Red Hat ENTERPRISE LINUX 5 - DEPLOYMENT Deployment Manual page 650

Chapter 43. Securing Your Network
Service (DoS) attacks. Refer to the man pages for xinetd and xinetd.conf for a list of available
options.
43.2.1.2.1. Setting a Trap
One important feature of xinetd is its ability to add hosts to a global no_access list. Hosts on this
list are denied subsequent connections to services managed by xinetd for a specified period or until
xinetd is restarted. You can do this using the SENSOR attribute. This is an easy way to block hosts
attempting to scan the ports on the server.
The first step in setting up a SENSOR is to choose a service you do not plan on using. For this
example, Telnet is used.
Edit the file /etc/xinetd.d/telnet and change the flags line to read:
flags = SENSOR
Add the following line:
deny_time = 30
This denies any further connection attempts to that port by that host for 30 minutes. Other acceptable
values for the deny_time attribute are FOREVER, which keeps the ban in effect until xinetd is
restarted, and NEVER, which allows the connection and logs it.
Finally, the last line should read:
disable = no
This enables the trap itself.
While using SENSOR is a good way to detect and stop connections from undesirable hosts, it has two
drawbacks:
• It does not work against stealth scans.
• An attacker who knows that a SENSOR is running can mount a Denial of Service attack against
particular hosts by forging their IP addresses and connecting to the forbidden port.
43.2.1.2.2. Controlling Server Resources
Another important feature of xinetd is its ability to set resource limits for services under its control.
It does this using the following directives:
• cps = <number_of_connections> <wait_period> — Limits the rate of incoming
connections. This directive takes two arguments:
• <number_of_connections> — The number of connections per second to handle. If the rate of
incoming connections is higher than this, the service is temporarily disabled. The default value is
fifty (50).
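The SENSOR trap in Section 43.2.1.2.1 and the cps limit above are both just attribute settings in an xinetd service stanza, so the practical check is whether the stanza really says what you intend. The following is an added example (not part of the Red Hat manual and not code from the xinetd project): a small parser for the /etc/xinetd.d/<service> stanza format followed by two audits, one that reports anything that would keep a stanza from working as a SENSOR trap (missing SENSOR flag, missing or invalid deny_time, deny_time = NEVER which only logs, disable = yes) and one that reports the connection-per-second limit in force, falling back to the default of 50 when cps is unset. The two stanzas in SAMPLE_CONFIG are constructed for the example; the function names are the example's own.

```python
"""Audit xinetd service stanzas for the SENSOR trap and the cps rate limit.

Added example: a parser for /etc/xinetd.d/<service> files plus checks that
mirror the settings described in the text. Not part of xinetd or of the
Red Hat manual; the sample stanzas below are constructed.
"""
import re
from typing import Dict, List

# Constructed sample: a Telnet stanza set up as a SENSOR trap, and an FTP
# stanza with an explicit cps limit but no trap.
SAMPLE_CONFIG = """\
service telnet
{
        flags           = REUSE SENSOR
        socket_type     = stream
        wait            = no
        user            = root
        server          = /usr/sbin/in.telnetd
        log_on_failure  += USERID
        deny_time       = 30
        disable         = no
}

service ftp
{
        socket_type     = stream
        wait            = no
        user            = root
        server          = /usr/sbin/in.ftpd
        cps             = 25 60
        disable         = no
}
"""

# attribute line: "key = v1 v2", "key += v", or "key -= v"
_ATTR = re.compile(r"^\s*([A-Za-z_]+)\s*(\+=|-=|=)\s*(.*?)\s*$")


def parse_xinetd(text: str) -> Dict[str, Dict[str, List[str]]]:
    """Parse xinetd stanzas into {service: {attribute: [values]}}.

    Supports '=', '+=' (append) and '-=' (remove); '#' comments and
    blank lines are ignored.
    """
    services: Dict[str, Dict[str, List[str]]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("service "):
            current = line.split(None, 1)[1].strip()
            services[current] = {}
        elif line in ("{", "}"):
            if line == "}":
                current = None
        elif current is not None:
            m = _ATTR.match(line)
            if not m:
                raise ValueError(f"unparseable line in {current}: {raw!r}")
            key, op, value = m.groups()
            values = value.split()
            attrs = services[current]
            if op == "=":
                attrs[key] = values
            elif op == "+=":
                attrs.setdefault(key, []).extend(values)
            else:  # "-="
                attrs[key] = [v for v in attrs.get(key, []) if v not in values]
    return services


def audit_sensor(attrs: Dict[str, List[str]]) -> List[str]:
    """Return problems that would stop a stanza from acting as a SENSOR trap."""
    problems = []
    if "SENSOR" not in attrs.get("flags", []):
        problems.append("flags does not include SENSOR")
    deny = attrs.get("deny_time")
    if deny is None:
        problems.append("deny_time is not set")
    elif not (deny[0].isdigit() or deny[0] in ("FOREVER", "NEVER")):
        problems.append(f"deny_time has an invalid value {deny[0]!r}")
    elif deny[0] == "NEVER":
        problems.append("deny_time = NEVER only logs the connection; it does not block the host")
    if attrs.get("disable", ["no"])[0] != "no":
        problems.append("disable = yes: the service, and therefore the trap, is off")
    return problems


def effective_cps(attrs: Dict[str, List[str]]) -> int:
    """Connections-per-second limit in force (xinetd's default is 50 when cps is unset)."""
    cps = attrs.get("cps")
    if cps is None:
        return 50
    if len(cps) != 2 or not all(v.isdigit() for v in cps):
        raise ValueError(f"cps expects two integers, got {cps}")
    return int(cps[0])


if __name__ == "__main__":
    for name, attrs in parse_xinetd(SAMPLE_CONFIG).items():
        print(name, "| sensor problems:", audit_sensor(attrs) or "none",
              "| cps limit:", effective_cps(attrs))
```

Run against a real /etc/xinetd.d directory by reading each file into parse_xinetd; a stanza that reports no sensor problems and a sensible cps value is configured the way the two sections describe.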
624
