Description of Problem:
We use a per_source configuration value in our wu-ftpd config file for xinetd. We're trying to prevent denial of service attacks, but we have evidence in our logs that a single source IP address can get logged in more times than our configuration says they should. The result is the service is shut down due to excessive connections, and we get paged because our FTP service is down.

Version-Release number of selected component (if applicable):
xinetd-2.3.3-1

How Reproducible:

Steps to Reproduce:
1.
2.
3.

Actual Results:

Expected Results:

Additional Information:

    # default: on
    # description: The wu-ftpd FTP server serves FTP connections. It uses \
    #              normal, unencrypted usernames and passwords for authentication.
    service ftp
    {
        disable         = no
        instances       = 25
        socket_type     = stream
        wait            = no
        user            = root
        server          = /usr/sbin/in.ftpd
        server_args     = -l -a
        log_on_success  += DURATION
        nice            = 10
        per_souce       = 3
    }
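A static check for stanzas like the one above, added here as an example and not part of the bug report or of xinetd itself. It parses xinetd.conf service blocks, flags attribute names xinetd does not recognize (the attribute that caps connections from one address is spelled per_source; the stanza quoted above writes per_souce, which this check reports), and warns when no per-source cap is in effect or the cap can never bind because it exceeds instances. The KNOWN_ATTRIBUTES set is a partial list assumed for this check; the two sample stanzas are constructed from the report.

```python
"""Sanity-check xinetd service stanzas for misspelled attributes and
ineffective connection limits. Added example; not xinetd code."""
import re

# Partial set of attribute names accepted in an xinetd service stanza.
# Assumption for this check: it is not the complete list xinetd knows.
KNOWN_ATTRIBUTES = {
    "disable", "id", "type", "flags", "socket_type", "protocol", "wait",
    "user", "group", "server", "server_args", "instances", "per_source",
    "cps", "nice", "only_from", "no_access", "access_times", "log_type",
    "log_on_success", "log_on_failure", "port", "bind", "interface",
    "banner", "max_load", "env", "passenv", "groups",
}

STANZA_RE = re.compile(r"service\s+(\S+)\s*\{(.*?)\}", re.S)
# attribute, operator (=, += or -=), value
ATTR_RE = re.compile(r"^\s*(\w+)\s*(\+=|-=|=)\s*(.*?)\s*$")


def parse_services(text):
    """Return {service_name: {attribute: value}} for each stanza in text.
    '#' comments are stripped; the right-hand side is kept as a string."""
    services = {}
    for name, body in STANZA_RE.findall(text):
        attrs = {}
        for line in body.splitlines():
            line = line.split("#", 1)[0]
            m = ATTR_RE.match(line)
            if m:
                attrs[m.group(1)] = m.group(3)
        services[name] = attrs
    return services


def check_service(attrs):
    """Return a list of problem strings for one service's attributes."""
    problems = []
    for attr in attrs:
        if attr not in KNOWN_ATTRIBUTES:
            problems.append(
                f"unknown attribute '{attr}' (not a recognized xinetd attribute)")
    instances = attrs.get("instances", "UNLIMITED")
    per_source = attrs.get("per_source", "UNLIMITED")
    if per_source == "UNLIMITED":
        problems.append("per_source not set: one address can consume every instance")
    elif instances != "UNLIMITED" and int(per_source) > int(instances):
        problems.append("per_source exceeds instances, so it never takes effect")
    return problems


# Constructed sample: the stanza from the report, typo included.
REPORTED_STANZA = """
service ftp
{
    disable         = no
    instances       = 25
    socket_type     = stream
    wait            = no
    user            = root
    server          = /usr/sbin/in.ftpd
    server_args     = -l -a
    log_on_success  += DURATION
    nice            = 10
    per_souce       = 3
}
"""

# Constructed sample: the same stanza with the attribute name corrected.
CORRECTED_STANZA = REPORTED_STANZA.replace("per_souce", "per_source")

if __name__ == "__main__":
    for label, text in (("reported", REPORTED_STANZA), ("corrected", CORRECTED_STANZA)):
        problems = check_service(parse_services(text)["ftp"])
        print(f"{label}: {problems or 'no problems found'}")
```

Run it against a real /etc/xinetd.d directory by feeding each file to parse_services; anything reported as an unknown attribute should be compared against xinetd's own log, which records how it handled the line when the config was loaded.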
Can you try the xinetd at http://people.redhat.com/teg/xinetd/?
Please advise as to whether the trial version of xinetd you pointed to is stable enough to run on a production web or email server. If so, I'll put it up (I guess I also will need to know how to quickly back it out). I've changed the bug back to ASSIGN for your response. Change it to NEEDINFO if you like after responding.
Just a note that we continue to see this issue on production servers. We set the FTP service to be limited to 3 connections per source (i.e. per source IP address) but xinetd allows connections up to the service limit, then shuts off the service by detecting denial of service. We have NOT tried the trial version as yet. We presently have no testbed for reproducing this problem other than high-volume production servers. As such, we are not willing to simply put the next (and arguably untested) version of Xinetd onto that production environment. You're so far giving us the choice of: 1. Install an untested version of software which MAY fix the problem, but may also introduce other problems, security issues, etc., or, 2. Live with denial of service attacks shutting off services. We'd really like a fix to this problem. Please advise how much money to send, and to where, to get this problem properly fixed, QA'd and an errata produced.
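The evidence described in this comment (one address holding more concurrent sessions than per_source allows) can be pulled out of xinetd's own logging. The script below is an added example, not part of the report; it assumes the START/EXIT line format xinetd writes through syslog (START: svc pid=N from=ADDR, EXIT: svc status=S pid=N duration=D(sec)), pairs each EXIT with its START by pid, and reports the peak number of simultaneous instances per source address. The log lines are constructed, using documentation address ranges.

```python
"""Peak concurrent xinetd instances per source address, from START/EXIT
log lines. Added example; log format assumed to follow xinetd's syslog
output, sample lines constructed."""
import re
from collections import defaultdict

START_RE = re.compile(r"START: (\S+) pid=(\d+) from=(\S+)")
EXIT_RE = re.compile(r"EXIT: (\S+) status=\d+ pid=(\d+)")


def peak_concurrent_per_source(lines, service="ftp"):
    """Return {source_address: peak simultaneous instances} for one service."""
    live = {}                       # pid -> source address still running
    current = defaultdict(int)      # source address -> instances running now
    peak = defaultdict(int)
    for line in lines:
        m = START_RE.search(line)
        if m and m.group(1) == service:
            pid, src = m.group(2), m.group(3)
            live[pid] = src
            current[src] += 1
            peak[src] = max(peak[src], current[src])
            continue
        m = EXIT_RE.search(line)
        if m and m.group(1) == service:
            src = live.pop(m.group(2), None)   # EXIT without START is ignored
            if src is not None:
                current[src] -= 1
    return dict(peak)


def over_limit(lines, per_source, service="ftp"):
    """Sources whose peak exceeded the configured per_source value."""
    return {src: n for src, n in peak_concurrent_per_source(lines, service).items()
            if n > per_source}


# Constructed sample: 192.0.2.10 reaches four simultaneous sessions.
SAMPLE_LOG = """
Mar  3 10:00:01 ftp1 xinetd[801]: START: ftp pid=9001 from=192.0.2.10
Mar  3 10:00:01 ftp1 xinetd[801]: START: ftp pid=9002 from=192.0.2.10
Mar  3 10:00:02 ftp1 xinetd[801]: START: ftp pid=9003 from=192.0.2.10
Mar  3 10:00:02 ftp1 xinetd[801]: START: ftp pid=9004 from=198.51.100.7
Mar  3 10:00:03 ftp1 xinetd[801]: START: ftp pid=9005 from=192.0.2.10
Mar  3 10:00:03 ftp1 xinetd[801]: EXIT: ftp status=0 pid=9002 duration=2(sec)
Mar  3 10:00:04 ftp1 xinetd[801]: START: ftp pid=9006 from=192.0.2.10
""".strip().splitlines()

if __name__ == "__main__":
    print(peak_concurrent_per_source(SAMPLE_LOG))
    print("over per_source=3:", over_limit(SAMPLE_LOG, 3))
```

Feeding the real syslog through over_limit with the configured per_source value gives a direct yes/no on whether the cap is being enforced, which is a cheaper test than waiting for the service to be shut down for excessive connections.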
Still waiting for a response to whether the trial xinetd is, in your estimation, a total hack to use only for testing, or a stable version you think could be safely deployed on a production server with a similar level of stability to the present version. I'm happy to test code for you, but you need to be willing to give an opinion as to the state of what you're asking me to test. It's been 6 months since I asked, though.
It should have worked fine. Now, there is a newer version available - the one in Red Hat Linux 7.3. Give that one a try.
OK. I've tested the version of xinetd from Red Hat Linux 7.3 (xinetd-2.3.4-0.8). The per_source feature is not functioning in that version either. It would be VERY helpful to have per_source, as it would cut down on one type of DoS attack.
moving to version 7.3 (as 7.0 is no longer supported)
Errata for xinetd (to version 2.3.11) in progress.
An erratum for xinetd taking it to version 2.3.11 is available http://rhn.redhat.com/errata/RHSA-2003-160.html Does this fix this issue?
Should be fixed by the errata; please reopen this bug if not.
Sorry for the slow feedback. Recent errata version seems to function properly.