xinetd
, a super server that provides additional access, logging, binding, redirection, and resource utilization control.
Note
xinetd
to create redundancy within service access controls. Refer to Section 3.7, “Using Firewalls” for more information about implementing firewalls with iptables commands.
hosts_options
man page for information about the TCP Wrapper functionality and control language.
banner
option.
vsftpd
. To begin, create a banner file. It can be anywhere on the system, but it must have same name as the daemon. For this example, the file is called /etc/banners/vsftpd
and contains the following line:
220-Hello, %c 220-All activity on ftp.example.com is logged. 220-Inappropriate use will result in your access privileges being removed.
%c
token supplies a variety of client information, such as the username and hostname, or the username and IP address to make the connection even more intimidating.
/etc/hosts.allow
file:
vsftpd : ALL : banners /etc/banners/
spawn
directive.
/etc/hosts.deny
file to deny any connection attempts from that network, and to log the attempts to a special file:
ALL : 206.182.68.0 : spawn /bin/ 'date' %c %d >> /var/log/intruder_alert
%d
token supplies the name of the service that the attacker was trying to access.
spawn
directive in the /etc/hosts.allow
file.
Note
spawn
directive executes any shell command, it is a good idea to create a special script to notify the administrator or execute a chain of commands in the event that a particular client attempts to connect to the server.
severity
option.
emerg
flag in the log files instead of the default flag, info
, and deny the connection.
/etc/hosts.deny
:
in.telnetd : ALL : severity emerg
authpriv
logging facility, but elevates the priority from the default value of info
to emerg
, which posts log messages directly to the console.
xinetd
to set a trap service and using it to control resource levels available to any given xinetd
service. Setting resource limits for services can help thwart Denial of Service (DoS) attacks. Refer to the man pages for xinetd
and xinetd.conf
for a list of available options.
xinetd
is its ability to add hosts to a global no_access
list. Hosts on this list are denied subsequent connections to services managed by xinetd
for a specified period or until xinetd
is restarted. You can do this using the SENSOR
attribute. This is an easy way to block hosts attempting to scan the ports on the server.
SENSOR
is to choose a service you do not plan on using. For this example, Telnet is used.
/etc/xinetd.d/telnet
and change the flags
line to read:
flags = SENSOR
deny_time = 30
deny_time
attribute are FOREVER, which keeps the ban in effect until xinetd
is restarted, and NEVER, which allows the connection and logs it.
disable = no
SENSOR
is a good way to detect and stop connections from undesirable hosts, it has two drawbacks:
SENSOR
is running can mount a Denial of Service attack against particular hosts by forging their IP addresses and connecting to the forbidden port.
xinetd
is its ability to set resource limits for services under its control.
cps = <number_of_connections> <wait_period>
— Limits the rate of incoming connections. This directive takes two arguments:
<number_of_connections>
— The number of connections per second to handle. If the rate of incoming connections is higher than this, the service is temporarily disabled. The default value is fifty (50).
<wait_period>
— The number of seconds to wait before re-enabling the service after it has been disabled. The default interval is ten (10) seconds.
instances = <number_of_connections>
— Specifies the total number of connections allowed to a service. This directive accepts either an integer value or UNLIMITED
.
per_source = <number_of_connections>
— Specifies the number of connections allowed to a service by each host. This directive accepts either an integer value or UNLIMITED
.
rlimit_as = <number[K|M]>
— Specifies the amount of memory address space the service can occupy in kilobytes or megabytes. This directive accepts either an integer value or UNLIMITED
.
rlimit_cpu = <number_of_seconds>
— Specifies the amount of time in seconds that a service may occupy the CPU. This directive accepts either an integer value or UNLIMITED
.
xinetd
service from overwhelming the system, resulting in a denial of service.