TCP Wrappers access control on CentOS

Contents
One. TCP Wrappers overview
Two. TCP Wrappers access policy
1. Policy configuration format
2. Basic principles of access control
3. TCP Wrappers configuration example

One. TCP Wrappers overview

TCP Wrappers "wraps" a TCP service program: it takes over the port on which the service listens and inserts a security check in front of the service. Every inbound connection request has to pass this check before it is handed to the real service program (see the figure below). TCP Wrappers also logs every attempt to access a protected service, which gives the administrator plenty of material for security analysis. Note that only programs linked against libwrap, or started through tcpd/xinetd, consult TCP Wrappers at all; `ldd $(which sshd) | grep libwrap` tells you whether a given binary does.
[Figure: TCP Wrappers sitting between the network and the protected TCP service]

Two. TCP Wrappers access policy

TCP Wrappers protects network service programs of many kinds, and it controls access based on the address of the client that connects to the service. Two policy files, /etc/hosts.allow and /etc/hosts.deny, hold the allow policy and the deny policy respectively.

1. Policy configuration format

The two policy files have opposite effects, but they share the same record format:
<service program list>: <client address list>

The service program list and the client address list are separated by a colon; multiple entries within one list are separated by commas (blanks also work as separators).

1) Service program list

  • ALL: stands for all services;
  • A single service program, such as "vsftpd";
  • A list of several service programs, such as "vsftpd,sshd";

2) Client address list

  • ALL: stands for any client address;
  • LOCAL: local hosts, i.e. any host whose name contains no dot (such as localhost);
  • A single IP address, such as "192.168.10.1";
  • A network address with mask, such as "192.168.10.0/255.255.255.0";
  • A pattern beginning with ".", such as ".benet.com", which matches every host in the benet.com domain;
  • A network address ending with ".", such as "192.168.10.", which matches the whole 192.168.10.0/24 segment;
  • The wildcards "*" and "?": the former stands for any number of characters, the latter for exactly one character. For example "192.168.10.1*" matches every IP address that begins with 192.168.10.1, which includes 192.168.10.10 through 192.168.10.19 and 192.168.10.100 through 192.168.10.199, not just 192.168.10.1 itself. Wildcards cannot be combined with patterns that begin or end with "." or with net/mask notation;
  • A list of several client addresses, such as "192.168.1., 172.16.16., .benet.com".

2. Basic principles of access control

TCP Wrappers applies the two policy files in a fixed order. It first checks /etc/hosts.allow: if a matching rule is found, access is allowed. Otherwise it checks /etc/hosts.deny: if a matching rule is found, access is denied. If neither file contains a matching rule, access is allowed. Within each file the first matching rule wins, so the order of rules matters. Because the final default is "allow", a client that is mentioned in neither file can connect; a restrictive policy therefore always needs an explicit deny rule in hosts.deny.

3. TCP Wrappers configuration example

In practice a TCP Wrappers policy is usually one of two kinds. The looser policy is "allow all, deny a few": it only needs the individual deny rules added to hosts.deny. The stricter policy is "allow a few, deny all": besides the allow rules in hosts.allow, hosts.deny must contain an "ALL: ALL" deny rule (or a per-service "sshd: ALL" if only one service is being restricted).

Example:
To allow the sshd service to be reached only from the host 192.168.10.1 and from hosts on the 172.16.16.0/24 network, and to reject every other address, do the following:

[root@centos01 ~]# vim /etc/hosts.allow
sshd: 192.168.10.1, 172.16.16.*
[root@centos01 ~]# vim /etc/hosts.deny
sshd: ALL

The rules take effect for new connections immediately, because libwrap reads both files on every connection; no service restart is needed. Before relying on them, confirm that sshd on this system actually consults TCP Wrappers (upstream OpenSSH dropped libwrap support in 6.7, and RHEL/CentOS 8 and later no longer ship tcp_wrappers at all), and test the policy from the shell with tcpdmatch, for example `tcpdmatch sshd 192.168.10.1` (expected: access granted) and `tcpdmatch sshd 10.0.0.1` (expected: access denied).
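As an added example (not code from the original article), the following Python script models how the policy format of section 1 and the evaluation order of section 2 combine to produce the decisions in the example above. The two policy texts are constructed samples; the first hosts.allow line is the article's own sshd rule, and the vsftpd line is added to exercise the domain-suffix and net/mask forms. The script handles only the plain "daemon_list : client_list" form (no EXCEPT operator, no optional command field) and approximates the tcp_wrappers wildcard matcher with Python's fnmatch; on a real host, tcpdmatch gives the authoritative answer.

```python
import fnmatch
import ipaddress

# Constructed sample policy files. The first hosts.allow line mirrors the
# article's sshd example; the vsftpd line is an assumption added for illustration.
HOSTS_ALLOW = """
# /etc/hosts.allow (constructed sample)
sshd: 192.168.10.1, 172.16.16.*
vsftpd: .benet.com, 10.0.0.0/255.0.0.0
"""

HOSTS_DENY = """
# /etc/hosts.deny (constructed sample)
sshd: ALL
"""


def _split_list(field):
    """List items in hosts_access(5) are separated by commas and/or blanks."""
    return field.replace(",", " ").split()


def parse_rules(text):
    """Parse policy text into (service_patterns, client_patterns) tuples.

    Comments (#) and blank lines are ignored. Only the plain
    'daemon_list : client_list' form is handled; EXCEPT and the optional
    third ':' field (shell commands, allow/deny keywords) are out of scope.
    """
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        services, sep, clients = line.partition(":")
        if not sep:
            continue  # malformed line without a colon: skip it
        rules.append((_split_list(services), _split_list(clients)))
    return rules


def client_matches(pattern, ip, hostname=None):
    """Match one client pattern against a client IP and its reverse-lookup name."""
    if pattern == "ALL":
        return True
    if pattern == "LOCAL":
        # hosts_access(5): LOCAL matches any host name that contains no dot.
        return hostname is not None and "." not in hostname
    if pattern.startswith("."):
        # ".benet.com" matches every host whose name ends with that suffix.
        return hostname is not None and hostname.endswith(pattern)
    if pattern.endswith("."):
        # "192.168.10." matches every address that starts with that prefix.
        return ip.startswith(pattern)
    if "/" in pattern:
        # "192.168.10.0/255.255.255.0": net/mask notation.
        net, mask = pattern.split("/", 1)
        try:
            return ipaddress.ip_address(ip) in ipaddress.ip_network(
                f"{net}/{mask}", strict=False)
        except ValueError:
            return False
    if "*" in pattern or "?" in pattern:
        # Shell-style wildcards; fnmatch approximates the tcp_wrappers matcher
        # (fnmatch additionally understands [..] character classes).
        return fnmatch.fnmatchcase(ip, pattern) or (
            hostname is not None and fnmatch.fnmatchcase(hostname, pattern))
    return pattern == ip or pattern == hostname


def rule_matches(rule, service, ip, hostname=None):
    """A rule matches when both its service list and its client list match."""
    services, clients = rule
    return any(p in ("ALL", service) for p in services) and any(
        client_matches(p, ip, hostname) for p in clients)


def access_decision(allow_text, deny_text, service, ip, hostname=None):
    """Evaluate in the documented order: hosts.allow, then hosts.deny, then default allow."""
    for rule in parse_rules(allow_text):
        if rule_matches(rule, service, ip, hostname):
            return "allow"  # first match in hosts.allow wins
    for rule in parse_rules(deny_text):
        if rule_matches(rule, service, ip, hostname):
            return "deny"  # first match in hosts.deny wins
    return "allow"  # no rule in either file: access is granted


if __name__ == "__main__":
    checks = [
        ("sshd", "192.168.10.1", None),               # listed explicitly -> allow
        ("sshd", "172.16.16.200", None),              # wildcard 172.16.16.* -> allow
        ("sshd", "192.168.10.2", None),               # no allow rule, "sshd: ALL" -> deny
        ("vsftpd", "10.5.6.7", None),                 # net/mask match -> allow
        ("vsftpd", "198.51.100.4", "ftp.benet.com"),  # domain suffix -> allow
        ("vsftpd", "203.0.113.9", None),              # no rule anywhere -> default allow
        ("telnet", "203.0.113.9", None),              # service never mentioned -> default allow
    ]
    for service, ip, name in checks:
        verdict = access_decision(HOSTS_ALLOW, HOSTS_DENY, service, ip, name)
        print(f"{service:7} {ip:15} {name or '-':16} {verdict}")
```

The last two rows of the table are the ones worth remembering: vsftpd from 203.0.113.9 and a telnet daemon from anywhere are both allowed, purely because nothing in hosts.deny mentions them. That is the "default allow" behaviour described in section 2, and it is why a restrictive policy needs "ALL: ALL" in hosts.deny rather than just a per-service line.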


Source: blog.51cto.com/14156658/2450107