5.5 Locking Down Network Services


It is recommended that you do not install the xinetd Internet listener daemon. If you do not need this service, remove the package altogether by using the yum remove xinetd command.

If you must enable xinetd on your system, minimize the network services that xinetd can launch: each service has its own entry in /etc/xinetd.d, and any entry that is not needed should be turned off by setting disable = yes in that entry (xinetd treats an entry with no disable line as enabled). Any service you leave enabled should also be reviewed for whether it needs access controls such as only_from.

To counter potential Denial of Service (DoS) attacks, configure resource limits for the services that remain enabled. Limits placed in the defaults block of /etc/xinetd.conf apply to every service; a setting in an individual entry under /etc/xinetd.d overrides the default for that service. For example, you can set limits for the connection rate, the number of simultaneous instances of a service, and the number of connections from a single IP address:

# Maximum number of connections per second and
# number of seconds for which a service is disabled
# if the maximum number of connections is exceeded
cps             = 50 10

# Maximum number of simultaneous server instances
# (processes) for a service
instances       = 50

# Maximum number of simultaneous connections from a
# single source IP address
per_source      = 10
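The following POSIX shell script is an added example for the procedure above; it is not part of the Oracle Linux guide or of xinetd itself. It lists the services under an xinetd.d directory that xinetd would still launch (no disable line, or disable = no), reports which of the three DoS limits (cps, instances, per_source) a configuration file does not set, and rewrites a service entry so that it contains disable = yes. The function names and the sample configuration tree it builds under mktemp are constructed for the example; on a real system you would point the functions at /etc/xinetd.conf and /etc/xinetd.d instead.

```shell
#!/bin/sh
# Added audit helper (example code, not from the Oracle Linux guide or xinetd).
# Follows xinetd.conf(5) syntax: "service NAME { attribute = value ... }".
# A service entry with no "disable" line is enabled.

# Print the value of directive $1 (for example cps) from file $2, or nothing.
xinetd_directive() {
    awk -v key="$1" -F= 'NF >= 2 {
        k = $1; gsub(/^[[:space:]]+|[[:space:]]+$/, "", k)
        if (k == key) {
            v = $2; gsub(/^[[:space:]]+|[[:space:]]+$/, "", v)
            print v; exit
        }
    }' "$2"
}

# Print the names of services in directory $1 that are not "disable = yes".
xinetd_enabled_services() {
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        if [ "$(xinetd_directive disable "$f")" != "yes" ]; then
            awk '$1 == "service" { print $2 }' "$f"
        fi
    done
}

# Print the DoS limit directives that config file $1 does not set.
xinetd_missing_limits() {
    for key in cps instances per_source; do
        [ -n "$(xinetd_directive "$key" "$1")" ] || echo "$key"
    done
}

# Rewrite service file $1 so that its entry contains "disable = yes".
xinetd_disable_service() {
    tmp="$1.tmp.$$"
    if [ -n "$(xinetd_directive disable "$1")" ]; then
        # Existing disable line: keep its indentation, replace the value.
        sed 's/^\([[:space:]]*disable[[:space:]]*=[[:space:]]*\).*/\1yes/' "$1" > "$tmp"
    else
        # No disable line: insert one right after the opening brace.
        awk '{ print } /^[[:space:]]*[{]/ && !done { print "\tdisable\t= yes"; done = 1 }' "$1" > "$tmp"
    fi
    mv "$tmp" "$1"
}

# Constructed sample tree standing in for /etc/xinetd.conf and /etc/xinetd.d:
# defaults set cps and instances but not per_source; telnet is enabled,
# tftp is disabled, echo has no disable line at all.
make_sample_xinetd() {
    mkdir -p "$1/xinetd.d"
    cat > "$1/xinetd.conf" <<'EOF'
defaults
{
        instances       = 50
        cps             = 50 10
}
includedir /etc/xinetd.d
EOF
    printf 'service telnet\n{\n\tdisable\t= no\n\tsocket_type\t= stream\n}\n' > "$1/xinetd.d/telnet"
    printf 'service tftp\n{\n\tdisable\t= yes\n\tsocket_type\t= dgram\n}\n' > "$1/xinetd.d/tftp"
    printf 'service echo\n{\n\tsocket_type\t= stream\n}\n' > "$1/xinetd.d/echo"
}

root=$(mktemp -d)
make_sample_xinetd "$root"
echo "enabled services: $(xinetd_enabled_services "$root/xinetd.d" | tr '\n' ' ')"
echo "missing limits:   $(xinetd_missing_limits "$root/xinetd.conf" | tr '\n' ' ')"
xinetd_disable_service "$root/xinetd.d/echo"
xinetd_disable_service "$root/xinetd.d/telnet"
echo "after hardening:  $(xinetd_enabled_services "$root/xinetd.d" | tr '\n' ' ')"
rm -rf "$root"
```

The echo entry is the case worth noticing: it never mentions disable, so a check that only greps for disable = no would miss it, while xinetd launches it. After editing real entries, restart xinetd for the change to take effect.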

For more information, see the xinetd(8) and xinetd.conf(5) manual pages.