Linux: restricting access by IP with /etc/hosts.allow and /etc/hosts.deny [repost]

In short

  • Restrict access from certain IPs

Idea

  • The usual practice seems to be to configure this through hosts.deny, and the setting applies to a specific process for a specific service; here it is sshd
  • It looks like a network segment is written as
x.x.x.0/24
Appending /24 is interesting; it seems to be what keeps the whole segment
  • The method above appears to be a subnet-mask style match
  • A simpler way seems to be to keep only the leading part:
131.155. matches anything that follows, such as 131.155.1.1
  • Besides restricting sshd, it seems it can restrict everything; this is a bit like hosts, only more special, since hosts only resolves domain names

Experience

  • Changes take effect immediately, but not for shells that are already open, so keep the current shell open while setting things up and test by opening a new shell
  • Its syntax is interesting; the last part appears to be optional
192.168.0.0/255.255.255.0:deny
  • Within a rule, [,] separates multiple IPs and [:] separates the action
  • Huh, [255.255.255.0] appears to refer to the local network segment
  • It seems either upper or lower case works
  • It works in real time: the modification takes effect as soon as it is saved

Still unclear

  • What is the priority between allow and deny?

A working IP-segment example

  • This seems to work
[root@li576-236 ~]# cat /etc/hosts.allow
#
# hosts.allow   This file describes the names of the hosts which are
#               allowed to use the local INET services, as decided
#               by the '/usr/sbin/tcpd' server.
#

# for the shell
sshd:11.8.,12.1.,18.3.:allow

Interesting

  • It seems a .0 IP does not exist as a real host; it appears to be a virtual address
192.168.1.0

First attempt

Restrict sshd

hosts.deny

  • Edit it directly
vim /etc/hosts.deny
  • Add this and reject everything
# no sshd
sshd : ALL

hosts.allow

  • Edit it
vim /etc/hosts.allow
  • Try a .0.0 segment: sorry, cannot log in! (hidden)
# for the shell - this does nothing
sshd: 101.11.0.0/24
  • What if the full IP is given? It can log in, which shows it works
# for the shell - it allows exactly this IP; the /24 has an effect here
sshd: 101.11.10.1/24
  • What if the tail is removed? It worked!
# for the shell - it allows the whole IP segment! Oh wow
sshd: 101.11.
Other cases
  • Note a strange case here: if the last part is omitted, the trailing spaces must be removed completely! A space becomes part of the pattern that is matched
  • Building on that, what if /24 is appended? It does not work
# for the shell - it cannot allow this IP segment, failed
sshd: 101.11./24
  • What if a label is added after it? That also works
# for the shell - a label after it seems to be fine
sshd: 101.11.:allow
  • What about an arbitrary label? No, that fails
# for the shell - now it does nothing and the IP is denied - there may be a pattern problem
sshd: 101.11.:hello
  • What if allow is put back in the middle? Still nothing
# for the shell - still does nothing - there may be a pattern problem
sshd: 101.11.:allow:hello
  • Comma-separated multiple IPs? The second one did not work, probably because a dot is missing
# for the shell - with a comma only the first one worked; the second may be missing a dot - worth another try
sshd: 101.11.,103.22:allow:hello
  • With a comma, and each entry ending in a dot, it worked!
# for the shell - with a comma, all of them work! They must end with a dot, and spaces seem not to matter (best)
sshd: 101.11., 103.22.:allow

Idea

  • It looks like Windows also has this file

Voice-note idea


  • Restricting sshd does not look complicated: it is done through the hosts files (commands?), which does most of the work, and then you can configure the rejection; the interesting part is that the same setting can also be used for the pptp service, because it seems to be a restriction at the hosts level (the underlying network service system?)
-> .... hosts.allow ... does mac seem to have it too ... does Windows also have it ..? (C:/windows/driver/etc/hosts?)

Experience

/etc/hosts.allow and /etc/hosts.deny files under Linux - Baidu Space - reference [1]

/etc/hosts.allow and /etc/hosts.deny files under Linux
/etc/hosts.allow and /etc/hosts.deny are the two configuration files of the tcpd server; tcpd can control access from external IPs to this machine's services. The format of these two configuration files is:

  1. Service process name: host list: optional command to run when the rule matches, i.e. server_name: hosts-list [: command]

/etc/hosts.allow controls which IP addresses may access this machine; /etc/hosts.deny controls which IP addresses are prohibited from accessing it. If the two configuration files conflict, /etc/hosts.deny prevails. Here is an example of an /etc/hosts.allow:
ALL: 127.0.0.1 # allow this machine to access all of its own service processes
smbd: 192.168.0.0/255.255.255.0 # allow IPs in the 192.168.0 segment to access the smbd service.
The ALL keyword matches every case; EXCEPT matches everything except certain items; PARANOID matches the case where a client's IP address and host name do not agree (a disguised host name).
Today we disable login to the server from malicious IP addresses. Since remote access needs the sshd process, modify as follows:
1: Modify the "/etc/hosts.allow" file and add at the bottom:
sshd: 192.168.100.0/255.255.255.0 # allow all machines on the LAN to access the server's sshd process
sshd: 60.28.160.244 # allow the external address 60.28.160.244 to access the sshd process on this server
2: Modify the "/etc/hosts.deny" file and add as the last line:
sshd: All # deny all
Notes: 1): Before the change, edit the "/etc/hosts.allow" file first, and do not log out immediately after the change is done; do a login test first
          2): After the files are changed they take effect immediately, but have no effect on programs already running.

 

Bird Brother's Linux Private Kitchen - Don't remove the service - reference [2]

Check whether the tcp_wrappers package is installed:

To use the /etc/hosts.allow and /etc/hosts.deny files to control which computers may connect, the software "tcp_wrappers" is needed. To check whether your Linux host has this package installed, use:
 
rpm -q tcp_wrappers   or   rpm -qa | grep tcp

If you have this software it will be shown; if not, insert your Linux disc and install the rpm file!
 

Setting which computers are allowed to log in (/etc/hosts.allow):

It is actually very simple: just edit /etc/hosts.allow (if you do not have this file, create it with the vi editor). For example, my home computer's internal domain (LAN) is 192.168.1.0/255.255.255.0, meaning the computers in this domain have IPs between 192.168.1.1 and 192.168.1.255! So I set the contents of /etc/hosts.allow like this:
 
in.telnetd: 192.168.1.0/255.255.255.0, .ncku.edu.tw: allow

The reason .ncku.edu.tw is added is that I am at National Cheng Kung University, so with this line I can connect from the university to the Linux host at my home.
 

Setting which computers are not allowed to log in (/etc/hosts.deny):

Under normal circumstances Linux checks the hosts.allow file first; if your computer is allowed in that file, hosts.deny is not consulted at all. Therefore, once hosts.allow is set up, set /etc/hosts.deny to "no computer is allowed to log in", as follows:
 
in.telnetd: ALL: deny

As a result there is a basic protection measure in place (it takes effect without a reboot!).

 

hosts.allow - Linux Command - Unix Command - reference [3]

PATTERNS

The access control language implements the following patterns:

  • A string that begins with a `.' character. A host name is matched if the last components of its name match the specified pattern. For example, the pattern `.tue.nl' matches the host name `wzv.win.tue.nl'.
  • A string that ends with a `.' character. A host address is matched if its first numeric fields match the given string. For example, the pattern `131.155.' matches the address of (almost) every host on the Eindhoven University network (131.155.x.x).
  • A string that begins with an `@' character is treated as an NIS (formerly YP) netgroup name. A host name is matched if it is a host member of the specified netgroup. Netgroup matches are not supported for daemon process names or for client user names.
  • An expression of the form `n.n.n.n/m.m.m.m' is interpreted as a `net/mask' pair. An IPv4 host address is matched if `net' is equal to the bitwise AND of the address and the `mask'. For example, the net/mask pattern `131.155.72.0/255.255.254.0' matches every address in the range `131.155.72.0' through `131.155.73.255'.
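The pattern list just above, the rule format from reference [1], and the trial-and-error runs in the "First attempt" section can all be checked against a small evaluator. The following is an added example written for this page, not code from the original post or from tcp_wrappers: it implements the hosts_access(5) patterns quoted above (ALL, LOCAL, leading-dot suffix, trailing-dot prefix, net/mask, EXCEPT), the allow/deny options from hosts_options(5) (allow/deny must be the last option, and a rule with a syntax error such as an unknown option is denied), and the order tcp_wrappers actually uses: hosts.allow is searched first and a match there ends the search, hosts.deny is searched second, and a client matched by neither file is allowed. The sample rule files and client addresses are constructed; accepting `n.n.n.n/prefixlen` is an assumption about patched builds, since the classic 7.6 syntax is only `net/mask`. Host names are passed in by the caller rather than resolved.

```python
"""Evaluator for tcp_wrappers-style /etc/hosts.allow and /etc/hosts.deny rules.
Added example for this page, not code from the original post or from
tcp_wrappers.  Patterns follow hosts_access(5) as quoted above; the decision
order is the one tcp_wrappers uses: hosts.allow first, then hosts.deny, and a
client matched by neither file is allowed.  Host names are supplied by the
caller, so no DNS lookup is made."""
import ipaddress
import re

ALLOW, DENY = "allow", "deny"
# hosts_options(5) options that do not decide access on their own.
PASSIVE_OPTIONS = {"severity", "spawn", "twist", "rfc931", "banners", "nice",
                   "setenv", "umask", "user", "keepalive", "linger"}
# Constructed sample files (documentation and private address ranges).
SAMPLE_ALLOW = """\
# sshd from one host, one /24 and one domain; smbd from the LAN only
sshd: 192.168.10.88, 10.20.30.0/255.255.255.0, .example.net: allow
smbd: 192.168.0.0/255.255.255.0
"""
SAMPLE_DENY = """\
sshd: aLL
in.telnetd: ALL EXCEPT LOCAL: deny
"""

def split_list(field):
    """hosts_access(5): list elements are separated by blanks and/or commas."""
    return [tok for tok in re.split(r"[\s,]+", field.strip()) if tok]

def net_mask_matches(pattern, addr):
    """`n.n.n.n/m.m.m.m`: match when net == (addr AND mask), as the man page says,
    so a net with host bits set never matches.  `n.n.n.n/prefixlen` is an
    assumption about patched builds; classic 7.6 only has the dotted mask."""
    net_s, mask_s = pattern.split("/", 1)
    try:
        net = int(ipaddress.IPv4Address(net_s))
        if mask_s.isdigit():
            mask = int(ipaddress.IPv4Network(f"0.0.0.0/{mask_s}").netmask)
        else:
            mask = int(ipaddress.IPv4Address(mask_s))
        return (int(ipaddress.IPv4Address(addr)) & mask) == net
    except ValueError:                 # not a valid IPv4 pattern or address
        return False

def host_matches(pattern, addr, hostname):
    """One client pattern against one client (address plus resolved name)."""
    p = pattern.lower()                # tcp_wrappers compares case-insensitively
    if p == "all":
        return True
    if p == "local":                   # any host name without a dot
        return "." not in hostname
    if p.startswith("."):              # domain suffix, e.g. .tue.nl
        return hostname.lower().endswith(p)
    if p.endswith("."):                # address prefix, e.g. 131.155.
        return addr.startswith(p)
    if "/" in p:
        return net_mask_matches(p, addr)
    return p == addr or p == hostname.lower()   # anything else: exact match

def list_matches(field, match_one):
    """Evaluate `list_1 EXCEPT list_2` recursively (EXCEPT binds right to left)."""
    parts = re.split(r"\s+EXCEPT\s+", field.strip(), maxsplit=1, flags=re.IGNORECASE)
    if len(parts) == 2:
        return list_matches(parts[0], match_one) and not list_matches(parts[1], match_one)
    return any(match_one(tok) for tok in split_list(parts[0]))

def parse_rules(text):
    """Return [(daemon_list, client_list, [options])].  Blank lines and lines
    beginning with `#` are ignored; IPv6 literals (colons) are not handled."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 2:
            raise ValueError(f"malformed rule: {raw!r}")
        rules.append((fields[0], fields[1], [f.strip() for f in fields[2:]]))
    return rules

def apply_options(options, file_verdict):
    """allow/deny override the file the rule lives in and must be the last option;
    hosts_options(5): a rule with a syntax error (e.g. an unknown option such
    as `hello`) is reported to syslog and service is denied."""
    for i, opt in enumerate(options):
        words = opt.split()
        if not words:
            continue
        key = words[0].lower()
        if key in (ALLOW, DENY):
            return key if i == len(options) - 1 else DENY
        if key not in PASSIVE_OPTIONS:
            return DENY
    return file_verdict

def check_access(daemon, addr, hostname, allow_text, deny_text):
    """First matching rule in hosts.allow wins, then hosts.deny, else allow."""
    daemon_ok = lambda p: p.lower() in ("all", daemon.lower())
    client_ok = lambda p: host_matches(p, addr, hostname)
    for text, file_verdict in ((allow_text, ALLOW), (deny_text, DENY)):
        for daemons, clients, options in parse_rules(text):
            if list_matches(daemons, daemon_ok) and list_matches(clients, client_ok):
                return apply_options(options, file_verdict)
    return ALLOW
```

Two of the experiments in the "First attempt" section follow directly from these rules: `101.11` without a trailing dot is an exact-match pattern and so matches no address, and `101.11.10.1` lies outside `101.11.0.0/24`, so a correct net/mask match would not admit it either. List elements are split on blanks as well as commas, which is why a stray space inside a pattern changes what gets matched.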


SSH: restricting login by IP - Mr. Kang - 51CTO technology blog - reference [4]

In /etc/hosts.allow enter
  (where 192.168.10.88 is the IP you want to allow to log in via ssh, or a network segment such as 192.168.10.0/24)
  sshd: 192.168.10.88: allow
   
  In /etc/hosts.deny enter (meaning that apart from the addresses allowed above, all other IPs are refused SSH login)
  sshd: aLL
This article discusses some security measures that can strengthen SSH access to Unix and Linux servers.
The measures I personally recommend most strongly are:
1. Limit SSH access: binding sshd to one IP address is, security-wise, completely different from allowing all IP addresses.
2. Change sshd's default port 22 to another port.
Proceed as follows:
Prerequisites:
SSH client - I recommend PuTTY (search Google, you will find it quickly)
The SSH service is installed
Step one: log in to the server via SSH as root.
Step two: at the command prompt enter: pico -w /etc/ssh/sshd_config
Step three: page down and find the region of the file that looks like this:

  1. Port 22
  2. Protocol 2,1
  3. ListenAddress 0.0.0.0
  4. ListenAddress ::

Step four: remove the # comment symbol and modify:
port: #Port 22
change it to
Port 5678
(choose a 4-5 digit port number that you are not using; 49151 is the highest port number)
protocol: #Protocol 2,1
change it to:
Protocol 2
listen address: #ListenAddress 0.0.0.0
change it to:
ListenAddress 125.121.123.15 (the address here should be the client IP address you usually use to access the server)
Step five: if you want to disable direct root login, scroll down until you see

  1. PermitRootLogin yes

Remove the leading comment symbol # and change it to
PermitRootLogin no
Press the Ctrl key combination to save the changes, then press Ctrl + X to exit.
Step six: at the command prompt enter: /etc/rc.d/init.d/sshd restart
Step seven: exit SSH; from now on you must log in with the new port number (e.g. 49151), and the server only allows SSH login from the specific
IP address (e.g. 125.121.123.15).
Note:
If you cannot log in after the change or other problems arise, you only need to connect a monitor to your server or Telnet to the server, fix the settings, and then log in via SSH again. Telnet is a very insecure protocol, so after using it you had best change your root password.
(the end)
 
or
Linux: restricting ssh access by IP
 
In /etc/hosts.allow enter
(where 192.168.10.88 is the IP you want to allow to log in via ssh, or a network segment such as 192.168.10.0/24)
sshd: 192.168.10.88: allow
   
In /etc/hosts.deny enter (meaning that apart from the addresses permitted above, all other IPs are refused SSH login)
sshd: aLL
 
To change the port:
vi /etc/ssh/sshd_config
Port 3333

Last line, with an IP:
AllowUsers root@ip ------------------ allow a certain account to log in from a certain IP
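The sshd_config edits described in the steps above (Port, Protocol, ListenAddress, PermitRootLogin and the AllowUsers line) can be applied to the file without hand-editing. The following is an added example written for this page, not code from the original post or from OpenSSH. Two caveats are built into it: ListenAddress takes an address of the server's own network interface (sshd_config(5) defines it as the local addresses sshd listens on), not the client's address, so restricting which clients may connect belongs in hosts.allow or in an AllowUsers user@host entry; and on OpenSSH 7.6 and later protocol 1 no longer exists and Protocol is a deprecated keyword that sshd ignores. The sample configuration and the addresses 203.0.113.10 and 192.168.10.88 are constructed.

```python
"""Apply the sshd_config hardening steps above to a configuration text.
Added example, not code from the original post or from OpenSSH.  It rewrites
the stock commented-out defaults (`#Port 22`, `#ListenAddress 0.0.0.0`, ...)
in place instead of appending duplicates, touches only the global section
(everything from the first `Match` line on is copied untouched), and is
idempotent, so running it twice yields the same file."""
import ipaddress
import re

# Constructed sample mirroring the stock lines the page tells you to find.
SAMPLE_SSHD_CONFIG = """\
#Port 22
#Protocol 2,1
#ListenAddress 0.0.0.0
#ListenAddress ::
#PermitRootLogin yes
"""

def set_directive(lines, key, value):
    """Rewrite the first (possibly `#`-commented) `key` line of the global section
    as `key value`, drop later duplicates of it, or, if it is absent, insert it
    before the first `Match` block (or at the end when there is none)."""
    out, done, match_at = [], False, None
    for line in lines:
        if match_at is None and re.match(r"\s*match\b", line, re.IGNORECASE):
            match_at = len(out)            # Match blocks are copied verbatim
        # `#Port 22` counts as the directive; `# Port numbers ...` (a real
        # comment with a space after `#`) does not.
        m = None if match_at is not None else re.match(r"\s*#?(\S+)", line)
        if m and m.group(1).lower() == key.lower():
            if not done:
                out.append(f"{key} {value}")
                done = True
            continue                       # later duplicates are dropped
        out.append(line)
    if not done:
        out.insert(len(out) if match_at is None else match_at, f"{key} {value}")
    return out

def harden_sshd_config(text, port, listen_address, allow_users):
    """port: new listening port; listen_address: an address of the server's own
    interface (NOT the client's); allow_users: e.g. ["admin@192.168.10.88"]."""
    if not 1 <= port <= 65535:
        raise ValueError(f"port out of range: {port}")
    ipaddress.ip_address(listen_address)   # raises ValueError if malformed
    if not allow_users:
        raise ValueError("AllowUsers needs at least one user[@host] pattern")
    lines = text.splitlines()
    for key, value in (("Port", str(port)),
                       ("Protocol", "2"),  # deprecated and ignored on OpenSSH >= 7.6
                       ("ListenAddress", listen_address),
                       ("PermitRootLogin", "no"),
                       ("AllowUsers", " ".join(allow_users))):
        lines = set_directive(lines, key, value)
    return "\n".join(lines) + "\n"

if __name__ == "__main__":
    # 203.0.113.10 (server interface) and 192.168.10.88 (client) are placeholders.
    print(harden_sshd_config(SAMPLE_SSHD_CONFIG, 5678, "203.0.113.10",
                             ["admin@192.168.10.88"]), end="")
```

Write the result to a copy first, check it with `sshd -t -f /path/to/copy` before restarting sshd, and keep the current session open while verifying that a new login on the new port works, as the page itself advises.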

Reposted from

Linux restrict IP - /etc/hosts.allow and /etc/hosts.deny files - life and death bearish, refused to accept it dry! - CSDN blog https://blog.csdn.net/u013634961/article/details/39855543

Source: www.cnblogs.com/paul8339/p/10978976.html