NEOHAPSIS - Peace of Mind Through Integrity and Insight

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com

Neohapsis > Archives > Bugtraq> 2003-09

Re: 11 years of inetd default insecurity?

From: Dan Harkless (bugtraqharkless.org)
Date: Mon Sep 08 2003 - 18:24:39 CDT

Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On September 6, 2003, 3APA3A <3APA3ASECURITY.NNOV.RU> wrote:
> II. Who is vulnerable
>
> Any system shipped with network daemons launched through inetd (FreeBSD,
> SuSE, Red Hat, etc.).
^^^^ ^^^ ^^^

On September 8, 2003, 3APA3A <3APA3ASECURITY.NNOV.RU> wrote:
> IMHO reasonable behavior is limiting a number of requests accepted per
> second without disabling service. But this code became a kind of saint
> cow. Only hope is young monsters like xinetd will rid this dinosaur off
> as a result of evolution.

Recent versions of Red Hat and SuSE default to installing xinetd, not
inetd. xinetd offers this commandline option:

       -limit proc_limit
              This option places a limit on the number of concurrently running
              processes that can be started by xinetd. Its purpose is to pre-
              vent process table overflows.

and the following xinetd.conf options:

       instances determines the number of servers that can be simulta-
                        neously active for a service (the default is no
                        limit). The value of this attribute can be either a
                        number or UNLIMITED which means that there is no
                        limit.

       per_source Takes an integer or "UNLIMITED" as an argument. This
                        specifies the maximum instances of this service per
                        source IP address. This can also be specified in the
                        defaults section.

       cps Limits the rate of incoming connections. Takes two
                        arguments. The first argument is the number of con-
                        nections per second to handle. If the rate of incom-
                        ing connections is higher than this, the service will
                        be temporarily disabled. The second argument is the
                        number of seconds to wait before re-enabling the ser-
                        vice after it has been disabled. The default for this
                        setting is 50 incoming connections and the interval is
                        10 seconds.

       max_load Takes a floating point value as the load at which the
                        service will stop accepting connections. For example:
                        2 or 2.5. The service will stop accepting connections
                        at this load. This is the one minute load average.
                        This is an OS dependent feature, and currently only
                        Linux, Solaris, and FreeBSD are supported for this.
                        This feature is only avaliable if xinetd was config-
                        ured with the -with-loadavg option.

plus per-service rlimit_{as,cpu,data,rss,stack}.

--
Dan Harkless
bugtraqharkless.org
http://harkless.org/dan/

Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]