>Date: Tue, 27 Feb 2001 09:55:49 -0800
>From: Kevin Sindhu <kevin@tgivan.com>
>Reply-To: kevin@tgivan.com
>To: OpenBSD Misc <misc@openbsd.org>
>CC: Charles Mendoza <prdtramx@usa.net>,
> "Dennis S. Breckenridge" <dennis.breckenridge@pop-star.net>,
> John Henders <jhenders@bogon.com>, Laird <laird@pop-star.net>,
> Michael Zieger <m.zieger@zmi.at>, Stephen Rasku <rc5tv@home.com>
>Subject: Security(DoS) Problems with Inetd
>
>Many of you already know this from a posting(s) on either bugtrack or on
>NetBSD-users@. Attached with this mail is an exploit (DoS), that kills
>inetd processes. I have been able to reproduce this on:
>
>o OpenBSD 2.8-current
>o NetBSD 1.5-current
>o Solaris 2.7(SPARC and x86)
>o Linux 2.2.17 (Slackware 7.1)
>
>Specifically, as I was told, this is a problem in the way inetd was
>coded and I think Compaq has already issued a Warning for Tru64.
>
>The error logs on my OpenBSD box are:
>Feb 26 23:45:08 satan inetd[23383]: ftp/tcp server failing (looping),
>service terminated
>
>The service does come back on after 10 minutes. So this, though not fatal, can
>cause some grief on some production networks.
>
>So, basically *any* service you run out of inetd is vulnerable.
>
>The workaround(s) for the moment (for my network) are:
>
>o Take out ftpd from inetd and run it as a daemon
>
>This is the fastest way I can keep it up without disruptions.
>
>o Implement xinetd
>
>I have been very impressed by its features.
>
>Looking at solutions, and talking to many people, some of the ideas are:
>
>o Use ipf to block certain hosts connecting to us in x time..
>
>I am thinking, a shell script running out of cron which is simply an
>awk/perl script that parses ipflog etc. and implements real-time ipf
>rules.. I am still open to ideas
>
>o Any suggestions, that you may have
>
>
>PS - For those who read this email and send me a one line reply that,
>"It's not enabled by default", therefore it's not a bug, please do *not*
>do so. I know what is enabled by default and what isn't. And not enabled
>by default *does not* mean it's not implemented in the real world..
>
>Looking forward to seeing your opinion(s), flame(s), suggestion(s) on this.
There are several replacements for inetd. I use Dan Bernstein's
software for running tcp-based services on my OpenBSD boxes.
Installing it couldn't be easier. It's all there in the ports as:
/usr/ports/net/ucspi-tcp
Also consider installing:
/usr/ports/sysutils/daemontools
as it too is very useful.
Documentation can be found at:
ftp://koobera.math.uic.edu/www/software.html
(I also use Dan's dnscache and cdb software and find it all works
very well. However this is outside the scope of the original
question.)
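A defender-side companion to the cron/awk idea in the quoted mail, added here as an example and not taken from the thread: it scans syslog text for the exact inetd message quoted above and reports which services inetd has shut down, so an operator can alert on the outage rather than notice it when the service comes back ten minutes later. The log lines, hostname and PIDs are constructed; only the inetd message format comes from the mail.

```python
import re
from collections import Counter

# Message text taken from the mail; the rest of the pattern is the usual
# BSD syslog prefix (timestamp, host, program[pid]).
INETD_LOOP_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"inetd\[(?P<pid>\d+)\]: (?P<service>\S+) server failing \(looping\), "
    r"service terminated$"
)

# Constructed sample input: the hostname and PIDs are made up, the inetd lines
# mimic the message quoted in the mail, the other lines are unrelated noise.
SAMPLE_LOG = """\
Feb 26 23:45:01 satan sshd[1201]: Accepted publickey for alice from 192.0.2.7
Feb 26 23:45:08 satan inetd[23383]: ftp/tcp server failing (looping), service terminated
Feb 26 23:45:09 satan cron[1300]: (root) CMD (/usr/libexec/atrun)
Feb 26 23:46:02 satan inetd[23383]: telnet/tcp server failing (looping), service terminated
Feb 26 23:55:08 satan inetd[23383]: ftp/tcp server failing (looping), service terminated
"""


def find_terminated_services(log_text):
    """Return (timestamp, host, service) for every inetd 'failing (looping)'
    message in log_text, in file order."""
    events = []
    for line in log_text.splitlines():
        m = INETD_LOOP_RE.match(line)
        if m:
            events.append((m.group("ts"), m.group("host"), m.group("service")))
    return events


def count_by_service(events):
    """Count terminations per service; a repeat means inetd re-enabled the
    service after its back-off and it was knocked out again."""
    return Counter(service for _, _, service in events)


def services_needing_attention(log_text):
    """Sorted list of services inetd has shut down at least once, i.e. the
    ones to alert on or to move out of inetd into a standalone daemon."""
    return sorted(count_by_service(find_terminated_services(log_text)))


if __name__ == "__main__":
    for ts, host, service in find_terminated_services(SAMPLE_LOG):
        print(f"{ts} {host}: inetd terminated {service}")
    print("services to check:", services_needing_attention(SAMPLE_LOG))
```

Run it from cron against /var/log/daemon (or wherever syslog sends inetd's messages) and page on a non-empty result.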