User guide
Securing Services With TCP Wrappers and xinetd
Edit the file /etc/xinetd.d/telnet and change the flags line to read:
flags = SENSOR
Add the following line:
deny_time = 30
This denies any further connection attempts to that port by that host for 30 minutes. Other acceptable
values for the deny_time attribute are FOREVER, which keeps the ban in effect until xinetd is
restarted, and NEVER, which allows the connection and logs it.
Finally, the last line should read:
disable = no
This enables the trap itself.
While using SENSOR is a good way to detect and stop connections from undesirable hosts, it has two
drawbacks:
• It does not work against stealth scans.
• An attacker who knows that a SENSOR is running can mount a Denial of Service attack against
particular hosts by forging their IP addresses and connecting to the forbidden port.
2.2.1.2.2. Controlling Server Resources
Another important feature of xinetd is its ability to set resource limits for services under its control.
It does this using the following directives:
• cps = <number_of_connections> <wait_period> — Limits the rate of incoming
connections. This directive takes two arguments:
    • <number_of_connections> — The number of connections per second to handle. If the rate of
    incoming connections is higher than this, the service is temporarily disabled. The default value is
    fifty (50).
    • <wait_period> — The number of seconds to wait before re-enabling the service after it has
    been disabled. The default interval is ten (10) seconds.
• instances = <number_of_connections> — Specifies the total number of connections
allowed to a service. This directive accepts either an integer value or UNLIMITED.
• per_source = <number_of_connections> — Specifies the number of connections allowed to
a service by each host. This directive accepts either an integer value or UNLIMITED.
• rlimit_as = <number[K|M]> — Specifies the amount of memory address space the service
can occupy in kilobytes or megabytes. This directive accepts either an integer value or UNLIMITED.
• rlimit_cpu = <number_of_seconds> — Specifies the amount of time in seconds that a
service may occupy the CPU. This directive accepts either an integer value or UNLIMITED.
Using these directives can help prevent any single xinetd service from overwhelming the system,
resulting in a denial of service.