| geolaw 2004-01-23, 7:33 pm |
| Hello All,
Every now and then we get the following in our syslog:
Jun 16 22:20:46 xxx xinetd[9980]: Deactivating service ftp due to \
excessive incoming connections. Restarting in 30 seconds.
Jun 16 22:21:16 xxx xinetd[9980]: Activating service ftp
I've got logsurfer set up to watch for this and when it sees it, it
does a netstat and counts connections to port 21. If the count is above
10 from 1 IP address, logsurfer blocks this IP with iptables.
This is working great, however, I was thinking that there should be
something built into xinetd which will prevent this.
Sure enough... From the man page for xinetd.conf:
per_source Takes an integer or "UNLIMITED" as an argument. This
specifies the maximum instances of this service per source IP address.
This can also be specified in the defaults section.
I read this as being able to limit the number of incoming connections
from a single IP address. (Correct or Incorrect??) I figured "great -
this is the best way to stop this".
In /etc/xinetd.conf, I have:
defaults
{
....
....
per_source = 5
}
I also have this in /etc/xinetd.d/wu-ftpd:
service ftp
{
....
....
....
per_source = 5
....
....
....
}
The trouble is that neither seems to be working.
I downloaded the src rpm and looked through the source and all the
patches to make sure the per_source option was not something that needs to
be turned on during the build. It looks like this should work by
default, but it isn't.
Am I missing something?
Thanks!
Geo
|
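An added example, not part of Geo's post, that mirrors the logsurfer workflow he describes (trigger on the xinetd deactivation message, count connections to port 21 per source IP from netstat output, produce the iptables block rule) as a shell script that runs offline on constructed input. The "Deactivating service ... Restarting in 30 seconds" message is emitted by xinetd's cps rate limit, which is a separate attribute from per_source. The function names and the sample netstat output are mine; the syslog lines are the ones from the post with the wrapped line rejoined.

```shell
#!/bin/sh
# Added example (not from the original post): a dry-run version of the
# logsurfer-style check described above, testable offline.
# Function names and the netstat sample are constructed for this example.

# The xinetd lines from the post, with the wrapped line rejoined.
SAMPLE_SYSLOG='Jun 16 22:20:46 xxx xinetd[9980]: Deactivating service ftp due to excessive incoming connections. Restarting in 30 seconds.
Jun 16 22:21:16 xxx xinetd[9980]: Activating service ftp'

# Constructed `netstat -nt` output; addresses are documentation ranges, not real hosts.
SAMPLE_NETSTAT='Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 192.0.2.10:21           198.51.100.7:40123      ESTABLISHED
tcp        0      0 192.0.2.10:21           198.51.100.7:40124      ESTABLISHED
tcp        0      0 192.0.2.10:21           198.51.100.7:40125      ESTABLISHED
tcp        0      0 192.0.2.10:21           198.51.100.7:40126      ESTABLISHED
tcp        0      0 192.0.2.10:21           198.51.100.7:40127      SYN_RECV
tcp        0      0 192.0.2.10:21           203.0.113.9:51000       ESTABLISHED
tcp        0      0 192.0.2.10:21           203.0.113.9:51001       ESTABLISHED
tcp        0      0 192.0.2.10:22           198.51.100.7:40200      ESTABLISHED
tcp        0      0 192.0.2.10:21           198.51.100.8:40300      ESTABLISHED'

# Read syslog lines on stdin; print the name of every service xinetd
# reports as deactivated, one per line.
deactivated_services() {
    sed -n 's/.*xinetd\[[0-9]*\]: Deactivating service \([^ ]*\) due to excessive incoming connections.*/\1/p'
}

# Read netstat output on stdin; print "count ip" for each foreign IPv4 address
# with more than $2 connections to local port $1, highest count first.
# IPv4 only: splitting on ":" would mangle IPv6 addresses.
sources_over_limit() {
    awk -v port="$1" -v limit="$2" '
        $1 == "tcp" && $4 ~ (":" port "$") {
            split($5, a, ":")
            n[a[1]]++
        }
        END { for (ip in n) if (n[ip] > limit) print n[ip], ip }
    ' | sort -rn
}

# Print (do not run) the iptables rule the post applies to an offending IP.
block_rule() {
    printf 'iptables -I INPUT -p tcp --dport %s -s %s -j DROP\n' "$1" "$2"
}

# Demo on the samples: react to the xinetd message, then count per source.
for svc in $(printf '%s\n' "$SAMPLE_SYSLOG" | deactivated_services); do
    echo "xinetd deactivated service: $svc"
    printf '%s\n' "$SAMPLE_NETSTAT" | sources_over_limit 21 3 | while read -r count ip; do
        echo "$ip has $count connections to port 21, would run:"
        block_rule 21 "$ip"
    done
done
```

On a live host replace the sample with `netstat -nt` (or `ss -nt`) output piped into sources_over_limit, and keep block_rule as a printed rule until the threshold has been tuned; a threshold that is too low will cut off a busy NAT gateway that legitimately opens several FTP sessions.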