Enhancing Security With xinetd

This section focuses on using xinetd to set a trap service and using it to control resource levels available to any given xinetd service. Setting resource limits for services can help thwart Denial of Service (DoS) attacks. Refer to the man pages for xinetd and xinetd.conf for a list of available options.

Setting a Trap

One important feature of xinetd is its ability to add hosts to a global no_access list. Hosts on this list are denied subsequent connections to services managed by xinetd for a specified period or until xinetd is restarted. You can do this using the SENSOR attribute. This is an easy way to block hosts attempting to scan the ports on the server.

The first step in setting up a SENSOR is to choose a service you do not plan on using. For this example, Telnet is used.

Edit the file /etc/xinetd.d/telnet and change the flags line to read:

flags           = SENSOR

Add the following line:

deny_time       = 30

This denies any further connection attempts to that port by that host for 30 minutes. Other acceptable values for the deny_time attribute are FOREVER, which keeps the ban in effect until xinetd is restarted, and NEVER, which allows the connection and logs it.

Finally, the last line should read:

disable         = no

This enables the trap itself.

While using SENSOR is a good way to detect and stop connections from undesirable hosts, it has two drawbacks:

It does not work against stealth scans.

An attacker who knows that a SENSOR is running can mount a Denial of Service attack against particular hosts by forging their IP addresses and connecting to the forbidden port.

Controlling Server Resources

Another important feature of xinetd is its ability to set resource limits for services under its control.

It does this using the following directives:

cps = <number_of_connections> <wait_period> - Limits the rate of incoming connections. This directive takes two arguments:

<number_of_connections> - The number of connections per second to handle. If the rate of incoming connections is higher than this, the service is temporarily disabled. The default value is fifty (50).

<wait_period> - The number of seconds to wait before re-enabling the service after it has been disabled. The default interval is ten (10) seconds.

instances = <number_of_connections> - Specifies the total number of connections allowed to a service. This directive accepts either an integer value or UNLIMITED.
per_source = <number_of_connections> - Specifies the number of connections allowed to a service by each host. This directive accepts either an integer value or UNLIMITED.
rlimit_as = <number[K|M]> - Specifies the amount of memory address space the service can occupy in kilobytes or megabytes. This directive accepts either an integer value or UNLIMITED.
rlimit_cpu = <number_of_seconds> - Specifies the amount of time in seconds that a service may occupy the CPU. This directive accepts either an integer value or UNLIMITED.

Using these directives can help prevent any single xinetd service from overwhelming the system, resulting in a denial of service.