Patch-ID# 102416-03
Keywords: security server inetd fd limit backlog
Synopsis: SunOS 4.1.4: inetd fixes
Date: Jul/19/99

Solaris Release: 1.1.2

SunOS Release: 4.1.4

Unbundled Product:

Unbundled Release:

Relevant Architectures: sparc
NOTE: sun4(all)

BugId's fixed with this patch: 1214036 1030599 1112111 4154509

Changes incorporated in this version: 4154509

Patches accumulated and obsoleted by this patch:

Patches which conflict with this patch:

Patches required with this patch:

Obsoleted by:

Files included with this patch:

sun4/inetd
sun4c/inetd
sun4m/inetd

Problem Description:

Bugid 4154509: inetd security problem from "denial of service" attack

Bugid 1214036: inetd should have a flag to change listener backlog limit
               from default value

Bugid 1112111: The file descriptor limit on inetd is too low.
               This patch makes inetd use the hard limit on the number
               of file descriptors, which is 1024.

Bugid 1030599: inetd refuses to accept more than 40 connects per minute
               on a particular socket (loop detection)

The SS1 is fast enough that you can end up legitimately calling rsh more
than 40 times per minute.

This patch adds a new argument, "-r", to inetd that allows you to specify
the number of connections allowed in a given time in seconds.

The default is to allow 40 connections in a 60 second period, e.g.:

        /usr/etc/inetd -r 40 60

Typically, for a faster machine you might raise this to 60 connections per
minute, e.g.:

        /usr/etc/inetd -r 60 60

You will need to edit /etc/rc so that the change is applied each time the
machine is rebooted, e.g.:

        ...
        ...
        if [ -f /usr/etc/inetd ]; then
                inetd -r 60 60;         echo -n ' inetd'
        fi
        ...
        ...

Patch Installation Instructions:
-------------------------------

1) As root, make a backup of the original inetd file:

        mv /usr/etc/inetd /usr/etc/inetd.FCS
        chmod 400 /usr/etc/inetd.FCS

2) Copy the new inetd from the patch directory:

        cp `arch -k`/inetd /usr/etc/inetd

3) Set the mode and ownership of the new file:

        chmod 755 /usr/etc/inetd
        chown root.staff /usr/etc/inetd

4) Reboot the system.

Special Install Instructions:
-------------------------------

None.
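
Added example, not part of the Sun patch or the inetd source: a simplified C model of the per-socket connection limit that "-r" tunes (Bugid 1030599), run over constructed workloads to show which settings serve a legitimate rsh burst and how a flood is still capped. The fixed-window counting, the refusal of all further connections once the limit is exceeded, and every name in the code are assumptions made for illustration.

```c
#include <stdio.h>

/* Per-service state for a simplified model of inetd loop detection. */
struct svc {
    int  count;     /* connections counted in the current window */
    long start_ms;  /* time the current window opened */
    int  disabled;  /* set once the service is judged to be looping */
};

/* Account for one connection at time now_ms. max_conn and interval_s stand
 * for the two arguments of "-r". Returns 1 if served, 0 if refused. */
static int svc_accept(struct svc *s, long now_ms, int max_conn, long interval_s)
{
    if (s->disabled)
        return 0;
    if (s->count == 0 || now_ms - s->start_ms >= interval_s * 1000L) {
        s->start_ms = now_ms;   /* open a fresh window */
        s->count = 0;
    }
    if (++s->count > max_conn) {
        s->disabled = 1;        /* assumption: stays off for the rest of the run */
        return 0;
    }
    return 1;
}

/* Constructed workload: n connections spaced gap_ms apart.
 * Returns how many of them were served. */
int simulate(int n, long gap_ms, int max_conn, long interval_s)
{
    struct svc s = {0, 0, 0};
    int i, served = 0;

    for (i = 0; i < n; i++)
        served += svc_accept(&s, i * gap_ms, max_conn, interval_s);
    return served;
}

int main(void)
{
    printf("50 rsh calls, 1/s, -r 40 60:      %d served\n", simulate(50, 1000, 40, 60));
    printf("50 rsh calls, 1/s, -r 60 60:      %d served\n", simulate(50, 1000, 60, 60));
    printf("120 calls, 1 per 1.5s, -r 40 60:  %d served\n", simulate(120, 1500, 40, 60));
    printf("1000 calls, 1 per 10ms, -r 60 60: %d served\n", simulate(1000, 10, 60, 60));
    return 0;
}
```

In this model a steady 40 connections per minute is always served, while a burst above the configured count within one interval shuts the service off, so the count passed to "-r" should be sized to the largest legitimate burst.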