rate limiting sshd connections ?
Jason Stone
freebsd-security at dfmm.org
Tue May 11 14:33:00 PDT 2004
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
> > Aside from having more connection limiting features inetd is also
> > easier to configure on non-standard ports, uses less memory (1K vs
> > 5K), and has a simpler (and by extension more secure) code base.
>
> As to security I think both code bases have had about the same degree of
> peer review. The smaller size of the inetd code base is what makes it
> more secure.
1) how does this interact with privilege separation? as far as I
understand it, privilege separation implies that no raw data from the
network will ever be touched by a root-running process. I don't expect
that inetd can say the same.
2) if you really are looking for a very simple/secure network listener,
tcpserver from the ucspi-tcp package is going to fit that bill _way_ more
than inetd. and tcpserver also provides rate-limiting, use of arbitrary
ports, an even smaller memory footprint, as well as features that inetd
doesn't have (like setting environment variables based on remote address).
-Jason
--------------------------------------------------------------------------
Freud himself was a bit of a cold fish, and one cannot avoid the suspicion
that he was insufficiently fondled when he was an infant.
-- Ashley Montagu
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (FreeBSD)
Comment: See https://private.idealab.com/public/jason/jason.gpg
iD8DBQFAoUaLswXMWWtptckRAkBeAKDfVrZE5ezanuxyqVmdANVCLJ73swCfTPXv
5sqmuZRai9vd3nsfNqQskN8=
=76iI
-----END PGP SIGNATURE-----
More information about the freebsd-security
mailing list