Bugtraq mailing list archives
Re: 11 years of inetd default insecurity?
From: Dan Harkless <bugtraq () harkless org>
Date: Mon, 08 Sep 2003 16:24:39 -0700
On September 6, 2003, 3APA3A <3APA3A () SECURITY NNOV RU> wrote:
II. Who is vulnerable Any system shipped with network daemons launched through inetd (FreeBSD, SuSE, Red Hat, etc.).
^^^^ ^^^ ^^^ On September 8, 2003, 3APA3A <3APA3A () SECURITY NNOV RU> wrote:
IMHO reasonable behavior is limiting a number of requests accepted per second without disabling service. But this code became a kind of saint cow. Only hope is young monsters like xinetd will rid this dinosaur off as a result of evolution.
Recent versions of Red Hat and SuSE default to installing xinetd, not inetd. xinetd offers this commandline option: -limit proc_limit This option places a limit on the number of concurrently running processes that can be started by xinetd. Its purpose is to pre- vent process table overflows. and the following xinetd.conf options: instances determines the number of servers that can be simulta- neously active for a service (the default is no limit). The value of this attribute can be either a number or UNLIMITED which means that there is no limit. per_source Takes an integer or "UNLIMITED" as an argument. This specifies the maximum instances of this service per source IP address. This can also be specified in the defaults section. cps Limits the rate of incoming connections. Takes two arguments. The first argument is the number of con- nections per second to handle. If the rate of incom- ing connections is higher than this, the service will be temporarily disabled. The second argument is the number of seconds to wait before re-enabling the ser- vice after it has been disabled. The default for this setting is 50 incoming connections and the interval is 10 seconds. max_load Takes a floating point value as the load at which the service will stop accepting connections. For example: 2 or 2.5. The service will stop accepting connections at this load. This is the one minute load average. This is an OS dependent feature, and currently only Linux, Solaris, and FreeBSD are supported for this. This feature is only avaliable if xinetd was config- ured with the -with-loadavg option. plus per-service rlimit_{as,cpu,data,rss,stack}. -- Dan Harkless bugtraq () harkless org http://harkless.org/dan/
Current thread:
- 11 years of inetd default insecurity? 3APA3A (Sep 06)
- Re: 11 years of inetd default insecurity? Thamer Al-Harbash (Sep 08)
- Re: 11 years of inetd default insecurity? Dan Stromberg (Sep 08)
- Re: 11 years of inetd default insecurity? Andres Kroonmaa (Sep 10)
- Re: 11 years of inetd default insecurity? Dan Stromberg (Sep 08)
- Re: 11 years of inetd default insecurity? Dagmar d'Surreal (Sep 08)
- Re: 11 years of inetd default insecurity? Mike Hoskins (Sep 09)
- Re: 11 years of inetd default insecurity? Mike Tancsa (Sep 08)
- Re: 11 years of inetd default insecurity? Jonathan A. Zdziarski (Sep 10)
- Re: 11 years of inetd default insecurity? Greg A. Woods (Sep 10)
- Re: 11 years of inetd default insecurity? Jonathan A. Zdziarski (Sep 10)
- Re: 11 years of inetd default insecurity? Dan Harkless (Sep 09)
- Re: 11 years of inetd default insecurity? Darren Pilgrim (Sep 09)
- <Possible follow-ups>
- Re: 11 years of inetd default insecurity? Paul Szabo (Sep 08)
- Re[2]: 11 years of inetd default insecurity? 3APA3A (Sep 08)
- Re: 11 years of inetd default insecurity? Lucas Holt (Sep 08)
- Re: Re[2]: 11 years of inetd default insecurity? Paul Szabo (Sep 08)
- Re[4]: 11 years of inetd default insecurity? 3APA3A (Sep 08)
- RE: 11 years of inetd default insecurity? bjornar.bjorgum.larsen (Sep 09)
- Re: 11 years of inetd default insecurity? Thamer Al-Harbash (Sep 08)