- Community Home
- >
- Servers and Operating Systems
- >
- Operating Systems
- >
- Operating System - Linux
- >
- Re: Setting instances and per_source to UNLIMITED ...
Operating System - Linux
1752716
Members
5659
Online
108789
Solutions
Forums
Categories
Company
Local Language
юдл
back
Forums
Discussions
Forums
- Data Protection and Retention
- Entry Storage Systems
- Legacy
- Midrange and Enterprise Storage
- Storage Networking
- HPE Nimble Storage
Discussions
Discussions
Discussions
Forums
Forums
Discussions
юдл
back
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
- BladeSystem Infrastructure and Application Solutions
- Appliance Servers
- Alpha Servers
- BackOffice Products
- Internet Products
- HPE 9000 and HPE e3000 Servers
- Networking
- Netservers
- Secure OS Software for Linux
- Server Management (Insight Manager 7)
- Windows Server 2003
- Operating System - Tru64 Unix
- ProLiant Deployment and Provisioning
- Linux-Based Community / Regional
- Microsoft System Center Integration
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Blogs
Information
Community
Resources
Community Language
Language
Forums
Blogs
Go to solution
Topic Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Printer Friendly Page
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
тАО11-19-2010 12:14 PM
тАО11-19-2010 12:14 PM
Setting instances and per_source to UNLIMITED in Linux, does it make system vulnerable to security attack???
RHEL 5.5 x86_64
/etc/xinetd.conf
instances = UNLIMITED (default is 50)
per_source = UNLIMITED (default is 10)
SLES 11 SP1 x86_64
/etc/xinetd.conf
instances = UNLIMITED (default is 30)
and by default per_source is not listed in the xinetd.conf file.
Thanks,
~Bish
RHEL 5.5 x86_64
/etc/xinetd.conf
instances = UNLIMITED (default is 50)
per_source = UNLIMITED (default is 10)
SLES 11 SP1 x86_64
/etc/xinetd.conf
instances = UNLIMITED (default is 30)
and by default per_source is not listed in the xinetd.conf file.
Thanks,
~Bish
Solved! Go to Solution.
6 REPLIES 6
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
тАО11-19-2010 02:19 PM
тАО11-19-2010 02:19 PM
Solution
Yes, it increases the vulnerability to denial-of-service attacks.
Think about what happens if a malicious person writes a program that rapidly opens e.g. 50 000 connections to one xinetd service. If the limits are set to UNLIMITED, then xinetd will dutifully try to start up 50 000 processes, one for each connection.
Your system will be *really* slow for a while; if the process table fills up, nobody will be able to log in and some important system daemons might crash. Not a good thing.
Resource limits like this exist to allow the system to gracefully reject attempts to overload it, instead of "going down fighting" trying to serve an impossible amount of requests.
MK
Think about what happens if a malicious person writes a program that rapidly opens e.g. 50 000 connections to one xinetd service. If the limits are set to UNLIMITED, then xinetd will dutifully try to start up 50 000 processes, one for each connection.
Your system will be *really* slow for a while; if the process table fills up, nobody will be able to log in and some important system daemons might crash. Not a good thing.
Resource limits like this exist to allow the system to gracefully reject attempts to overload it, instead of "going down fighting" trying to serve an impossible amount of requests.
MK
MK
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
тАО11-19-2010 03:13 PM
тАО11-19-2010 03:13 PM
Re: Setting instances and per_source to UNLIMITED in Linux, does it make system vulnerable
Thank You Matti.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
тАО11-19-2010 03:25 PM
тАО11-19-2010 03:25 PM
Re: Setting instances and per_source to UNLIMITED in Linux, does it make system vulnerable
Matti,
For RHEL instances and per_source both are defined (50 & 10 respectively) bug for SLES only instances is defined (30) that meas per_source is considered as UNLIMITED, isn't it.
Though it is again limited by total number of instances to 30. So having per_source = UNLIMITED or commenting it is not really a big problem as over all instances limited.
correct me if i am wrong please.
RHEL 5.5 x86_64
/etc/xinetd.conf
instances = UNLIMITED (default is 50)
per_source = UNLIMITED (default is 10)
SLES 11 SP1 x86_64
/etc/xinetd.conf
instances = UNLIMITED (default is 30)
And if the system is behind the firewall in production for the Backup (as Media Server), where backup need to be run as multiple streams of backup concurrently; what is your advice? Set to UNLIMITED or set it as per requirement?
Thanks,
~Bishwajit
For RHEL instances and per_source both are defined (50 & 10 respectively) bug for SLES only instances is defined (30) that meas per_source is considered as UNLIMITED, isn't it.
Though it is again limited by total number of instances to 30. So having per_source = UNLIMITED or commenting it is not really a big problem as over all instances limited.
correct me if i am wrong please.
