[31501] in bugtraq
Re: 11 years of inetd default insecurity?
daemon@ATHENA.MIT.EDU (Mike Hoskins)
Tue Sep 9 15:11:39 2003
Date: Mon, 8 Sep 2003 15:46:37 -0700 (PDT)
From: Mike Hoskins <mike@adept.org>
To: bugtraq@securityfocus.com
In-Reply-To: <1062971991.411.31.camel@lanshark.kung.foo>
Message-ID: <20030908153736.M64137@fubar.adept.org>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
On Sun, 7 Sep 2003, Dagmar d'Surreal wrote:
> I see... So you feel it's better to simply dare an attacker to try to
> invoke three hundred bajillion copies of say, fingerd. How novel. I
> can only hope the majority on the list realize why following your
> suggestion is very bad.
luckily, i think anyone that actually reads the entire man page would
understand that. ;) from FreeBSD's inetd(8),
"
-c maximum
Specify the default maximum number of simultaneous invocations of
each service; the default is unlimited. May be overridden on a
per-service basis with the "max-child" parameter.
-C rate
Specify the default maximum number of times a service can be
invoked from a single IP address in one minute; the default is
unlimited. May be overridden on a per-service basis with the
"max-connections-per-ip-per-minute" parameter.
-R rate
Specify the maximum number of times a service can be invoked in
one minute; the default is 256. A rate of 0 allows an unlimited
number of invocations.
-s maximum
Specify the default maximum number of simultaneous invocations of
each service from a single IP address; the default is unlimited.
May be overridden on a per-service basis with the "max-child-per-
ip" parameter.
"
so there are much better ways to address the problem in modern inetds.
also, OS' i use make installing inetd at all optional. furthermore, many
Linux' i'm familiar with make xinetd the default... so this is anything
but 'default insecurity'.
-mrh
--
From: "Spam Catcher" <spam-catcher@adept.org>
To: spam-catcher@adept.org
Do NOT send email to the address listed above or
you will be added to a blacklist!
