Description of Problem:
If you use a common security notify script in hosts.allow/deny and enable linuxconf, it will crash xinetd after filling syslog and generating numerous emails for only one port connection, where it should have only sent one email.

How Reproducible:
This was tested against the latest version of xinetd as supplied by Red Hat errata. This was tested against the version of linuxconf as supplied for RH7.1 and against the official linuxconf release.

Enable linuxconf-web.
Configure network access in linuxconf (this really doesn't matter, you can declare the entire netblock or a single IP).
Restart xinetd.
Have the following scripts installed:

/etc/hosts:

    #
    # hosts.allow   This file describes the names of the hosts which are
    #               allowed to use the local INET services, as decided
    #               by the '/usr/sbin/tcpd' server.
    #
    ALL : 127.0.0.1
    ALL : 192.168.1. EXCEPT 192.168.1.1

(modify for local IP's)

/etc/hosts.deny

    ALL : ALL: spawn (echo Probe from %h to %d at `date` | tee -a /var/log/tcpdeny.log |mail -s IDS_alert! root|beep )

(Note: this is a commonly available security script, not of my own invention; a Google search will show roughly 78 pages/entries.) I only added the beep program.

e.g.: redhat-digest Digest V00 #679 22 Jun 2000 17:18:10 -0000

    "Date: Thu, 22 Jun 2000 12:03:36 -0400 (EDT)
    From: "Michael J. McGillick" <mike.mediaone.net>
    Subject: Re: ftp not working

    Scott:

    Add the following line to your /etc/hosts.deny file:

    ALL: ALL: spawn (echo "Access denied from %u@%h using %d." | mail root)

    This will mail the root account on your machine to let you know if a particular IP address tried to access one of the services on your machine, and they weren't listed in /etc/hosts.allow. This should help you track down if the problem is that you simply didn't add the machine you're trying to ftp in from to hosts.allow, or if the problem is not related to TCP wrappers, but something else.

    - Mike"

Steps to Reproduce:
1. Follow all the steps above
2. Run nmap -O against the test machine
3. Watch the bad stuff happen

Actual Results:
The system starts sending repeated email alerts even after nmap has finished, load average jumped to 7, linuxconf terminates, xinetd loops on the error and fills up the syslog. I still have to get the call trace that happened.

Expected Results:
This security script normally generates 1 email for each connection, not 1294 (the number that I got before I restarted xinetd).

Additional Information:
Normally when I run nmap against this system I get 4 (total) messages for telnet, pop3, ftp and imap. Xinetd is still not playing nice with linuxconf. While I understand that linuxconf is deprecated, it still was released as part of RH7.1.
System misconfiguration - make sure to limit the rates at which you get mailed.
I think it is a mistake to close this bug report. Setting /etc/hosts.deny to ALL : ALL generates about a screenful of errors. While not as traumatic as the mailer script, it still indicates that this is a bug.
A single request from an invalid location, a single TCP connection, generated 35 messages. For sure it is bogus. The whole point of this bug report is not about receiving one mail (or whatever) per rejected connection, but getting an enormous amount, for very few, ultimately confusing xinetd.
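One way to apply the "limit the rates at which you get mailed" advice from the thread, as an added example that is not part of the original report or of any Red Hat package: a notifier that logs every denied connection but mails at most once per client host per time window. The script path, state directory, and 300-second window are assumptions; this bounds the mail volume only and does not address the repeated spawn invocations discussed above.

```shell
#!/bin/sh
# Added example: rate-limited notifier for the hosts.deny spawn option.
# Hypothetical hosts.deny entry (the script path is an assumption):
#   ALL : ALL: spawn (/usr/local/sbin/tcpdeny-notify %h %d)
STATE_DIR="${STATE_DIR:-/var/run/tcpdeny}"    # one stamp file per client host
LOG_FILE="${LOG_FILE:-/var/log/tcpdeny.log}"
WINDOW="${WINDOW:-300}"                       # minimum seconds between mails per host
MAILER="${MAILER:-mail -s IDS_alert! root}"

# should_alert HOST NOW: exit 0 if a mail may be sent for HOST at epoch time NOW.
should_alert() {
    # HOST is supplied by the remote side; keep only filename-safe characters.
    key=$(printf '%s' "$1" | tr -c 'A-Za-z0-9.:_-' '_')
    stamp="$STATE_DIR/h_$key"
    mkdir -p "$STATE_DIR" || return 1
    last=0
    if [ -f "$stamp" ]; then last=$(cat "$stamp"); fi
    case "$last" in ''|*[!0-9]*) last=0 ;; esac    # treat a corrupt stamp as "never"
    if [ $(( $2 - $last )) -lt "$WINDOW" ]; then return 1; fi
    printf '%s\n' "$2" > "$stamp"
}

# notify_probe HOST DAEMON: log every denial, mail at most once per WINDOW.
notify_probe() {
    now=$(date +%s)
    msg="Probe from $1 to $2 at $(date)"
    printf '%s\n' "$msg" >> "$LOG_FILE"
    if should_alert "$1" "$now"; then
        printf '%s\n' "$msg" | $MAILER
    fi
}

# When run as a script with two arguments (%h %d), handle that one event.
if [ "$#" -eq 2 ]; then notify_probe "$1" "$2"; fi
```

With this in place, a burst of repeated invocations for one host still produces one log line each, so the anomaly stays visible in /var/log/tcpdeny.log, while root receives a single mail per window.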