COMMAND

    inetd

SYSTEMS AFFECTED

    Linux

PROBLEM

    Grzegorz Stelmaszek found the following.  Both DoS attacks use
    something known as portfuck (e.g. `while true; do telnet host port &
    done`).

    1. If you use it against any inetd service, inetd will shut down
       that service for about 30 minutes (I did not check, but it
       seems to be about that time).

    2. If you use it against sshd, you have a 99% chance of crashing
       the machine in a few seconds.

    This was tested on:

        sshd-1.2.26 on Debian 2.0
        sshd-1.2.27 on Debian 2.1
        sshd-1.2.27 on RedHat 5.2

    This allows any user to hang many machines in the Internet.

SOLUTION

    Probably running in a ulimit environment (like qmail does) should
    help, and additionally remove this strange 'protection' from inetd.
    Why run ssh from inetd anyway?  If you're worried about it crashing,
    use the daemontools package and 'supervise' it.  It'll get restarted
    if the process dies.

    An alternative is to install xinetd and load sshd into xinetd.
    Instances control in xinetd takes care of that issue.  Similar inetd
    replacements which have instances control would also work.  Be sure
    to use the "-i" flag since sshd is no longer standalone.  A working
    xinetd config for it would look like:

    service ssh
    {
            socket_type     = stream
            protocol        = tcp
            wait            = no
            user            = root
            server          = /usr/local/sbin/sshd
            server_args     = -i
            instances       = 10
    }
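    The point of the config above is the "instances" line: xinetd's
    default for that attribute is UNLIMITED, so a stanza that omits it
    reproduces the unbounded fork-per-connection behaviour that the
    advisory describes for plain inetd.  The following POSIX sh script
    is an added example, not part of the original advisory or of the
    xinetd project: it audits an xinetd configuration file and reports
    any service stanza without a numeric instances limit.  The two
    sample stanzas it writes are constructed for the demonstration
    (the weak one is the advisory's config with the instances line
    removed; the hardened one adds "per_source", a real xinetd
    attribute that is not mentioned on this page).

```shell
#!/bin/sh
# Added example, not part of the original advisory.  Audits an xinetd
# configuration file for service stanzas that lack a numeric "instances"
# limit.  xinetd's default for "instances" is UNLIMITED, so a stanza
# that omits it gives the same unbounded fork behaviour the advisory
# describes for inetd.  The sample stanzas below are constructed for
# this demonstration; the sshd path mirrors the config in the advisory.

# Exit 0 if every "service" stanza in file $1 sets instances to a
# number, 1 if any stanza omits it or sets it to UNLIMITED.
xinetd_has_instance_limit() {
    awk '
        /^[[:space:]]*service[[:space:]]/ { in_svc = 1; limited = 0; next }
        in_svc && /^[[:space:]]*instances[[:space:]]*=/ {
            val = $0
            sub(/^[^=]*=[[:space:]]*/, "", val)   # keep only the value
            sub(/[[:space:]]*$/, "", val)
            if (val ~ /^[0-9]+$/) limited = 1
        }
        in_svc && /^[[:space:]]*}/ {
            if (!limited) unlimited++
            in_svc = 0
        }
        END { if (unlimited > 0) exit 1; exit 0 }
    ' "$1"
}

# Constructed sample: sshd under xinetd with no instances limit (weak).
write_weak_sample() {
    cat > "$1" <<'EOF'
service ssh
{
        socket_type     = stream
        protocol        = tcp
        wait            = no
        user            = root
        server          = /usr/local/sbin/sshd
        server_args     = -i
}
EOF
}

# Constructed sample: the same stanza with a concurrency cap, as in the
# advisory's config, plus per_source (a real xinetd attribute, not on
# the page) to cap simultaneous connections from a single address.
write_hardened_sample() {
    cat > "$1" <<'EOF'
service ssh
{
        socket_type     = stream
        protocol        = tcp
        wait            = no
        user            = root
        server          = /usr/local/sbin/sshd
        server_args     = -i
        instances       = 10
        per_source      = 3
}
EOF
}

# Stand-alone usage: write both samples to temp files and audit them.
weak=$(mktemp) && hard=$(mktemp)
write_weak_sample "$weak"
write_hardened_sample "$hard"
for f in "$weak" "$hard"; do
    if xinetd_has_instance_limit "$f"; then
        echo "$f: every service stanza has an instances limit"
    else
        echo "$f: a service stanza has no instances limit"
    fi
done
rm -f "$weak" "$hard"
```

    Run it against /etc/xinetd.conf or a file under /etc/xinetd.d to
    find services that would still fork without bound.  The instances
    cap protects the machine as a whole; per_source is the finer knob,
    because it limits what a single client address can consume without
    starving everyone else when one host misbehaves.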

    This kind of DoS can also be avoided by using G2S and IPLimit
    instead of inetd.  Check out

        http://www.jedi.claranet.fr

    for these programs.