Re: inetd and libwrap

To: Uwe Klaus <uklaus%hgb-leipzig.de@localhost>
Subject: Re: inetd and libwrap
From: "Steven M. Bellovin" <smb%cs.columbia.edu@localhost>
Date: Tue, 8 Jul 2008 10:16:14 -0400

On Tue, 8 Jul 2008 15:30:34 +0200 (CEST)
Uwe Klaus <uklaus%hgb-leipzig.de@localhost> wrote:

> 
> Last week the pop3 service of our mail server running NetBSD 4.0
> was hit by a password guessing attack. The connection rate was so
> high that the service was disabled immediately.
> 
> Jul  4 18:19:28 mail inetd[14963]: pop3/tcp max spawn rate (200 in 60 
> seconds) exceeded; service not started
> 
> Since inetd was running with libwrap connection logging (-l) I
> added the attackers ip address to /etc/hosts.deny and restarted
> the inetd daemon. But it didn't help. I saw in /var/log/authlog
> that connections were refused.
> 
> Jul  4 18:29:25 mail inetd[8924]: refused connection from
> xxx.xxx.xxx.xxx, service pop3 (tcp)
> 
> But after some seconds the pop3 service was down again.
> 
> Jul  4 18:29:28 mail inetd[9003]: pop3/tcp max spawn rate (200 in 60 
> seconds) exceeded; service not started
> 
> It seems the that the connections refused by libwrap were also
> counted in the sense of maximum number of server instances that
> may be spawned from inetd within an interval of 60 seconds.
> 
> If so libwrap is not usefull to prevent dos attacks.
> 
Adding sshguard to pkgsrc is on my to-do list... 



                --Steve Bellovin, http://www.cs.columbia.edu/~smb

Follow-Ups:
- Re: inetd and libwrap
  - From: Jeremy C. Reed

References:
- inetd and libwrap
  - From: Uwe Klaus

Prev by Date: inetd and libwrap
Next by Date: Re: inetd and libwrap
Previous by Thread: inetd and libwrap
Next by Thread: Re: inetd and libwrap
Indexes:

Home | Main Index | Thread Index | Old Index