
How to configure TCP Wrappers in Linux system

2025-04-02 Update From: SLTechnology News&Howtos

Shulou (Shulou.com) 06/01

This article explains how to configure TCP Wrappers on a Linux system.

TCP Wrappers is a security mechanism in Linux that restricts access to a service in order to protect the system.

Introduction to TCP Wrappers:

TCP_Wrappers is a security tool that works at layer 4 (the transport layer). It performs security checks and access control for specific services with stateful connections.

Any program that links the libwrap.so library can be placed under the security control of TCP_Wrappers.

Its main function is to control who can access a service. Common programs that use it are rpcbind, vsftpd, sshd, and telnet.

1. TCP Wrappers "wraps" the TCP service program and listens on the service's port on its behalf, adding a security check. External connection requests must first pass this check and obtain permission before they can reach the real service program. TCP Wrappers is a default feature of most Linux distributions. To check that the package is installed:

rpm -q tcp_wrappers

2. Two implementation methods of the TCP Wrappers protection mechanism

(1) Use the tcpd program directly to protect other service programs. This requires running the tcpd program.

(2) Other network service programs call the libwrap.so.* link library, with no need to run the tcpd program. This method is more widely used and more efficient.

3. Use the ldd command to view a program's libwrap.so.* link library:

ldd $(which ssh vsftpd)

4. TCP Wrappers access policy. The TCP Wrappers mechanism protects various network service programs and applies access control to the client addresses that access the service.

The two corresponding policy files are /etc/hosts.allow and /etc/hosts.deny, which set the allow and deny policies, respectively.

(1) Service program list
ALL: represents all services.
Single service program: such as "vsftpd".
Multiple service programs: such as "vsftpd,sshd".

(2) Client address list
ALL: represents any client address.
LOCAL: represents the local address.
Multiple addresses are separated by commas.
The wildcards "?" and "*" are allowed: "*" represents characters of any length, "?" represents exactly one character.
Network segment address: such as 192.168.163. or 192.168.163.0/255.255.255.0
Domain address: such as ".benet.com", which matches all hosts in the domain.

5. The basic principle of the TCP Wrappers mechanism: first check the /etc/hosts.allow file and allow access if a matching policy is found; otherwise, continue to check the /etc/hosts.deny file and deny access if a matching policy is found; if both files are checked and no matching policy is found, access is allowed.

"Allow all, deny individual": simply add the appropriate deny policy to the /etc/hosts.deny file.

"Allow individual, deny all": in addition to adding an allow policy to /etc/hosts.allow, you also need to set an "ALL:ALL" deny policy in the /etc/hosts.deny file.

Example: allow access to the sshd service only from the host with IP address 12.0.0.1 or from hosts in the 192.168.80.0/24 network segment, and deny all other addresses.

vi /etc/hosts.allow
sshd:12.0.0.1,192.168.80.*

vi /etc/hosts.deny
sshd:ALL
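The check order from section 5, applied to the sshd policy above, as an added example that is not part of the original article. It is a simplified model, not libwrap itself: the function names are hypothetical, only two-field "services:clients" rules and IPv4 addresses are handled, and LOCAL and domain patterns are left out because they need a hostname.

```python
import fnmatch
import ipaddress

def client_matches(pattern, ip):
    """Match one client pattern against an IPv4 address string."""
    if pattern == "ALL":
        return True
    if "/" in pattern:                       # net/mask, e.g. 192.168.163.0/255.255.255.0
        return ipaddress.ip_address(ip) in ipaddress.ip_network(pattern, strict=False)
    if pattern.endswith("."):                # prefix form, e.g. 192.168.163.
        return ip.startswith(pattern)
    return fnmatch.fnmatchcase(ip, pattern)  # literal address, or "*" / "?" wildcards

def rule_matches(line, service, ip):
    """True if a 'services:clients' policy line covers this service and client."""
    line = line.strip()
    if not line or line.startswith("#") or ":" not in line:
        return False
    services, clients = (part.strip() for part in line.split(":", 1))
    service_list = [s.strip() for s in services.split(",")]
    client_list = [c.strip() for c in clients.split(",")]
    if "ALL" not in service_list and service not in service_list:
        return False
    return any(client_matches(c, ip) for c in client_list)

def decide(allow_lines, deny_lines, service, ip):
    """Apply the documented order: hosts.allow, then hosts.deny, else allow."""
    if any(rule_matches(l, service, ip) for l in allow_lines):
        return "allow"
    if any(rule_matches(l, service, ip) for l in deny_lines):
        return "deny"
    return "allow"   # nothing matched in either file: the default is allow

# Constructed policy lines mirroring the sshd example in the article.
HOSTS_ALLOW = ["sshd:12.0.0.1,192.168.80.*"]
HOSTS_DENY = ["sshd:ALL"]

if __name__ == "__main__":
    # 203.0.113.9 is a constructed documentation address standing in for "any other host".
    for svc, ip in [("sshd", "12.0.0.1"), ("sshd", "192.168.80.77"),
                    ("sshd", "203.0.113.9"), ("vsftpd", "203.0.113.9")]:
        print(svc, ip, decide(HOSTS_ALLOW, HOSTS_DENY, svc, ip))
```

The last case shows the default-allow behaviour: with only "sshd:ALL" in hosts.deny, vsftpd stays reachable from any address, which is why the "allow individual, deny all" pattern uses "ALL:ALL".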
