DoS against wu-2.4.2-academ[BETA-18](1)
Since we are talking about DoS attacks (please forgive if this is known), have you ever tried to open a couple dozen TCP connections to wu.ftpd? Use telnet or nmap and connect to port 21 about 40 times or so. Goodbye wu!

You will see a message in your /var/log/warn that says: "inetd[127]: ftp/tcp server failing (looping), service terminated"

This works against all my SuSE 6.1 boxes.

-Dan
On Thu, Aug 19, 1999 at 02:29:40PM -0400, Shinton, Daniel J. wrote:
> Since we are talking about DoS attacks (please forgive if this is known), have you ever tried to open a couple dozen TCP connections to wu.ftpd?
> Use telnet or nmap and connect to port 21 about 40 times or so. Goodbye wu!
> You will see a message in your /var/log/warn that says: "inetd[127]: ftp/tcp server failing (looping), service terminated"
> This works against all my SuSE 6.1 boxes.
Not good... however, you might want to look into proftpd. It is much more secure and configurable. chroot is a treat and easy to configure... plus it works. I've been sleeping better since I installed it on all my critical, exposed, Internet servers, especially the virtual web domain server.

--
Brad Shelton
On Line Exchange
http://online-isp.com
Hi guys,

Is someone working on HOWTOs to set up a secure SuSE 6.x Linux firewall? It would be great to have these so that System Administrators could migrate some if not all of their firewall servers to Linux for inexpensive firewalling purposes. If there are documentations for this, can someone pls post the urls/links of the idiot-proof documentations?

Thank you.

--
Moonshi Mohsenruddin moonshi@linux.com.sg
Singapore icq:2595480 http://firewire.linux.com.sg

Member of Linux Users Group Singapore http://www.lugs.org.sg
Editor, Singapore Linux Portal http://www.linux.com.sg
On Thu, 19 Aug 1999, Shinton, Daniel J. wrote:
> You will see a message in your /var/log/warn that says: "inetd[127]: ftp/tcp server failing (looping), service terminated"
Hello Daniel, this is just a feature of inetd: it limits the forks of one service to 39! That's the reason for being able to steal a lot of resources only via ident, but NOT with the other services in inetd.conf.
> This works against all my SuSE 6.1 boxes.

Surely everywhere else too!!!

Cheers, Peter

BTW: I tested it too: about 250 or so in.identd started by user nobody, just until the fork-limit of the system is reached, but Mr. Root will always have some forks, to clean up...

--
URL: http://gmv.spm.univ-rennes1.fr/~peter/
Hello Peter, you wrote:
> You will see a message in your /var/log/warn that says: "inetd[127]: ftp/tcp server failing (looping), service terminated"

> this is just a feature of inetd: it limits the forks of one service to 39! That's the reason for being able to steal a lot of resources only via ident, but NOT with the other services in inetd.conf.

Why doesn't this affect in.identd?

    |-inetd---in.identd---43*[in.identd]
    |-sshd---sshd---bash-+-pstree
    |                    `-43*[telnet]

BTW: It doesn't work for wu.ftpd either:

    |-inetd-+-in.identd      <- BTW: lingering identd :)
    |       `-42*[wu.ftpd]
    |-sshd-+-sshd---bash-+-pstree
    |      |             `-42*[telnet]

Or am I getting it wrong?

My system: SuSE 6.0 with SuSE security updates (IIRC including wu.ftpd)

--
bye, Michael
On Thu, 19 Aug 1999, Michael Weiser wrote:
> this is just a feature of inetd: it limits the forks of one service to 39! That's the reason for being able to steal a lot of resources only via ident, but NOT with the other services in inetd.conf.
>
> Why doesn't this affect in.identd?
>
>     |-inetd---in.identd---43*[in.identd]

in.identd is a "wait" tcp service, so once the first connection is received, inetd passes off the socket to the newly spawned in.identd and worries no more about it until in.identd returns. The new in.identd, as said elsewhere on this list, handles this request and listens on the port for 120 more seconds, forking any amount of children as necessary to handle new requests (limited by standard settings on max number of processes, but not whatever settings inetd has).

>     |-sshd---sshd---bash-+-pstree
>     |                    `-43*[telnet]
>
> BTW: It doesn't work for wu.ftpd either:
>
>     |-inetd-+-in.identd      <- BTW: lingering identd :)
>     |       `-42*[wu.ftpd]

The limit of 40 processes is for within a 60 second period. Perhaps you spawned some of the telnets over more than that?

--
Erwin Andreasen, Herlev, Denmark <erw@dde.dk>
UNIX System Programmer <URL:http://www.andreasen.org>
(not speaking for) DDE
On Fri, 20 Aug 1999, Erwin S. Andreasen wrote:
> On Thu, 19 Aug 1999, Michael Weiser wrote:
>
> this is just a feature of inetd: it limits the forks of one service to 39! That's the reason for being able to steal a lot of resources only via ident, but NOT with the other services in inetd.conf.
>
> Why doesn't this affect in.identd?
>
>     |-inetd---in.identd---43*[in.identd]
>
> in.identd is a "wait" tcp service, so once the first connection is received, inetd passes off the socket to the newly spawned in.identd and worries no more about it until in.identd returns.

Indeed, and if you want identd to behave like the other services (as ftp), then choose in /etc/inetd.conf:

    ident stream tcp nowait nobody /usr/sbin/in.identd in.identd -i
                     ^^                                          ^^

Peter

--
URL: http://gmv.spm.univ-rennes1.fr/~peter/
Hello Peter and Erwin, you wrote:
> this is just a feature of inetd: it limits the forks of one service to 39! That's the reason for being able to steal a lot of resources only via ident, but NOT with the other services in inetd.conf.
>
> Why doesn't this affect in.identd?
>
>     |-inetd---in.identd---43*[in.identd]
>
> in.identd is a "wait" tcp service, so once the first connection is received, inetd passes off the socket to the newly spawned in.identd and worries no more about it until in.identd returns.
>
> Indeed, and if you want identd to behave like the other services (as ftp), then choose in /etc/inetd.conf:
>
>     ident stream tcp nowait nobody /usr/sbin/in.identd in.identd -i
>                      ^^                                          ^^

Okay, I think I got it. :) Thanks for your time and sorry for almost wasting it.

--
bye, Michael
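The behaviour the thread converges on (a per-service spawn counter over a 60 second window, and the wait/nowait difference) can be checked with a small model. This is an added example, not code from inetd or from any poster; the struct, the function names and the exact counter logic are assumptions built from the numbers quoted in the thread (40 spawns, 60 seconds, 39 successful forks).

```c
#include <stdio.h>

#define MAX_SPAWNS 40  /* thread: "limit of 40 processes" */
#define WINDOW_SEC 60  /* thread: "within a 60 second period" */

struct service {          /* hypothetical model, not inetd's own struct */
    int wait;             /* 1 = "wait" entry, 0 = "nowait" */
    int child_running;    /* wait only: child owns the listening socket */
    int count;            /* spawns counted in the current window */
    long window_start;    /* time of the first spawn in the window */
    int terminated;       /* limiter tripped, service switched off */
};

/* One incoming connection at time `now` (seconds).
 * Returns 1 if inetd forks a server, 0 if inetd does not act,
 * -1 if the limiter trips ("server failing (looping)"). */
int on_connection(struct service *s, long now) {
    if (s->terminated) return 0;
    if (s->wait && s->child_running) return 0; /* inetd is not listening */
    if (s->count++ == 0) {
        s->window_start = now;
    } else if (s->count >= MAX_SPAWNS) {
        if (now - s->window_start > WINDOW_SEC) {
            s->window_start = now;              /* window expired: restart */
            s->count = 1;
        } else {
            s->terminated = 1;
            return -1;
        }
    }
    if (s->wait) s->child_running = 1;
    return 1;
}

/* Replay n connections spaced gap seconds apart; return inetd's fork count. */
int replay(struct service *s, int n, long gap) {
    int forks = 0;
    for (int i = 0; i < n; i++)
        if (on_connection(s, (long)i * gap) == 1) forks++;
    return forks;
}

int main(void) {
    struct service burst = {0}, slow = {0}, ident = {1, 0, 0, 0, 0};
    printf("nowait, 42 conns in 42s: %d forks\n", replay(&burst, 42, 1));
    printf("nowait, 42 conns in 84s: %d forks\n", replay(&slow, 42, 2));
    printf("wait,   44 conns at once: %d fork\n", replay(&ident, 44, 0));
    return 0;
}
```

In the model, the burst case stops at 39 forks with the service switched off, the slower case reaches 42 forks as in Michael's pstree output, and the wait entry is forked once because every later connection is handled by in.identd itself, outside inetd's counter.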
participants (6)
- Brad Shelton
- Erwin S. Andreasen
- michael@weiser.saale-net.de
- Moonshi Mohsenruddin
- Peter Münster
- Shinton, Daniel J.