2. TCP Wrappers (simple firewall)

Introduction to TCP Wrappers

TCP_Wrappers is a host-based access-control tool that sits just above the transport layer: it is not a packet filter but a check that a network service performs on each accepted, stateful TCP connection, using the client's address to decide whether the service may proceed. Any program that links the libwrap.so library is subject to it; common examples are rpcbind, vsftpd, sshd and telnet. Its main job is to control who may reach a given service.
How to tell whether a service is covered (a service that does not link libwrap.so ignores hosts.allow and hosts.deny completely; note that upstream OpenSSH removed libwrap support in version 6.7, some distributions patched it back into their package and others ship no tcp_wrappers at all, so run this check before relying on hosts.allow/hosts.deny for sshd):

Find where the service's binary lives
	[root@test1 ~]# which sshd
	/usr/sbin/sshd
Check whether that binary loads libwrap.so at run time
	[root@test1 ~]# ldd /usr/sbin/sshd | grep libwrap.so
		libwrap.so.0 => /lib64/libwrap.so.0 (0x00007fbdd494d000)

How TCP Wrappers work

Take ssh as an example. Each time a connection to sshd is accepted, libwrap reads the access-control files set by the administrator before any SSH protocol exchange takes place; because the files are read on every connection, changes take effect immediately without restarting the service. If the client address satisfies the rules, the connection is handed to sshd unchanged and sshd carries on as normal. If it does not, the connection is closed at once and the client is refused the ssh service. Since the TCP handshake has already completed at that point, the client sees an accepted connection that is immediately closed (the "Connection reset by peer" messages in the cases below) rather than a timeout, so TCP_Wrappers gives no protection against connection floods; it complements a packet filter such as iptables rather than replacing it.

  • hosts.allow is consulted first; the first matching line in either file decides, and a client matched by neither file is allowed
  • Allow a few, deny everyone else: list the permitted clients in hosts.allow and put a catch-all such as sshd:ALL (or ALL:ALL) in hosts.deny
  • Deny a few, allow everyone else: list the blocked clients in hosts.deny and leave hosts.allow empty

Use of TCP Wrappers

TCP_Wrappers is driven by two configuration files, /etc/hosts.allow and /etc/hosts.deny. By default both files are empty (or absent), so no connection is restricted until rules are added.
Configuration file syntax (one rule per line):
service_list[@host]: client_list
-service_list: one or more service (program) names, separated by "," or blanks; ALL matches every wrapped service
-@host: optional; restricts the rule to connections arriving on that local address, for hosts with several interfaces. When it is omitted the rule applies to all of the server's addresses
-client_list: the addresses of the clients the rule applies to; several entries can be separated by blanks or ","

The client_list entries can take the following forms:
-Based on IP address: 192.168.117.130 192.168.117.131
-Based on host name: www.baidu.com www.aliyun.com
-Based on network prefix (trailing dot): 192.168.117.
-Based on network/mask: 192.168.0.0/255.255.255.0
-Built-in wildcards: ALL (every host), LOCAL (hosts whose name contains no dot, i.e. the local domain)

Experimental case

Prepare two Linux operating system hosts, configure relevant network parameters, and realize normal communication.

Host name          IP               root password
test1 (client)     192.168.117.130  123
test2 (server)     192.168.117.131  123

1. Deny 192.168.117.130 from connecting to this machine over ssh

#test2: add the deny rule
	[root@test2 ~]# vim /etc/hosts.deny 
	sshd:192.168.117.130
#test1: the ssh connection to test2 is refused
	[root@test1 ~]# ssh root@192.168.117.131
	ssh_exchange_identification: read: Connection reset by peer

2. Deny a whole network segment from connecting to this machine over ssh

#test2: add the deny rule (the trailing dot makes it a prefix match on 192.168.117.0/24)
	[root@test2 ~]# vim /etc/hosts.deny 
	sshd:192.168.117.
#test1: the ssh connection to test2 is refused
	[root@test1 ~]# ssh root@192.168.117.131
	ssh_exchange_identification: read: Connection reset by peer

3. Allow only 192.168.117.130 to connect to this machine over ssh

#test2: add the allow rule (hosts.allow is checked first, so it overrides the segment-wide deny from case 2)
	[root@test2 ~]# vim /etc/hosts.allow 
	sshd:192.168.117.130
#test1: the ssh connection to test2 succeeds
	[root@test1 ~]# ssh root@192.168.117.131
	root@192.168.117.131's password: 
	# test2 root password: 123
	Last login: Mon Oct 12 22:04:30 2020 from 192.168.117.130
	[root@test2 ~]# 
With hosts.deny still holding the sshd:192.168.117. rule from case 2, other hosts on that segment are refused but addresses outside it are still let in. To make 192.168.117.130 truly the only permitted client, replace the deny rule with sshd:ALL, and keep an existing session open while you edit so a mistake in hosts.deny cannot lock you out.
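The matching order described under "How TCP Wrappers work" and the client-list forms given in the syntax section can be exercised without two hosts. The script below is an added example, not tcp_wrappers code and not from the original post: it re-implements the libwrap decision (hosts.allow first, then hosts.deny, default allow) for the patterns this page uses (exact address, trailing-dot prefix, network/mask, ALL) and replays the three experiment cases against constructed files in a scratch directory. The function names ip_to_int, pattern_matches, file_matches, decide and demo are assumptions of this example; host names, LOCAL, EXCEPT lists and IPv6 are deliberately left out, and the @host qualifier is stripped rather than checked. On a live host, tcpdmatch(8) from the tcp_wrappers package runs the real matcher over /etc/hosts.allow and /etc/hosts.deny and is the tool to use before applying a rule.

```shell
#!/bin/sh
# Added example (not tcp_wrappers code): a small re-implementation of the libwrap
# decision order for the client patterns shown on this page, so the experiment
# can be checked offline. Not handled: host names, LOCAL, EXCEPT lists, IPv6;
# the optional @server-address qualifier is stripped, not enforced.

# ip_to_int 192.168.117.130 -> 3232265602 (dotted quad as a 32-bit integer)
ip_to_int() {
    oldifs=$IFS; IFS=.; set -- $1; IFS=$oldifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# pattern_matches PATTERN CLIENT_IP -> exit status 0 when the client matches
pattern_matches() {
    case $1 in
        ALL) return 0 ;;
        */*)                               # network/mask, e.g. 192.168.0.0/255.255.255.0
            net=${1%/*}; mask=${1#*/}
            m=$(ip_to_int "$mask")
            [ $(( $(ip_to_int "$2") & m )) -eq $(( $(ip_to_int "$net") & m )) ] ;;
        *.)                                # trailing dot = address prefix, e.g. 192.168.117.
            [ "${2#"$1"}" != "$2" ] ;;
        *)                                 # anything else is an exact address
            [ "$1" = "$2" ] ;;
    esac
}

# file_matches FILE SERVICE CLIENT_IP -> exit 0 when some rule in FILE covers the pair
file_matches() {
    [ -f "$1" ] || return 1
    while IFS= read -r line || [ -n "$line" ]; do
        line=${line%%#*}                              # strip comments
        case $line in *:*) ;; *) continue ;; esac     # skip blank or malformed lines
        line=$(printf '%s' "$line" | tr ',' ' ')      # lists may be comma- or blank-separated
        services=${line%%:*}; clients=${line#*:}
        services=${services%%@*}                      # drop the optional @server-address part
        for svc in $services; do
            [ "$svc" = "$2" ] || [ "$svc" = ALL ] || continue
            for pat in $clients; do
                pattern_matches "$pat" "$3" && return 0
            done
        done
    done < "$1"
    return 1
}

# decide ALLOW_FILE DENY_FILE SERVICE CLIENT_IP -> prints allow or deny.
# Same order as libwrap: a hosts.allow match grants, otherwise a hosts.deny
# match refuses, and a client listed in neither file is allowed.
decide() {
    if file_matches "$1" "$3" "$4"; then echo allow
    elif file_matches "$2" "$3" "$4"; then echo deny
    else echo allow
    fi
}

# Replay the three experiment cases against constructed files in a scratch directory.
demo() {
    d=${TMPDIR:-/tmp}/tcpwrap-demo.$$
    mkdir -p "$d"
    printf 'sshd:192.168.117.130\n' > "$d/hosts.deny"   # case 1: deny one host
    echo "case 1 192.168.117.130 -> $(decide "$d/hosts.allow" "$d/hosts.deny" sshd 192.168.117.130)"
    printf 'sshd:192.168.117.\n' > "$d/hosts.deny"      # case 2: deny the whole segment
    echo "case 2 192.168.117.200 -> $(decide "$d/hosts.allow" "$d/hosts.deny" sshd 192.168.117.200)"
    printf 'sshd:192.168.117.130\n' > "$d/hosts.allow"  # case 3: let one host back in
    echo "case 3 192.168.117.130 -> $(decide "$d/hosts.allow" "$d/hosts.deny" sshd 192.168.117.130)"
    echo "case 3 10.0.0.5        -> $(decide "$d/hosts.allow" "$d/hosts.deny" sshd 10.0.0.5)"
    rm -rf "$d"
}
demo
```

The last line of the demo is the point of the note under case 3: with only the segment rule in hosts.deny, a client outside 192.168.117.0/24 is still admitted, and only a catch-all sshd:ALL in hosts.deny turns the hosts.allow entry into a true whitelist.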

Origin blog.csdn.net/Tiamon_/article/details/109005363