to installing xinetd, not
inetd.  xinetd offers this commandline option:

       -limit proc_limit
              This option places a limit on the number of concurrently running
              processes that can be started by xinetd.  Its purpose is to pre-
              vent process table overflows.

and the following xinetd.conf options:

       instances        determines  the number of servers that can be simulta-
                        neously active  for  a  service  (the  default  is  no
                        limit).  The  value  of this attribute can be either a
                        number or UNLIMITED  which  means  that  there  is  no
                        limit.

       per_source       Takes  an integer or "UNLIMITED" as an argument.  This
                        specifies the maximum instances of  this  service  per
                        source  IP address.  This can also be specified in the
                        defaults section.

       cps              Limits the rate of incoming  connections.   Takes  two
                        arguments.   The  first argument is the number of con-
                        nections per second to handle.  If the rate of  incom-
                        ing  connections is higher than this, the service will
                        be temporarily disabled.  The second argument  is  the
                        number  of seconds to wait before re-enabling the ser-
                        vice after it has been disabled.  The default for this
                        setting is 50 incoming connections and the interval is
                        10 seconds.

       max_load         Takes a floating point value as the load at which  the
                        service will stop accepting connections.  For example:
                        2 or 2.5.  The service will stop accepting connections
                        at  this  load.   This is the one minute load average.
                        This is an OS dependent feature,  and  currently  only
                        Linux,  Solaris,  and  FreeBSD are supported for this.
                        This feature is only avaliable if xinetd  was  config-
                        ured with the -with-loadavg option.

plus per-service rlimit_{as,cpu,data,rss,stack}.

--
Dan Harkless
bugtraq () harkless org
http://harkless.org/dan/