Thread: inetd and restrictions based on IP

inetd and restrictions based on IP
United States
2007-02-10 09:46:35
The following is from FreeBSD's inetd(8) man page:

-C rate
        Specify the default maximum number of times a service can be
        invoked from a single IP address in one minute; the default is
        unlimited.  May be overridden on a per-service basis with the
        "max-connections-per-ip-per-minute" parameter.

-s maximum
        Specify the default maximum number of simultaneous invocations of
        each service from a single IP address; the default is unlimited.
        May be overridden on a per-service basis with the
        "max-child-per-ip" parameter.

Any objections to this being implemented/copied over to NetBSD? (I want to
ask before I work on it more. I can provide a patch here. Is this an okay
list for discussing this?)

I recall a PR about this, but can't find it now.

There are a few other ideas there too for setting max invocations in a
minute from the command line and max simultaneous of a service from the
command line.

This morning my inetd-managed mail retrieval was dead because of "max
spawn rate ... exceeded" because it was getting continually attacked. (I
stopped that with a -blackhole route.) Or if you have an easier or better
suggestion on keeping my inetd-based service available to me, please let
me know.

  Jeremy C. Reed

Re: inetd and restrictions based on IP
Germany
2007-02-10 11:12:34
On Sat, 10 Feb 2007, Jeremy C. Reed wrote:
> -C rate
>        Specify the default maximum number of times a service can be
>        invoked from a single IP address in one minute; the default is
>        unlimited.  May be overridden on a per-service basis with the
>        "max-connections-per-ip-per-minute" parameter.

From our inetd(8) manpage:

        ...
        The fields of the configuration file are as follows:

            [addr:]service-name
            socket-type
            protocol[,sndbuf=size][,rcvbuf=size]
            wait/nowait[:max]
                        ^^^
        ...

      The optional ``max'' suffix (separated from ``wait'' or ``nowait'' by a dot
      or a colon) specifies the maximum number of server instances that may be
      spawned from inetd within an interval of 60 seconds.  When omitted,
      ``max'' defaults to 40.


  - Hubert
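The difference between the two posts above is easiest to see in a small model. The following is an added example, not code from NetBSD's or FreeBSD's inetd: it simulates the accounting behind NetBSD's `wait/nowait[:max]` field (one spawn budget of 40 per 60 seconds shared by all peers) and FreeBSD's `-C rate` and `-s maximum` defaults (per-IP budgets). The class name, method names and the traffic scenario are constructed for the demonstration; the real daemon, once the global rate is exceeded, logs the message Jeremy quotes and takes the service offline for a retry interval, which this model reduces to refusing the connection.

```python
from collections import defaultdict, deque

WINDOW_SECONDS = 60  # inetd counts spawns over a 60-second interval


class SpawnLimiter:
    """Constructed model of inetd spawn accounting for one service.

    global_max   -> NetBSD wait/nowait[:max]: instances per 60 s, all peers
    per_ip_rate  -> FreeBSD -C rate / max-connections-per-ip-per-minute
    per_ip_child -> FreeBSD -s maximum / max-child-per-ip (simultaneous)
    None means unlimited, matching inetd's defaults for the per-IP knobs.
    """

    def __init__(self, global_max=40, per_ip_rate=None, per_ip_child=None):
        self.global_max = global_max
        self.per_ip_rate = per_ip_rate
        self.per_ip_child = per_ip_child
        self._global = deque()               # spawn timestamps, all peers
        self._per_ip = defaultdict(deque)    # ip -> spawn timestamps
        self._active = defaultdict(int)      # ip -> children still running

    @staticmethod
    def _expire(queue, now):
        # Drop spawns that fell out of the 60-second window.
        while queue and now - queue[0] >= WINDOW_SECONDS:
            queue.popleft()

    def connect(self, ip, now):
        """Decide whether a connection from ip at time now is served."""
        self._expire(self._global, now)
        self._expire(self._per_ip[ip], now)
        if self.per_ip_child is not None and self._active[ip] >= self.per_ip_child:
            return "refused:max-child-per-ip"
        if self.per_ip_rate is not None and len(self._per_ip[ip]) >= self.per_ip_rate:
            return "refused:per-ip-rate"
        if self.global_max is not None and len(self._global) >= self.global_max:
            # This is the "max spawn rate ... exceeded" condition.
            return "refused:max-spawn-rate"
        self._global.append(now)
        self._per_ip[ip].append(now)
        self._active[ip] += 1
        return "spawned"

    def child_exit(self, ip):
        """A server instance for ip finished; frees a max-child-per-ip slot."""
        if self._active[ip] > 0:
            self._active[ip] -= 1


def simulate(limiter, events):
    """Feed (time, ip) events through limiter; return ip -> list of verdicts."""
    verdicts = defaultdict(list)
    for now, ip in events:
        verdicts[ip].append(limiter.connect(ip, now))
    return dict(verdicts)


def demo():
    """Constructed scenario: one abusive peer opens 50 connections in 30 s,
    then the legitimate mail client connects once at t=45 s."""
    attacker = [(t * 0.6, "192.0.2.10") for t in range(50)]   # documentation range
    legit = [(45.0, "198.51.100.7")]                           # documentation range
    events = sorted(attacker + legit)
    # NetBSD-style: only the shared 40-per-minute budget.
    global_only = simulate(SpawnLimiter(global_max=40), events)
    # FreeBSD-style: same global budget plus a per-IP cap of 10 per minute.
    per_ip = simulate(SpawnLimiter(global_max=40, per_ip_rate=10), events)
    return global_only, per_ip


if __name__ == "__main__":
    g, p = demo()
    for label, result in (("global max only", g), ("with per-IP rate", p)):
        print(label)
        for ip, verdicts in result.items():
            print(f"  {ip}: spawned={verdicts.count('spawned')} "
                  f"refused={len(verdicts) - verdicts.count('spawned')}")
```

With only the shared budget the abusive address consumes all 40 spawns and the legitimate client at t=45 is refused, which is the outage Jeremy describes; with a per-IP rate the abuser is cut off after 10 and the legitimate client is served, while the global budget still bounds total load.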

Re: inetd and restrictions based on IP
United States
2007-02-10 11:23:53
On Sat, 10 Feb 2007, Hubert Feyrer wrote:

> > > From our inetd(8) manpage:

>            wait/nowait[:max]

I think all implementations of inetd have that feature and I have used it
for ten years.

I do not want to just raise that default.

I want to stop the abuse.

  Jeremy C. Reed

Re: inetd and restrictions based on IP
Germany
2007-02-10 11:39:09
On Sat, Feb 10, 2007 at 06:12:34PM +0100, Hubert Feyrer wrote:
> On Sat, 10 Feb 2007, Jeremy C. Reed wrote:
> >-C rate
> >       Specify the default maximum number of times a service can be
> >       invoked from a single IP address in one minute; the default is
> >       unlimited.  May be overridden on a per-service basis with the
> >       "max-connections-per-ip-per-minute" parameter.
> 
> From our inetd(8) manpage:
[..]
>      The optional ``max'' suffix (separated from ``wait'' or ``nowait'' by a
>      dot or a colon) specifies the maximum number of server instances that
>      may be spawned from inetd within an interval of 60 seconds.  When
>      omitted, ``max'' defaults to 40.

Jeremy is proposing a limit for a single IP and not for all IPs.

I would like to see the changes integrated.

Bernd


re: inetd and restrictions based on IP
Australia
2007-02-11 02:24:16
seems like a good idea.


.mrg.
