Summary

   

The primary problem with inetd itself is that it can be used in denial of service attacks on your machine. As the Internet services superserver, it can start many services that are prone to various vulnerabilities. Therefore, you do not want to turn on any services that you don't need to have running.

To further increase inetd security, you can make use of the TCP Wrappers package, tcpd, that comes with OS X. With TCP Wrappers, you can allow or deny access to TCP services that are started by inetd on a per-host or per-network basis.

Likewise, the primary problem with the default xinetd is that, in spite of its built-in host restriction capabilities, it is also prone to denial of service attacks. Nonetheless, with xinetd, you can not only control "allow" and "deny" access for services, but you can also control many other aspects of a service. For example, for a given service, you can control the number of servers running, the server priority level, access times, number of connections per source IP address, the rate of incoming connections, the maximum number of CPU seconds, and maximum data size. Such controls can reduce the impact of a denial of service attack on your machine.
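An xinetd service entry that sets each of the controls listed above, given here as an added example that is not taken from the book. The service chosen, the file and server paths, the addresses, and every numeric value are assumptions picked for illustration.

```conf
# /etc/xinetd.d/ftp  (constructed example; service, paths and all values are assumptions)
service ftp
{
        disable         = no
        socket_type     = stream
        protocol        = tcp
        wait            = no
        user            = root
        server          = /usr/libexec/ftpd
        server_args     = -l

        # "Allow" and "deny": accept one network, refuse one host inside it.
        only_from       = 192.168.1.0/24
        no_access       = 192.168.1.13

        # Number of servers that may run at once for this service.
        instances       = 10

        # Server priority level (nice value; a higher number is a lower priority).
        nice            = 10

        # Access times, in 24-hour hour:min-hour:min form.
        access_times    = 08:00-18:00

        # Number of connections allowed per source IP address.
        per_source      = 2

        # Rate of incoming connections: at most 5 per second; when the rate
        # is exceeded, the service is disabled for 30 seconds.
        cps             = 5 30

        # Maximum number of CPU seconds for each server process.
        rlimit_cpu      = 60

        # Maximum data size for each server process, in bytes (16 MB here).
        rlimit_data     = 16777216

        # Log the remote host when a connection is refused or fails.
        log_on_failure  += HOST
}
```

With per_source and instances both set, a single address cannot consume every server slot, and cps bounds how fast new connections are accepted from all sources combined.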

Given that the histories of both inetd and xinetd vulnerabilities have included at least one serious vulnerability, it is important to keep current on both of these daemons. For inetd, apply any updates from Apple that include inetd fixes. At least do the same for xinetd. For additional protection, install the latest version of xinetd.


   


Mac OS X Maximum Security
ISBN: 0672323818
Year: 2003
Pages: 158
