[clue-admin] More server security stuff

Jed S. Baer thag at frii.com
Sun Mar 27 14:15:50 MST 2005


On Sun, 27 Mar 2005 12:59:34 -0700
David Anselmi wrote:

> > I found no xinetd options which specifically limit, as Greg's quote
> > put it "consecutive connections per host".
> 
> That's what per_source does, doesn't it?

Hmmm, I don't think so. I was thinking of "connections" being synonymous
with "attempts", since I don't equate "connect" with "successful login".
The manpage sez: "maximum  instances of this service per source IP
address". But I read this as just an absolute limit. If it were otherwise,
i.e. consecutive connects, then (if my machine had a static IP address, or
a DHCP address which doesn't change) my 4th connect to the CLUE server
would just fail, until this parameter were reset.

> I guess that with the above you'll still see log entries.  I moved my 
> SSH servers off port 22 and they haven't been scanned since (Jafo's 
> idea, not mine).

I'd be happy with that, if the other admins are OK with it. Another
advantage of that is that we could then establish a "sensor" xinetd
service on port 22. Again, from the xinetd.conf manpage:

flags -> SENSOR: This replaces the service with a sensor that detects
accesses to the specified port. NOTE: It will NOT detect stealth scans.
This flag should be used only on services that you know you don't need.
When an access is made to this service's port, the IP Address is added to
a global no_access list. This causes all subsequent accesses from the
originating IP address to be denied access until the deny_time setting
expires. The amount of time spent on this list is configurable as the
deny_time attribute. The SENSOR flag will also cause xinetd to consider
the server attribute to be INTERNAL no matter what is typed on the same
line. Another important thing to remember is that if the socket_type is
set to stream, then the wait attribute should be set to no.

Also, a deny_time can be set to use with SENSOR, to limit the time the IP
address is banned.

jed
-- 
http://s88369986.onlinehome.us/freedomsight/
Key fingerprint = B027 FEFB 4281 CC72 67D1  4237 F2D0 D356 077A A30E
... it is poor civic hygiene to install technologies that could someday
facilitate a police state. -- Bruce Schneier
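What the sensor setup described in this thread looks like as an xinetd service definition. This is an added example, not part of the original post or of the CLUE server's configuration; the file path, the 60-minute deny_time and the port the real sshd is assumed to have moved to are assumptions, and the id and disable lines are standard xinetd attributes added for completeness.

```text
# /etc/xinetd.d/ssh-sensor  (assumed path; real sshd assumed moved off port 22,
# e.g. to port 2222 in sshd_config, so nothing legitimate should hit 22)
service ssh
{
    id          = ssh-sensor
    disable     = no
    # SENSOR: any connect to this port puts the source IP on the global
    # no_access list; the manpage notes it will NOT catch stealth scans.
    flags       = SENSOR
    # minutes the offending IP stays banned (FOREVER / NEVER also accepted)
    deny_time   = 60
    # socket_type = stream requires wait = no, per the manpage
    socket_type = stream
    wait        = no
    protocol    = tcp
    user        = nobody
    # SENSOR forces the server attribute to INTERNAL; this value is ignored
    server      = /bin/false
}
```

Because the ban is global, a legitimate admin who mistakenly connects to port 22 (say, with a stale ssh_config) will lock themselves out of every xinetd service on the box until deny_time expires, so keep deny_time short and keep a non-xinetd path (the relocated sshd or console) available.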
