Date: Mon, 8 Sep 2003 15:46:37 -0700 (PDT)
From: Mike Hoskins <mike@...pt.org>
To: bugtraq@...urityfocus.com
Subject: Re: 11 years of inetd default insecurity?


On Sun, 7 Sep 2003, Dagmar d'Surreal wrote:
> I see...  So you feel it's better to simply dare an attacker to try to
> invoke three hundred bajillion copies of say, fingerd.  How novel.  I
> can only hope the majority on the list realize why following your
> suggestion is very bad.

Luckily, I think anyone who actually reads the entire man page would
understand that.  ;)  From FreeBSD's inetd(8),

"
-c maximum
        Specify the default maximum number of simultaneous invocations of
        each service; the default is unlimited.  May be overridden on a
        per-service basis with the "max-child" parameter.
-C rate
        Specify the default maximum number of times a service can be
        invoked from a single IP address in one minute; the default is
        unlimited.  May be overridden on a per-service basis with the
        "max-connections-per-ip-per-minute" parameter.
-R rate
        Specify the maximum number of times a service can be invoked in
        one minute; the default is 256.  A rate of 0 allows an unlimited
        number of invocations.
-s maximum
        Specify the default maximum number of simultaneous invocations of
        each service from a single IP address; the default is unlimited.
        May be overridden on a per-service basis with the "max-child-per-
        ip" parameter.
"

So there are much better ways to address the problem in modern inetds.
Also, the OSes I use make installing inetd at all optional.  Furthermore, many
Linux distributions I'm familiar with make xinetd the default...  so this is anything
but 'default insecurity'.

-mrh

--
From: "Spam Catcher" <spam-catcher@...pt.org>
To: spam-catcher@...pt.org
Do NOT send email to the address listed above or
you will be added to a blacklist!
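An added example, not from the message or from inetd's own source: a toy admission check modelling the four limits the quoted inetd(8) excerpt describes (-c/max-child, -s/max-child-per-ip, -R rate, -C max-connections-per-ip-per-minute). The order in which the limits are tested, the addresses and the timestamps are constructed assumptions.

```python
from collections import defaultdict, deque

UNLIMITED = 0  # inetd treats 0 / "unlimited" as no cap


class ServiceLimiter:
    def __init__(self, max_child=UNLIMITED, max_child_per_ip=UNLIMITED,
                 rate=256, rate_per_ip=UNLIMITED):
        self.max_child = max_child                # -c / max-child
        self.max_child_per_ip = max_child_per_ip  # -s / max-child-per-ip
        self.rate = rate                          # -R: invocations per minute, all clients
        self.rate_per_ip = rate_per_ip            # -C: invocations per minute per source IP
        self.children = defaultdict(int)          # ip -> currently running children
        self.starts = deque()                     # timestamps of recent invocations
        self.ip_starts = defaultdict(deque)       # ip -> timestamps of its invocations

    @staticmethod
    def _prune(q, now):
        while q and now - q[0] >= 60:             # drop entries outside the one-minute window
            q.popleft()

    def connect(self, ip, now):
        """Return None if the invocation is allowed, else the name of the limit hit."""
        self._prune(self.starts, now)
        self._prune(self.ip_starts[ip], now)
        if self.max_child and sum(self.children.values()) >= self.max_child:
            return "max-child"
        if self.max_child_per_ip and self.children[ip] >= self.max_child_per_ip:
            return "max-child-per-ip"
        if self.rate and len(self.starts) >= self.rate:
            return "rate"
        if self.rate_per_ip and len(self.ip_starts[ip]) >= self.rate_per_ip:
            return "max-connections-per-ip-per-minute"
        self.children[ip] += 1
        self.starts.append(now)
        self.ip_starts[ip].append(now)
        return None

    def child_exit(self, ip):
        self.children[ip] -= 1


def run_scenario():
    # Constructed burst: 10.0.0.5 opens three connections, 10.0.0.9 one, then 10.0.0.5 retries.
    lim = ServiceLimiter(max_child=3, max_child_per_ip=2, rate=256, rate_per_ip=2)
    events = [("10.0.0.5", 0), ("10.0.0.5", 1), ("10.0.0.5", 2), ("10.0.0.9", 3)]
    decisions = [lim.connect(ip, t) for ip, t in events]
    lim.child_exit("10.0.0.5")                     # one child finishes
    decisions.append(lim.connect("10.0.0.5", 10))  # still over its per-minute rate
    decisions.append(lim.connect("10.0.0.5", 61))  # minute window has rolled over
    return decisions
```

The third, fifth and sixth decisions show the difference between a concurrency cap (refused while children are still running) and a rate cap (refused until the minute window rolls over).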

