Saturday, April 7, 2007

Use xinetd instead of inetd or TCP wrappers for access control and prevention of DoS attacks

xinetd stands for eXtended InterNET services Daemon. It is a secure replacement for inetd and is used to start programs that provide internet services. Rather than having these services up and running for anyone to use (or exploit!), the xinetd daemon listens on their ports and starts the appropriate service only when a request for it arrives. The advantages of using xinetd are that it (1) prevents unnecessary services from consuming resources when no one needs them, (2) provides access control to services, and (3) provides extensive logging capabilities.

Some of the capabilities of xinetd are listed below:
  • limits access according to time of day
  • prevents denial of service (DoS) attacks
  • improves security beyond inetd and beyond TCP wrappers (TCP wrappers can only see one connection at a time, so they cannot enforce limits across connections)
  • limits the size of log files, so others can't fill up your disk (a DoS attack)
  • binds services to a specific IP address (this is great for making services available to your private network and not the rest of the world)
  • may be used as a proxy to other systems (use it in combination with ip_masquerading or NAT to reach the internal network)
  • limits the rate of incoming connections, the number of connections from a specific host, or the total connections for a service
  • supports IPv6
  • can offload services to a remote host
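The following is an added example, not code from the original post or from the xinetd project. It embeds a constructed xinetd configuration (a `defaults` block plus a hardened `rsync` service and a bare `telnet` service), parses it with the `=`, `+=` and `-=` inheritance rules xinetd uses, and audits each service for the access-control and anti-DoS settings listed above: `only_from`/`no_access`, `cps`, `instances`, `per_source`, `bind`/`interface` and `log_on_failure`. The sample addresses, paths and thresholds are assumptions chosen for illustration; the audit rules are this example's own, not a list xinetd ships with.

```python
import re

# Constructed sample configuration (not from the page or from xinetd's own docs).
SAMPLE_CONFIG = """
defaults
{
    log_type        = SYSLOG daemon info
    log_on_failure  = HOST
    log_on_success  = PID HOST DURATION
    instances       = 50
    cps             = 25 30
}

service rsync
{
    disable         = no
    socket_type     = stream
    wait            = no
    user            = root
    server          = /usr/bin/rsync
    server_args     = --daemon
    bind            = 192.0.2.10        # private interface only (assumed address)
    only_from       = 192.0.2.0/24      # host-based access control
    access_times    = 08:00-18:00       # time-of-day restriction
    instances       = 10                # cap on simultaneous servers
    per_source      = 2                 # cap per client address
    cps             = 5 60              # 5 conn/s, then sleep 60 s
    log_on_failure  += USERID
}

service telnet
{
    disable         = no
    socket_type     = stream
    wait            = no
    user            = root
    server          = /usr/sbin/in.telnetd
}
"""

# A stanza is `defaults { ... }` or `service <name> { ... }`.
STANZA_RE = re.compile(r"(\w+)(?:[ \t]+(\S+))?\s*\{(.*?)\}", re.S)
# An attribute line is `key = value`, `key += value` or `key -= value`.
ATTR_RE = re.compile(r"^\s*(\w+)\s*(\+=|-=|=)\s*(.*?)\s*$")


def _parse_stanzas(text):
    """Yield (kind, name, [(key, op, value), ...]) for each stanza, ignoring # comments."""
    for m in STANZA_RE.finditer(text):
        kind, name, body = m.group(1), m.group(2), m.group(3)
        attrs = []
        for line in body.splitlines():
            am = ATTR_RE.match(line.split("#", 1)[0])
            if am:
                attrs.append((am.group(1), am.group(2), am.group(3)))
        yield kind, name, attrs


def _apply(effective, attrs):
    """Apply attribute operators onto a dict of key -> token list (xinetd semantics)."""
    for key, op, value in attrs:
        tokens = value.split()
        if op == "=":
            effective[key] = tokens
        elif op == "+=":
            effective[key] = effective.get(key, []) + tokens
        else:  # "-="
            effective[key] = [t for t in effective.get(key, []) if t not in tokens]
    return effective


def parse_xinetd(text):
    """Return (defaults, {service_name: effective_attrs}); defaults must precede services here."""
    defaults, services = {}, {}
    for kind, name, attrs in _parse_stanzas(text):
        if kind == "defaults":
            _apply(defaults, attrs)
        elif kind == "service" and name:
            services[name] = _apply(dict(defaults), attrs)
    return defaults, services


# Each check: the attribute names that satisfy it, and the finding if none is set.
CHECKS = [
    (("only_from", "no_access"), "no host-based access control (only_from/no_access)"),
    (("cps",), "no connection-rate limit (cps)"),
    (("instances",), "no cap on simultaneous server instances (instances)"),
    (("per_source",), "no per-client connection cap (per_source)"),
    (("bind", "interface"), "listens on every interface (bind/interface unset)"),
    (("log_on_failure",), "failed connection attempts are not logged (log_on_failure)"),
]


def audit_service(attrs):
    """Return a list of weaknesses for one enabled service's effective attributes."""
    if attrs.get("disable", ["no"])[0].lower() == "yes":
        return []  # disabled services are not exposed
    findings = [msg for keys, msg in CHECKS if not any(attrs.get(k) for k in keys)]
    if attrs.get("instances") == ["UNLIMITED"]:
        findings.append("instances = UNLIMITED removes the instance cap")
    return findings


def audit_config(text):
    """Map each service name to its list of findings (empty list means hardened)."""
    _, services = parse_xinetd(text)
    return {name: audit_service(attrs) for name, attrs in services.items()}


if __name__ == "__main__":
    for name, findings in audit_config(SAMPLE_CONFIG).items():
        print(f"{name}: {'OK' if not findings else ''}")
        for finding in findings:
            print(f"  - {finding}")
```

Run against the sample, `rsync` comes back clean while `telnet` inherits the rate limit, instance cap and failure logging from `defaults` but is still flagged for having no `only_from`, no `per_source` and no `bind`. Running the same audit over `/etc/xinetd.conf` together with the files under `/etc/xinetd.d/` gives a quick inventory of which services rely on the global defaults alone.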

Visit http://www.xinetd.org/ to download xinetd.
