Re: Disable service identification

I reproduced the state where inetd doesn't allow telnet, ftp, etc...  I checked 
the console as well as the messages log and found nothing, other than an xaudio 
error message.

In the end, I think we are going to pound out xaudio in inetd.conf.  These are 
servers and don't do an xwindows at all.

Thanks for the info, it was very helpful.

Pete
  ----- Original Message ----- 
  From: Devitto, Dom 
  To: nessus@list.nessus.org 
  Sent: Friday, July 13, 2007 11:47 AM
  Subject: RE: Disable service identification


  Michel is still right.



  Inetd is trying to start the non-existent executable, when a connection is 
made, and can't, so terminates the connection immediately.



  Further connections from Nessus, with a short, or nearly no delay, do the 
same, and inetd will detect this *perfectly correctly*, as a misconfigured 
inetd.conf.  As it's misconfigured it then backs off and doesn't allow any 
further connections for a while.  This is the documented behaviour of Solaris 8:



             -r  count interval



             count  and interval are decimal numbers that represent

             the  maximum   count  of  invocations  per interval of

             seconds a service may be started before the service is

             considered  ``broken.''



             Once considered ``broken,'' a server is suspended  for

             ten  minutes.   After ten minutes, inetd again enables

             service, hoping the server behaves correctly.



             If the -r flag is  not  specified,  inetd  behaves  as

             though -r40 60 was specified.



  So you would expect, by default 40 connections in under 60 seconds of your 
misconfigured Xaudio service to result in a 10 minute suspension of the Xaudio 
service.



  Anything beyond this behaviour (e.g. disabling telnet in any way) is a 
Solaris 8 bug, and certainly nothing to do with Nessus.



  Dom

  Dom De Vitto  | Security Consultant

  Virgin Media,  Crawley Court, Crawley, Winchester, Hants, SO21 2QA

  M: 07855 805 271   D: 01483 87 5500   E: Dom.DeVitto@VirginMedia.co.uk

  -----Original Message-----
  From: nessus-bounces@list.nessus.org [mailto:nessus-bounces@list.nessus.org] 
On Behalf Of Pete Duffin
  Sent: 12 July 2007 22:34
  To: Michel Arboi
  Cc: nessus@list.nessus.org
  Subject: Re: Disable service identification



  I'll have a look in the morning regarding the messages you mentioned.



  However, I pounded out xaudio in inetd.conf and the problem is now gone. 

  Interestingly enough, this is the line in inetd.conf:



  xaudio        stream   tcp              wait     root 

  /usr/openwin/bin/Xaserver              Xaserver -noauth -inetd



  The binary /usr/openwin/bin/Xaserver  does not exist on the box.  Not sure 

  if that has something to do with it.



  There are about 600 or so solaris 8 boxes, all with the same inetd.conf, all 

  with this problem.  I'm hoping xaudio was the problem.  They are servers, so 

  audio isn't needed.





  ----- Original Message ----- 

  From: "Michel Arboi" <mikhail@nessus.org>

  To: "Pete Duffin" <pduffin@blabbernet.net>

  Cc: <nessus@list.nessus.org>

  Sent: Thursday, July 12, 2007 4:40 PM

  Subject: Re: Disable service identification





  Le Thu, 12 Jul 2007 16:30:26 -0400,

  "Pete Duffin" <pduffin@blabbernet.net> a écrit :



  > Do you recall if xaudio has ever been a problem with Nessus?



  No.



  I am convinced that your problem is the classical rate limitation on

  inetd. Have you seen something like "telnet/tcp server failing

  (looping), service terminated" on your console or in /var/log/messages?



  Solaris is not uncommon and I'd be very surprised if a denial of

  service against such a critical component would have been unnoticed

  until now. 



  _______________________________________________

  Nessus mailing list

  Nessus@list.nessus.org

  http://mail.nessus.org/mailman/listinfo/nessus


------------------------------------------------------------------------------
Save Paper - Do you really need to print this e-mail?

Visit www.virginmedia.com for more information, and more fun.

This email and any attachments are or may be confidential and legally 
privileged and are sent solely for the attention of the addressee(s). If you 
have received this email in error, please delete it from your system: its use, 
disclosure or copying is unauthorised. Statements and opinions expressed in 
this email may not represent those of Virgin Media. Any representations or 
commitments in this email are subject to contract. Please note that we are 
migrating our email addresses to a company wide address of 
"@virginmedia.co.uk". If you are sending to a Telewest or ntl email address 
your email will be re-directed. 

Registered office: 160 Great Portland Street, London W1W 5QA. Registered in 
England and Wales with number 2591237


==============================================================================



------------------------------------------------------------------------------


  _______________________________________________
  Nessus mailing list
  Nessus@list.nessus.org
  http://mail.nessus.org/mailman/listinfo/nessus

_______________________________________________
Nessus mailing list
Nessus@list.nessus.org
http://mail.nessus.org/mailman/listinfo/nessus