RHEL 5.5 x86_64
/etc/xinetd.conf
instances = UNLIMITED (default is 50)
per_source = UNLIMITED (default is 10)
SLES 11 SP1 x86_64
/etc/xinetd.conf
instances = UNLIMITED (default is 30)
And if the system is behind the firewall in production for the Backup (as Media Server), where backup need to be run as multiple streams of backup concurrently; what is your advice? Set to UNLIMITED or set it as per requirement?
Thanks,
~Bishwajit
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
тАО11-19-2010 06:01 PM
тАО11-19-2010 06:01 PM
Re: Setting instances and per_source to UNLIMITED in Linux, does it make system vulnerable
>> hink about what happens if a malicious
>> person writes a program that rapidly opens
>> e.g. 50 000 connections to one xinetd
>> service. If the limits are set to UNLIMITED,
>> then xinetd will >>dutifully try to start
>> up 50 000 processes, one for each
>> connection.
A quick question?
To do so does that person has to have the root or any other user access or knowing an IP address of the system is enough to abuse UNLIMITED instances/per_source???
Please respond.
>> person writes a program that rapidly opens
>> e.g. 50 000 connections to one xinetd
>> service. If the limits are set to UNLIMITED,
>> then xinetd will >>dutifully try to start
>> up 50 000 processes, one for each
>> connection.
A quick question?
To do so does that person has to have the root or any other user access or knowing an IP address of the system is enough to abuse UNLIMITED instances/per_source???
Please respond.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
тАО11-20-2010 10:13 AM
тАО11-20-2010 10:13 AM
Re: Setting instances and per_source to UNLIMITED in Linux, does it make system vulnerable
You're correct about the difference between RHEL and SLES: I'd say RHEL's defaults allow for more legitimate uses in parallel, while placing a stricter limit against abuse than SLES. But both are good enough.
Of course, if you're setting up some service that will have more than about 30 simultaneous users, you'll have to change these settings... but xinetd allows you to change the settngs separately for each service, in the service definition files in /etc/xinetd.d/. The defaults are just a starting point: a safe limit for services you're just testing or otherwise haven't felt the need to define specific limits yet.
> And if the system is behind the firewall in production for the Backup (as Media Server), where backup need to be run as multiple streams of backup concurrently; what is your advice? Set to UNLIMITED or set it as per requirement?
I'd expect the presence of a firewall to mean that the risk of an external attack from the Internet is minimized/eliminated. So the limit would exist to protect against firewall misconfigurations, other mistakes and malicious internal users.
I'd find out a rough estimate of the number of connections the backup system needs (perhaps one stream for each filesystem on the host + a fixed number of control streams?), then multiply this limit by maybe 5x or 10x. That should leave plenty of room for capacity expansion, and yet provide reasonable protection against malice or malfunctioning software.
> To do so does that person has to have the root or any other user access or knowing an IP address of the system is enough to abuse UNLIMITED instances/per_source???
No account on the target system is needed. Xinetd does not do authentication at all: any authentication would be the responsibility of the service process started by xinetd. The abuser only requires the knowledge that an abusable port exists and the ability to reach it.
A requirement for authentication would not help; in a denial-of-service attack, the attacker is not interested in logging in or actually using the service in any way. The only objective is to make your system spend as much time as possible in processing nonsense requests.
MK
Of course, if you're setting up some service that will have more than about 30 simultaneous users, you'll have to change these settings... but xinetd allows you to change the settngs separately for each service, in the service definition files in /etc/xinetd.d/. The defaults are just a starting point: a safe limit for services you're just testing or otherwise haven't felt the need to define specific limits yet.
> And if the system is behind the firewall in production for the Backup (as Media Server), where backup need to be run as multiple streams of backup concurrently; what is your advice? Set to UNLIMITED or set it as per requirement?
I'd expect the presence of a firewall to mean that the risk of an external attack from the Internet is minimized/eliminated. So the limit would exist to protect against firewall misconfigurations, other mistakes and malicious internal users.
I'd find out a rough estimate of the number of connections the backup system needs (perhaps one stream for each filesystem on the host + a fixed number of control streams?), then multiply this limit by maybe 5x or 10x. That should leave plenty of room for capacity expansion, and yet provide reasonable protection against malice or malfunctioning software.
> To do so does that person has to have the root or any other user access or knowing an IP address of the system is enough to abuse UNLIMITED instances/per_source???
No account on the target system is needed. Xinetd does not do authentication at all: any authentication would be the responsibility of the service process started by xinetd. The abuser only requires the knowledge that an abusable port exists and the ability to reach it.
A requirement for authentication would not help; in a denial-of-service attack, the attacker is not interested in logging in or actually using the service in any way. The only objective is to make your system spend as much time as possible in processing nonsense requests.
MK
MK
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
тАО01-12-2011 02:59 PM
тАО01-12-2011 02:59 PM
Re: Setting instances and per_source to UNLIMITED in Linux, does it make system vulnerable
Thanks MK
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.
News and Events
Support
© Copyright 2024 Hewlett Packard Enterprise Development LP