[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

rate limiting sshd connections ?



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


> > Aside from having more connection limiting features inetd is also
> > easier to configure on non-standard ports, uses less memory (1K vs
> > 5K), and has a simpler (and by extension more secure) code base.
>
> As to security I think both code bases have had about the same degree of
> peer review.  The smaller size of the inetd code base is what makes it
> more secure.

1) how does this interact with privilege separation?  as far as I
understand it, privilege separation implies that no raw data from the
network will ever be touched by a root-running process.  I don't expect
that inetd can say the same.

2) if you really are looking for a very simple/secure network listener,
tcpserver from the ucspi-tcp package is going to fit that bill _way_ more
than inetd.  and tcpserver also provides rate-limiting, use of arbitrary
ports, an even smaller memory footprint, as well as features that inetd
doesn't have (like setting environment variables based on remote address).


 -Jason

 --------------------------------------------------------------------------
 Freud himself was a bit of a cold fish, and one cannot avoid the suspicion
 that he was insufficiently fondled when he was an infant.
	-- Ashley Montagu
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (FreeBSD)
Comment: See https://private.idealab.com/public/jason/jason.gpg

iD8DBQFAoUaLswXMWWtptckRAkBeAKDfVrZE5ezanuxyqVmdANVCLJ73swCfTPXv
5sqmuZRai9vd3nsfNqQskN8=
=76iI
-----END PGP SIGNATURE-----

Visit your host, monkey.org