From: Dave Taht <dave.taht@gmail.com>
To: "cerowrt-devel@lists.bufferbloat.net"
<cerowrt-devel@lists.bufferbloat.net>
Subject: [Cerowrt-devel] improving security: xinetd
Date: Thu, 16 Jan 2014 20:22:07 -0500 [thread overview]
Message-ID: <CAA93jw5MBwA0FAg4d0jT2Yg1z1Gyw=m+ydg8WhXnmGKgE1vTow@mail.gmail.com> (raw)
in terms of a stable release, improving security some more has been
weighing on my mind.
One of the things cero does differently than openwrt
is that it uses the xinetd daemon. It rather than having things like dropbear
or rsync listening directly on ports, and specifically only allows access
to certain services (like ssh) from certain ip addresses.
There are also sensors for connection attempts via ftp or telnet that
disable all services when someone accesses them, for 120 minutes by
default.
See the /etc/xinetd.conf and /etc/xinetd.d dir for details
However this layer of defense is incomplete as several processes, notably the
configuration gui, upnp, and so on are separate daemons with their own
access controls. Worse, many attacks nowadays come from the inside,
and should be dealt with...
Since we've been fiddling with ipsets on the bcp38 front it would be
rather easy to hook up xinetd's mechanism with that to do the same
blocking for *all* services from that specific IP. All it needs is a
fork and exec in the sensor to run a script like this:
#!/bin/sh
# $1 = addr type (ipv4 or ipv6)
# $2 = addr
# $3 = timeout in seconds
ipset add badboys-$1 $1 timeout $3
...
and use the firewall rules to check that ipset for badboy IPs.
the xinetd.org site is dead seemingly, but copies of the last release
are widely available. Would probably be a very small patch if someone
wants to
take it on...
is there anything else out there as tight and secure as xinetd for
spawning network services or doing intrusion monitoring?
--
Dave Täht
Fixing bufferbloat with cerowrt: http://www.teklibre.com/cerowrt/subscribe.html
next reply other threads:[~2014-01-17 1:22 UTC|newest]
Thread overview: 3+ messages / expand[flat|nested] mbox.gz Atom feed top
2014-01-17 1:22 Dave Taht [this message]
2014-01-17 23:24 ` David Lang
2014-01-17 23:29 ` Dave Taht
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
List information: https://lists.bufferbloat.net/postorius/lists/cerowrt-devel.lists.bufferbloat.net/
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to='CAA93jw5MBwA0FAg4d0jT2Yg1z1Gyw=m+ydg8WhXnmGKgE1vTow@mail.gmail.com' \
--to=dave.taht@gmail.com \
--cc=cerowrt-devel@lists.bufferbloat.net \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox