tech-security archive


Re: inetd and libwrap



On Tue, 8 Jul 2008 15:30:34 +0200 (CEST)
Uwe Klaus <uklaus%hgb-leipzig.de@localhost> wrote:

> 
> Last week the pop3 service of our mail server running NetBSD 4.0
> was hit by a password guessing attack. The connection rate was so
> high that the service was disabled immediately.
> 
> Jul  4 18:19:28 mail inetd[14963]: pop3/tcp max spawn rate (200 in 60 
> seconds) exceeded; service not started
> 
> Since inetd was running with libwrap connection logging (-l) I
> added the attacker's IP address to /etc/hosts.deny and restarted
> the inetd daemon. But it didn't help. I saw in /var/log/authlog
> that connections were refused.
> 
> Jul  4 18:29:25 mail inetd[8924]: refused connection from
> xxx.xxx.xxx.xxx, service pop3 (tcp)
> 
> But after some seconds the pop3 service was down again.
> 
> Jul  4 18:29:28 mail inetd[9003]: pop3/tcp max spawn rate (200 in 60 
> seconds) exceeded; service not started
> 
> It seems that the connections refused by libwrap were also
> counted in the sense of maximum number of server instances that
> may be spawned from inetd within an interval of 60 seconds.
> 
> If so, libwrap is not useful to prevent DoS attacks.
> 
Adding sshguard to pkgsrc is on my to-do list... 



                --Steve Bellovin, http://www.cs.columbia.edu/~smb
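The accounting Uwe describes, as an added illustration that is not part of the thread and not inetd's or libwrap's source: a small model of the per-service spawn-rate counter, run once with the libwrap deny applied only after the counter has been charged (the behaviour the log lines show) and once with it applied before. The class and function names and the peer addresses are constructed for the example.

```python
from collections import deque

# Constructed model of inetd's per-service spawn-rate limit ("200 in 60
# seconds" in the log lines above) with the libwrap decision applied either
# after the counter has been charged (the reported behaviour) or before it.
# Added example code, not inetd's or libwrap's source.
SPAWN_LIMIT = 200   # inetd's default -R value, quoted in the log lines
INTERVAL = 60       # seconds

class Pop3Service:
    def __init__(self, hosts_deny, count_refused):
        self.hosts_deny = set(hosts_deny)    # peers listed in /etc/hosts.deny
        self.count_refused = count_refused   # True: refused peers still charged
        self.starts = deque()                # spawn timestamps inside INTERVAL
        self.disabled = False
        self.log = []

    def _charge(self, now):
        """Charge one spawn against the window; True if the limit was hit."""
        while self.starts and now - self.starts[0] > INTERVAL:
            self.starts.popleft()
        if len(self.starts) >= SPAWN_LIMIT:
            self.disabled = True
            self.log.append("pop3/tcp max spawn rate (%d in %d seconds) "
                            "exceeded; service not started" % (SPAWN_LIMIT, INTERVAL))
            return True
        self.starts.append(now)
        return False

    def connect(self, now, peer):
        if self.disabled:
            return "dropped"         # inetd no longer listens for pop3
        refused = peer in self.hosts_deny
        if (self.count_refused or not refused) and self._charge(now):
            return "disabled"
        if refused:
            self.log.append("refused connection from %s, service pop3 (tcp)" % peer)
            return "refused"
        return "served"

def simulate(count_refused, attempts=250):
    """Replay a denied host's burst, then one legitimate login attempt."""
    svc = Pop3Service(hosts_deny={"203.0.113.9"}, count_refused=count_refused)
    for i in range(attempts):                 # 250 attempts in 10 seconds
        svc.connect(now=i * 0.04, peer="203.0.113.9")
    outcome = svc.connect(now=12.0, peer="198.51.100.7")   # a real mail user
    return {"service_disabled": svc.disabled, "legit_user": outcome,
            "refused_logged": sum("refused" in e for e in svc.log)}
```

With `count_refused=True` the denied host alone trips the limit and the legitimate user is dropped; with the deny applied first the service stays up.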

