improving xinetd in the ipv6 age, and interfacing with iptables/ipsets
Dave Taht
dave.taht at gmail.com
Tue Jan 28 13:32:13 EST 2014
as mentioned on this list a while back, it seems plausible to
protect a router and network a little better with network sensors,
and honeypot technologies, and still do so in a lightweight fashion.
And it seemed easy to make xinetd do just a little bit more
to share information about its problems with ipset and iptables.
I haven't had time to work on this. I got as far as adding parser support
to xinetd for a new "deny_server" argument and there it sat, waiting
for me to decode the internal list of dependencies required to fork a server,
and push info about the connection into env or the command line.
So I just pushed up what little I got up to github and perhaps some
other security minded individual will take the idea on. There's
a README and a notes.org added with where things are.
https://github.com/dtaht/xinetd-deny
If there is something better than xinetd (of near equivalent "weight")
for this sort of stuff, let me know.
but I'm back now to a different salt mine...
--
Dave Täht
Fixing bufferbloat with cerowrt: http://www.teklibre.com/cerowrt/subscribe.html
More information about the Bloat-devel
mailing list