Linux, TCP Wrappers access control

TCP Wrappers is a protection mechanism shared by a range of network service programs: it controls access to a service based on the address of the client that connects. Two policy files, /etc/hosts.allow and /etc/hosts.deny, hold the allow and deny policies respectively.

The two policy files play different roles, but they share the same record format:

<Service program list>: <Client Address List>
The service program list and the client address list are separated by a colon; multiple entries within either list are separated by commas.

1. Service program list:

  • ALL: matches every wrapped service.
  • A single service program, named after the daemon's executable: such as "dhcpd".
  • A list of several service programs: such as "named, sshd".

2. Client address list:

  • ALL: matches any client address.
  • LOCAL: matches local hosts, i.e. any host whose name contains no dot.
  • A single IP address: such as "192.168.1.1".
  • A network segment written as network/netmask: such as "192.168.1.0/255.255.255.0".
  • A network prefix ending in a dot: such as "192.168.2." (matches every address that begins with that string, so it covers 192.168.2.0/24).

TCP Wrappers evaluates its access policy as follows. It first checks /etc/hosts.allow; if a matching rule is found, access is allowed. Otherwise it goes on to check /etc/hosts.deny; if a matching rule is found there, access is refused. If neither file contains a matching rule, access is allowed. Note that this default differs from the ACLs on most network devices, which end in an implicit deny: a hosts.deny without a catch-all "ALL: ALL" entry leaves every service that is not explicitly listed open to everyone. Also, TCP Wrappers only governs daemons that actually consult these two files, i.e. those linked against libwrap or started through tcpd/xinetd. Upstream OpenSSH removed libwrap support in version 6.7 and several distributions have since dropped the tcp_wrappers package altogether, so before relying on these files verify that the daemon is wrapped, for example with: ldd $(command -v sshd) | grep libwrap

For example:

Suppose only the host 61.63.65.67 and hosts on the 192.168.2.0/24 network segment should be allowed to reach the sshd service, and every other address should be denied. You can do the following:

[root@localhost ~]# vim /etc/hosts.allow 
sshd:61.63.65.67,192.168.2.
[root@localhost ~]# vim /etc/hosts.deny 
sshd:ALL
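As an added example (not code from the original post), the following Python script simulates the lookup order described above over the page's own two-line policy, and over a stricter hosts.deny with a catch-all "ALL: ALL" entry. It is a model of the documented matching rules, not libwrap itself: it assumes IPv4 client addresses, the pattern forms listed above (ALL, LOCAL, single address, network/netmask, trailing-dot prefix, plus the leading-dot domain suffix form), and no EXCEPT operator. The policy texts, the hypothetical hostnames and the vsftpd service used in the checks are constructed for the demonstration.

```python
import ipaddress

# Constructed sample policy files. The first two reproduce the page's example;
# HOSTS_DENY_STRICT is the catch-all a practitioner would normally add.
HOSTS_ALLOW = """\
# trailing dot = numeric prefix match, so 192.168.2. covers 192.168.2.0/24
sshd: 61.63.65.67, 192.168.2.
"""
HOSTS_DENY = "sshd: ALL\n"
HOSTS_DENY_STRICT = "ALL: ALL\n"


def parse_rules(text):
    """Parse 'daemon_list : client_list [: option]' lines into (daemons, clients).

    IPv4 only: tcp_wrappers writes IPv6 patterns in brackets, which this
    simple colon split does not handle.
    """
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        fields = [f.strip() for f in line.split(":")]
        if len(fields) < 2:
            continue                          # malformed line; libwrap logs and ignores it
        daemons = [d for d in (x.strip() for x in fields[0].split(",")) if d]
        clients = [c for c in (x.strip() for x in fields[1].split(",")) if c]
        rules.append((daemons, clients))
    return rules


def client_matches(pattern, addr, name=None):
    """Match one client pattern against an IPv4 address and an optional hostname."""
    if pattern == "ALL":
        return True
    if pattern == "LOCAL":
        # hosts_access(5): LOCAL matches any host whose name contains no dot
        return name is not None and "." not in name
    if "/" in pattern:
        # network/netmask form such as 192.168.1.0/255.255.255.0 (CIDR also accepted)
        return ipaddress.ip_address(addr) in ipaddress.ip_network(pattern, strict=False)
    if pattern.endswith("."):
        # trailing dot: plain string prefix match on the address; because the dot
        # itself must match, "192.168.2." does not cover 192.168.20.5
        return addr.startswith(pattern)
    if pattern.startswith("."):
        # leading dot: domain suffix match on the resolved hostname
        return name is not None and name.endswith(pattern)
    return addr == pattern or name == pattern


def rule_matches(rules, service, addr, name=None):
    """True if some rule names this service (or ALL) and one of its client patterns matches."""
    return any(
        ("ALL" in daemons or service in daemons)
        and any(client_matches(p, addr, name) for p in clients)
        for daemons, clients in rules
    )


def hosts_access(service, addr, allow_text=HOSTS_ALLOW, deny_text=HOSTS_DENY, name=None):
    """Apply the documented search order and return (verdict, reason)."""
    if rule_matches(parse_rules(allow_text), service, addr, name):
        return ("allow", "matched hosts.allow")
    if rule_matches(parse_rules(deny_text), service, addr, name):
        return ("deny", "matched hosts.deny")
    return ("allow", "no rule matched; TCP Wrappers defaults to allow")


if __name__ == "__main__":
    cases = [("sshd", "61.63.65.67"), ("sshd", "192.168.2.77"),
             ("sshd", "192.168.20.5"), ("sshd", "10.0.0.5"), ("vsftpd", "10.0.0.5")]
    for svc, ip in cases:
        print(f"{svc:7} {ip:14} page's hosts.deny -> {hosts_access(svc, ip)[0]:5}  "
              f"with ALL: ALL -> {hosts_access(svc, ip, deny_text=HOSTS_DENY_STRICT)[0]}")
```

Running it shows the trap in the page's example: with hosts.deny containing only "sshd: ALL", a connection from 10.0.0.5 to any other wrapped service (vsftpd in the simulation) falls through both files and is allowed. Adding "ALL: ALL" to hosts.deny closes that gap without affecting the sshd whitelist, because hosts.allow is consulted first and wins.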


Source: blog.51cto.com/14154700/2402289