From: David Lang <david@lang.hm>
To: Dave Taht <dave.taht@gmail.com>
Cc: "cerowrt-devel@lists.bufferbloat.net"
<cerowrt-devel@lists.bufferbloat.net>
Subject: Re: [Cerowrt-devel] improving security: xinetd
Date: Fri, 17 Jan 2014 15:24:02 -0800 (PST) [thread overview]
Message-ID: <alpine.DEB.2.02.1401171521330.9790@nftneq.ynat.uz> (raw)
In-Reply-To: <CAA93jw5MBwA0FAg4d0jT2Yg1z1Gyw=m+ydg8WhXnmGKgE1vTow@mail.gmail.com>
On Thu, 16 Jan 2014, Dave Taht wrote:
> in terms of a stable release, improving security some more has been
> weighing on my mind.
>
> One of the things cero does differently than openwrt
> is that it uses the xinetd daemon. It rather than having things like dropbear
> or rsync listening directly on ports, and specifically only allows access
> to certain services (like ssh) from certain ip addresses.
>
> There are also sensors for connection attempts via ftp or telnet that
> disable all services when someone accesses them, for 120 minutes by
> default.
this seems like something that's unreasonable to do on something exposed to the
Internet. There's a very real probability that this will result in you being
unable to access your router because it's always in this 'lockdown' mode. I
don't object to the capability being there, but I do object to it being on by
default, especially for such a long lockout period.
If you make the lockout per-IP then it may be reasonable, but this could result
in a lot of IPs in your block list.
David Lang
> See the /etc/xinetd.conf and /etc/xinetd.d dir for details
>
> However this layer of defense is incomplete as several processes, notably the
> configuration gui, upnp, and so on are separate daemons with their own
> access controls. Worse, many attacks nowadays come from the inside,
> and should be dealt with...
>
> Since we've been fiddling with ipsets on the bcp38 front it would be
> rather easy to hook up xinetd's mechanism with that to do the same
> blocking for *all* services from that specific IP. All it needs is a
> fork and exec in the sensor to run a script like this:
>
> #!/bin/sh
> # $1 = addr type (ipv4 or ipv6)
> # $2 = addr
> # $3 = timeout in seconds
>
> ipset add badboys-$1 $1 timeout $3
>
> ...
>
> and use the firewall rules to check that ipset for badboy IPs.
>
> the xinetd.org site is dead seemingly, but copies of the last release
> are widely available. Would probably be a very small patch if someone
> wants to
> take it on...
>
> is there anything else out there as tight and secure as xinetd for
> spawning network services or doing intrusion monitoring?
>
>
next prev parent reply other threads:[~2014-01-17 23:24 UTC|newest]
Thread overview: 3+ messages / expand[flat|nested] mbox.gz Atom feed top
2014-01-17 1:22 Dave Taht
2014-01-17 23:24 ` David Lang [this message]
2014-01-17 23:29 ` Dave Taht
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
List information: https://lists.bufferbloat.net/postorius/lists/cerowrt-devel.lists.bufferbloat.net/
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=alpine.DEB.2.02.1401171521330.9790@nftneq.ynat.uz \
--to=david@lang.hm \
--cc=cerowrt-devel@lists.bufferbloat.net \
--cc=dave.taht@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox