Administering TCP/IP Networks, IPMP, and IP Tunnels in Oracle® Solaris 11.3

Updated: March 2019

Recommendations for Configuring Systems That Run inetd Based Services

To safeguard against potential security vulnerabilities, you should configure systems that run necessary inetd based services so that the number of concurrent processes is limited. In addition, if a service that is controlled by the inetd daemon is not required, disable that service. See Stopping a Service in Managing System Services in Oracle Solaris 11.3 for instructions.

The inetd daemon is the delegated restarter for Internet services for the Service Management Facility (SMF). Use the inetadm command to display a list of the services that are controlled by inetd:

$ inetadm
ENABLED   STATE        FMRI
disabled  disabled     svc:/application/cups/in-lpd:default
enabled   online       svc:/network/finger:default
disabled  disabled     svc:/application/x11/xvnc-inetd:default

Then, decide on the maximum number of concurrent processes for a given service and set that limit by using the inetadm command to set the max_copies property for the specified service.

For example, to limit the finger service to 3 concurrent instances:

# inetadm -m svc:/network/finger:default max_copies=3

Then, verify the change as follows:

$ inetadm -l finger | grep copies
max_copies=3

The -l option displays the current values for all of the properties of a specified service.

Use the -p option to list the properties that are common to all services that are managed by the inetd daemon and their default values.

$ inetadm -p
NAME=VALUE
bind_addr=""
bind_fail_max=-1
bind_fail_interval=-1
max_con_rate=-1
max_copies=-1
con_rate_offline=-1
failrate_cnt=40
failrate_interval=60
inherit_env=TRUE
tcp_trace=FALSE
tcp_wrappers=FALSE
connection_backlog=10
tcp_keepalive=FALSE

The -1 value for the max_copies property means that by default the number of processes that can run concurrently is not limited.


Note - Because it is difficult to determine a limit that is appropriate for all customers and all environments, Oracle does not provide a generic default limit recommendation for this value.

Use the -m option to modify the value of a property for a specified service. For example, you would limit the number of finger processes that can run concurrently to 5 as follows:

$ inetadm -m svc:/network/finger:default max_copies=5
$ inetadm -l finger | grep copies
max_copies=5
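As an added example that is not part of the Oracle documentation, the following POSIX shell script ties the steps above together: it reads an inetadm service listing, looks up max_copies for each enabled service, and reports the ones still at the unlimited default of -1 along with the inetadm -m command that would cap them. The inetadm output embedded in it is constructed to approximate the real command's format, the props_for function stands in for inetadm -l so the script runs offline on any system, and the enabled state of xvnc-inetd and all property values are assumptions made for the sample.

```shell
#!/bin/sh
# Added example, not from the Oracle Solaris documentation: audit the
# max_copies property of every enabled inetd-managed service and report
# the ones still at -1 (unlimited concurrent processes).
#
# The listings below are CONSTRUCTED samples in the shape of `inetadm` and
# `inetadm -l <service>` output, so the script runs offline on any POSIX
# shell with awk. On a Solaris host, replace props_for with a call to
# `inetadm -l "$1"` and feed audit_unlimited the real `inetadm` listing.

# Constructed `inetadm` listing: xvnc-inetd is enabled here (it is disabled
# in the documentation's example) so that the audit has something to flag.
SAMPLE_LIST='ENABLED   STATE        FMRI
disabled  disabled     svc:/application/cups/in-lpd:default
enabled   online       svc:/network/finger:default
enabled   online       svc:/application/x11/xvnc-inetd:default'

# Constructed `inetadm -l finger` listing after `inetadm -m ... max_copies=3`.
# A blank SCOPE column marks a value set on the service itself; "default"
# marks a value inherited from the inetd defaults shown by `inetadm -p`.
SAMPLE_FINGER='SCOPE    NAME=VALUE
         name="finger"
         endpoint_type="stream"
         proto="tcp6"
         wait=FALSE
default  bind_addr=""
default  max_con_rate=-1
         max_copies=3
default  con_rate_offline=-1
default  connection_backlog=10'

# Constructed `inetadm -l xvnc-inetd` listing with max_copies still at the default.
SAMPLE_XVNC='SCOPE    NAME=VALUE
         name="xvnc-inetd"
         endpoint_type="stream"
         proto="tcp6"
         wait=FALSE
default  bind_addr=""
default  max_con_rate=-1
default  max_copies=-1
default  con_rate_offline=-1
default  connection_backlog=10'

# Print the FMRI of every enabled service in an `inetadm` listing read from stdin.
enabled_fmris() {
    awk 'NR > 1 && $1 == "enabled" { print $3 }'
}

# Print the max_copies value from an `inetadm -l <service>` listing read from
# stdin. Splitting on "=" keeps the optional SCOPE column inside field 1, so
# both "default  max_copies=-1" and "         max_copies=3" are handled.
max_copies_of() {
    awk -F'=' '$1 ~ /max_copies$/ { print $2; exit }'
}

# Stand-in for `inetadm -l "$1"` on a real host: returns the constructed
# listing for the sample FMRIs above and fails for anything else.
props_for() {
    case "$1" in
        svc:/network/finger:default)             printf '%s\n' "$SAMPLE_FINGER" ;;
        svc:/application/x11/xvnc-inetd:default) printf '%s\n' "$SAMPLE_XVNC" ;;
        *) return 1 ;;
    esac
}

# Walk the enabled services in the listing passed as $1 and print one line per
# service whose max_copies is -1, together with the inetadm -m command that
# would cap it (N is a placeholder; the documentation gives no generic value).
audit_unlimited() {
    printf '%s\n' "$1" | enabled_fmris | while read -r fmri; do
        copies=$(props_for "$fmri" | max_copies_of)
        if [ "$copies" = "-1" ]; then
            printf '%s max_copies=-1 (unlimited); fix: inetadm -m %s max_copies=N\n' \
                "$fmri" "$fmri"
        fi
    done
}

audit_unlimited "$SAMPLE_LIST"
```

With the constructed samples, only the xvnc-inetd service is reported, because finger already carries a service-level max_copies=3; the "default" marker in the SCOPE column is what distinguishes an inherited -1 from a value an administrator set deliberately.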

For more information, see the inetadm(1M) man page.