Chapter 5. Server Security
5.1.2.1. Setting a Trap
One important feature of xinetd is its ability to add hosts to a global no_access list. Hosts on this list are denied subsequent connections to services managed by xinetd for a specified length of time or until xinetd is restarted. This is accomplished using the SENSOR attribute. This technique is an easy way to block hosts attempting to port scan the server.
The first step in setting up a SENSOR is to choose a service you do not plan on using. For this example, Telnet will be used.
Edit the file /etc/xinetd.d/telnet and change the flags line to read:

  flags = SENSOR
Add the following line within the braces:

  deny_time = 30
This will deny the host that attempted to connect to the port for 30 minutes. Other acceptable values for the deny_time attribute are FOREVER, which keeps the ban in effect until xinetd is restarted, and NEVER, which allows the connection and logs it.
Finally, the last line should read:

  disable = no
While using SENSOR is a good way to detect and stop connections from nefarious hosts, it has two drawbacks:

- It will not work against stealth scans.
- An attacker who knows you are running SENSOR can mount a denial of service attack against particular hosts by forging their IP addresses and connecting to the forbidden port.
5.1.2.2. Controlling Server Resources
Another important feature of xinetd is its ability to control the amount of resources services under its control can utilize. It does this by way of the following directives:
  cps = number_of_connections wait_period
    Dictates the connections allowed to the service per second. This directive accepts only integer values.

  instances = number_of_connections
    Dictates the total number of connections allowed to a service. This directive accepts either an integer value or UNLIMITED.

  per_source = number_of_connections
    Dictates the connections allowed to a service by each host. This directive accepts either an integer value or UNLIMITED.

  rlimit_as = number[K|M]
    Dictates the amount of memory address space the service can occupy in kilobytes or megabytes. This directive accepts either an integer value or UNLIMITED.

  rlimit_cpu = number_of_seconds
    Dictates the amount of time in seconds that a service may occupy the CPU. This directive accepts either an integer value or UNLIMITED.
Using these directives can help prevent any one xinetd service from overwhelming the system, resulting in a denial of service.
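As an added example (not part of the guide), the following Python audit script ties together the two sections above: it parses service stanzas in /etc/xinetd.d syntax, reports which enabled services are SENSOR traps and what deny_time they carry, and lists which of the resource-control directives (cps, instances, per_source, rlimit_as, rlimit_cpu) each remaining service lacks. The configuration text is a constructed, stripped-down sample; the stanzas have only the attributes needed for the check.

```python
import re

# Constructed, minimal sample (not from the guide): a SENSOR trap, a limited service, an unlimited one.
SAMPLE_CONF = """
service telnet
{
    flags       = SENSOR
    deny_time   = 30
    disable     = no
}
service ftp
{
    instances   = 50
    per_source  = 10
    cps         = 25 30
    disable     = no
}
service finger
{
    disable     = no
}
"""
STANZA = re.compile(r"service\s+(\S+)\s*\{([^}]*)\}")
ASSIGN = re.compile(r"(\w+)\s*(\+=|-=|=)\s*(.*)")
LIMITS = ("cps", "instances", "per_source", "rlimit_as", "rlimit_cpu")

def parse_xinetd(text):
    """Return {service: {attribute: value}} for each 'service name { ... }' stanza."""
    services = {}
    for name, body in STANZA.findall(text):
        attrs = {}
        for line in body.splitlines():
            line = line.split("#", 1)[0].strip()   # drop comments and blank lines
            if m := ASSIGN.match(line):
                attrs[m.group(1)] = m.group(3).strip()
        services[name] = attrs
    return services

def audit(text):
    """Per enabled service: report a SENSOR trap (with its deny_time) or missing limits."""
    report = {}
    for name, attrs in parse_xinetd(text).items():
        if attrs.get("disable", "no").lower() == "yes":   # xinetd enables by default
            continue
        if "SENSOR" in attrs.get("flags", "").split():
            report[name] = "sensor trap, deny_time=" + attrs.get("deny_time", "UNSET")
        else:
            missing = [k for k in LIMITS if k not in attrs]
            report[name] = "missing limits: " + (", ".join(missing) or "none")
    return report
```

Running audit(SAMPLE_CONF) marks telnet as the trap with deny_time=30, flags ftp as lacking rlimit_as and rlimit_cpu, and flags finger as lacking all five directives; a trap with no deny_time is reported as UNSET so the administrator can confirm the intended ban length.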