Additional Resources - Red Hat ENTERPRISE LINUX 5 - DEPLOYMENT Deployment Manual

Chapter 43. Securing Your Network
are using internal-only IP addresses, are not available from outside the gateway system. However, when certain services controlled by xinetd are configured with the bind and redirect options, the gateway machine can act as a proxy between outside systems and a particular internal machine configured to provide the service. In addition, the various xinetd access control and logging options are also available for additional protection.
43.5.4.3.4. Resource Management Options
The xinetd daemon can add a basic level of protection from Denial of Service (DoS) attacks. The following is a list of directives which can aid in limiting the effectiveness of such attacks:
• per_source — Defines the maximum number of instances for a service per source IP address. It accepts only integers as an argument and can be used in both xinetd.conf and in the service-specific configuration files in the xinetd.d/ directory.
• cps — Defines the maximum number of connections per second. This directive takes two integer arguments separated by white space. The first argument is the maximum number of connections allowed to the service per second. The second argument is the number of seconds that xinetd must wait before re-enabling the service. It accepts only integers as arguments and can be used in either the xinetd.conf file or the service-specific configuration files in the xinetd.d/ directory.
• max_load — Defines the CPU usage or load average threshold for a service. It accepts a floating point number argument.
The load average is a rough measure of how many processes are active at a given time. See the uptime, who, and procinfo commands for more information about load average.
There are more resource management options available for xinetd. Refer to the xinetd.conf man page for more information.
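As an added illustration (not from the Red Hat guide or the xinetd project), the following Python script parses an xinetd.d-style service file and reports services that lack the per_source and cps limits described above, or that give per_source, cps or max_load an argument of the wrong type. The sample configuration, its service names and its values are constructed for the example.

```python
import re

# Constructed sample in the style of /etc/xinetd.d/ service files: the first
# service carries the three limits from the text, the second has none.
SAMPLE_CONF = """\
service telnet
{
    server      = /usr/sbin/in.telnetd
    per_source  = 5        # at most 5 instances per source IP
    cps         = 25 30    # 25 conn/s, then disabled for 30 s
    max_load    = 2.5      # stop accepting above load average 2.5
}
service finger
{
    server      = /usr/sbin/in.fingerd
}
"""

def parse_services(text):
    # Map each "service NAME { key = value ... }" block to a dict of directives.
    services = {}
    for name, body in re.findall(r"service\s+(\S+)\s*\{(.*?)\}", text, re.S):
        attrs = {}
        for line in body.splitlines():
            line = line.split("#", 1)[0].strip()   # drop trailing comments
            if "=" in line:
                key, val = line.split("=", 1)
                attrs[key.strip()] = val.strip()
        services[name] = attrs
    return services

def check_resource_limits(attrs):
    # Return a list of findings; an empty list means the service passes.
    problems = []
    ps = attrs.get("per_source")
    if ps is None:
        problems.append("per_source not set: no per-IP instance limit")
    elif not ps.isdigit():
        problems.append("per_source must be an integer, got %r" % ps)
    cps = attrs.get("cps")
    if cps is None:
        problems.append("cps not set: no connections-per-second limit")
    elif len(cps.split()) != 2 or not all(p.isdigit() for p in cps.split()):
        problems.append("cps needs two integers (rate, wait seconds), got %r" % cps)
    ml = attrs.get("max_load")
    if ml is not None and not re.fullmatch(r"\d+(\.\d+)?", ml):
        problems.append("max_load must be a floating point number, got %r" % ml)
    return problems

def audit(text=SAMPLE_CONF):
    # Findings per service name for a whole xinetd.d-style file.
    return {name: check_resource_limits(a) for name, a in parse_services(text).items()}
```

Running audit() on the sample reports telnet as clean and lists the two missing limits for finger; point it at the text of a real service file to review your own configuration.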

43.5.5. Additional Resources

More information about TCP Wrappers and xinetd is available from system documentation and on the Internet.
43.5.5.1. Installed Documentation
The documentation on your system is a good place to start looking for additional configuration options for TCP Wrappers, xinetd, and access control.
• /usr/share/doc/tcp_wrappers-<version>/ — This directory contains a README file that discusses how TCP Wrappers work and the various hostname and host address spoofing risks that exist.
• /usr/share/doc/xinetd-<version>/ — This directory contains a README file that discusses aspects of access control and a sample.conf file with various ideas for modifying service-specific configuration files in the /etc/xinetd.d/ directory.
• TCP Wrappers and xinetd-related man pages — A number of man pages exist for the various applications and configuration files involved with TCP Wrappers and xinetd. The following are some of the more important man pages:
Server Applications
• man xinetd — The man page for xinetd.