tech-security archive


inetd and libwrap




Last week the pop3 service of our mail server running NetBSD 4.0
was hit by a password guessing attack. The connection rate was so
high that the service was disabled immediately.

Jul 4 18:19:28 mail inetd[14963]: pop3/tcp max spawn rate (200 in 60 seconds) exceeded; service not started

Since inetd was running with libwrap connection logging (-l) I
added the attacker's IP address to /etc/hosts.deny and restarted
the inetd daemon. But it didn't help. I saw in /var/log/authlog
that connections were refused.

Jul 4 18:29:25 mail inetd[8924]: refused connection from xxx.xxx.xxx.xxx, service pop3 (tcp)

But after some seconds the pop3 service was down again.

Jul 4 18:29:28 mail inetd[9003]: pop3/tcp max spawn rate (200 in 60 seconds) exceeded; service not started

It seems that the connections refused by libwrap were also
counted in the sense of the maximum number of server instances that
may be spawned from inetd within an interval of 60 seconds.

If so, libwrap is not useful to prevent DoS attacks.

Best regards,
Uwe


