Bruce Guenter [mailto:[EMAIL PROTECTED]] wrote:
> And what happens when somebody tries to actively attack your system?
> With these limits, I expect that a remote user could make your system
> run out of FDs in a few minutes, not to mention memory. With a limit of
> 10000, I could probably open up a thousand or so connections a minute
> without triggering any of inetd's limits, and leave them open.
>
> inetd protects against one thing: rapid attacks. It does not offer any
> protection against total amount of resources used (in the form of number
> of connections). I have never run into a situation where rate
> protection is needed, and have only rarely heard of such situations.
> However, resource starvation is common.

I use tcpserver for qmail - that only makes sense to me because of the load
issues.

But what about the other services? I'd perhaps like to use tcpserver for them too,
and I've heard that others have had success with this. But I don't like the
idea of a whole bunch of programs all configured with command line directives
running in the background just for these rarely used services.

Why doesn't somebody patch tcpserver so that one daemon can handle multiple
services and read the configuration all out of one file? That would be really
neat, IMO.

Also, when you tcpserver devotees start railing about how the system can be
attacked with inetd, it rings hollow to me because an attacker could use any
service to attack, right? So if I have inetd in my system I'm vulnerable
whether I use it for qmail or not. Wouldn't it be cooler if you could show the
user how to easily replace inetd with tcpserver altogether?

- David
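The distinction Bruce draws in the quoted part, a per-minute rate limit (inetd's `nowait.N` field, which caps spawns per 60 s) versus a cap on simultaneous connections (tcpserver's `-c N`), can be made concrete with a small model. The following is an added example written for this note, not code from the thread, from inetd or from ucspi-tcp; the trace it replays is constructed, and both policies are simplified as noted in the comments (over-limit connections are simply dropped rather than disabling the service or queuing in the backlog). It counts how many connections the server side is left holding, which is the resource an operator actually runs out of.

```python
import heapq
from collections import deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Conn:
    t_open: float  # seconds after start when the client connects
    hold: float    # seconds the client keeps the connection open


def _expire(open_until, now):
    # Forget connections whose close time has already passed.
    while open_until and open_until[0] <= now:
        heapq.heappop(open_until)


def peak_open_rate_limited(trace, max_per_minute):
    """inetd-style limit: at most max_per_minute accepts in any 60 s window.

    Simplification: a connection arriving over the rate is just dropped (real
    inetd disables the service for a while instead). Returns the peak number
    of simultaneously open connections, i.e. FDs/processes held server-side.
    """
    recent = deque()   # accept times inside the last 60 s
    open_until = []    # min-heap of close times of accepted connections
    peak = 0
    for c in sorted(trace, key=lambda x: x.t_open):
        now = c.t_open
        while recent and now - recent[0] >= 60:
            recent.popleft()
        _expire(open_until, now)
        if len(recent) >= max_per_minute:
            continue
        recent.append(now)
        heapq.heappush(open_until, now + c.hold)
        peak = max(peak, len(open_until))
    return peak


def peak_open_concurrency_limited(trace, max_open):
    """tcpserver -c style limit: never more than max_open children alive.

    Simplification: a connection arriving at the limit is dropped (tcpserver
    actually leaves it in the listen backlog until a child exits). Either
    way it consumes no server-side FD or process.
    """
    open_until = []
    peak = 0
    for c in sorted(trace, key=lambda x: x.t_open):
        now = c.t_open
        _expire(open_until, now)
        if len(open_until) >= max_open:
            continue
        heapq.heappush(open_until, now + c.hold)
        peak = max(peak, len(open_until))
    return peak


def slow_open_trace(per_second=10, seconds=60, hold=3600):
    """Constructed trace: a client connects at a steady, unremarkable rate
    and simply never closes anything (the situation Bruce describes)."""
    return [Conn(t_open=i / per_second, hold=hold)
            for i in range(per_second * seconds)]


if __name__ == "__main__":
    trace = slow_open_trace()
    print("rate limit 10000/min  -> peak open:", peak_open_rate_limited(trace, 10000))
    print("rate limit 100/min    -> peak open:", peak_open_rate_limited(trace, 100))
    print("concurrency limit 40  -> peak open:", peak_open_concurrency_limited(trace, 40))
```

With the constructed trace (10 connections a second for a minute, each held for an hour) the generous rate limit admits every one of the 600 connections and holds all 600 open; a rate limit low enough to bite still leaves 100 held open and would also lock out legitimate clients; the concurrency cap holds the server at 40 regardless of how long the client keeps going.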
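On David's last point, one way to drive a whole set of tcpserver instances from a single file is to keep the existing inetd.conf and generate the tcpserver command lines from it. The translator below is an added example, not part of the thread and not a ucspi-tcp tool. It assumes tcpserver and envuidgid from ucspi-tcp are installed and uses only their documented flags: `-U` (take uid/gid from the `$UID`/`$GID` that envuidgid sets), `-H` and `-R` (skip the reverse DNS and ident lookups), and `-c N` (at most N simultaneous connections). inetd's `nowait.N` is a rate (N spawns per 60 s, default 40); here that number is reused as the `-c` concurrency cap, which is the stronger limit Bruce argues for, and tcpserver's own `-c` default is also 40. The sample inetd.conf is constructed; the hostname and paths in it are placeholders.

```python
import shlex
import socket

# Constructed fallback for hosts without /etc/services (assumption: these
# assignments are the standard ones).
WELL_KNOWN_PORTS = {"pop3": 110, "finger": 79, "telnet": 23, "smtp": 25}

DEFAULT_MAX = 40  # inetd's default for "nowait" without an explicit .N

SAMPLE_INETD_CONF = """\
# constructed sample inetd.conf (placeholder hostname and paths)
pop3    stream  tcp  nowait.50  root    /usr/local/bin/qmail-popup  qmail-popup mail.example.com /bin/checkpassword /var/qmail/bin/qmail-pop3d Maildir
finger  stream  tcp  nowait     nobody  /usr/sbin/in.fingerd        in.fingerd -w
tftp    dgram   udp  wait       root    /usr/sbin/in.tftpd          in.tftpd /tftpboot
"""


def service_port(name):
    """Resolve an inetd service name (or numeric port) to a TCP port."""
    if name.isdigit():
        return int(name)
    try:
        return socket.getservbyname(name, "tcp")
    except OSError:
        return WELL_KNOWN_PORTS[name]  # KeyError surfaces an unknown service


def parse_inetd_line(line):
    """Return a dict for a 'stream tcp nowait' entry, or None for comments,
    blank lines and entries tcpserver cannot serve (udp, wait-style)."""
    line = line.split("#", 1)[0].strip()
    if not line:
        return None
    fields = line.split()
    if len(fields) < 7:
        raise ValueError(f"malformed inetd.conf line: {line!r}")
    service, socktype, proto, flags, user, program = fields[:6]
    if socktype != "stream" or proto != "tcp":
        return None
    wait, _, limit = flags.partition(".")
    if wait != "nowait":
        return None
    return {
        "service": service,
        "port": service_port(service),
        "max": int(limit) if limit else DEFAULT_MAX,
        # envuidgid takes only an account name and uses its primary group,
        # so an inetd "user:group" suffix is dropped here.
        "user": user.split(":", 1)[0],
        "program": program,
        # inetd's argument field starts with argv[0]; tcpserver supplies
        # argv[0] itself, so skip it.
        "args": fields[7:],
    }


def tcpserver_command(entry):
    """Build the shell command for one service: bind all addresses ("0") on
    the service port, drop to the inetd user, cap simultaneous children."""
    cmd = ["envuidgid", entry["user"], "tcpserver", "-U", "-H", "-R",
           "-c", str(entry["max"]), "0", str(entry["port"]),
           entry["program"], *entry["args"]]
    return shlex.join(cmd)


def translate(conf_text):
    """Whole-file translation: one tcpserver command per servable entry."""
    commands = []
    for raw in conf_text.splitlines():
        entry = parse_inetd_line(raw)
        if entry:
            commands.append(tcpserver_command(entry))
    return commands


if __name__ == "__main__":
    for command in translate(SAMPLE_INETD_CONF):
        print(command, "&")
```

Run against the sample it prints one backgrounded tcpserver line for pop3 and one for finger and silently skips the UDP tftp entry, which tcpserver does not handle. Each emitted line is what a supervise run script or a boot script would contain, so the single inetd.conf remains the one place the services are described.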