improving xinetd in the ipv6 age, and interfacing with iptables/ipsets

Dave Taht dave.taht at gmail.com
Tue Jan 28 13:32:13 EST 2014


as mentioned on this list a while back, it seems plausible to
protect a router and network a little better with network sensors,
and honeypot technologies, and still do so in a lightweight fashion.

And it seemed easy to make xinetd do just a little bit more
to share information about its problems with ipset and iptables.

I haven't had time to work on this. I got as far as adding parser support
to xinetd for a new "deny_server" argument and there it sat, waiting
for me to decode the internal list of dependencies required to fork a server,
and push info about the connection into env or the command line.

So I just pushed up what little I got up to github and perhaps some
other security minded individual will take the idea on. There's
a README and a notes.org added with where things are.

https://github.com/dtaht/xinetd-deny

If there is something better than xinetd (of near equivalent "weight")
for this sort of stuff, let me know.

but I'm back now to a different salt mine...






-- 
Dave Täht

Fixing bufferbloat with cerowrt: http://www.teklibre.com/cerowrt/subscribe.html



More information about the Bloat-devel mailing list