
How to configure TCP Wrappers access control

2025-01-20 Update From: SLTechnology News&Howtos shulou


Shulou(Shulou.com)06/01 Report--

This article introduces how to configure TCP Wrappers access control. Many people have questions about this in daily operation, so the editor consulted various materials and put together a simple, easy-to-use procedure. Hopefully it answers those questions; please follow along.

TCP Wrappers is a security tool that works at the transport layer. It performs security checks on, and applies access control to, specific connection-oriented services. TCP Wrappers "wraps" other TCP service programs and adds a security inspection step in front of them: an external connection request must first pass this inspection and be granted permission before it can reach the real service program.

Access Policy of TCP Wrappers

The objects protected by the TCP Wrappers mechanism are network service programs, and access control is decided according to the client address of the host accessing the service. The corresponding policy files are /etc/hosts.allow and /etc/hosts.deny, which hold the allow policies and the deny policies, respectively.

1. Configuration format of policy

The two policy files have opposite effects, but their configuration records share the same format:

service program list: client address list

The service program list and the client address list are separated by a colon, and multiple items within each list are separated by commas.

1) list of service programs

ALL: represents all services; a single service program: such as "vsftpd"; a list of multiple service programs: such as "vsftpd, sshd"

2) client address list

ALL: represents any client address; LOCAL: represents the local address; a single IP address: such as "192.168.10.1"; a network segment address, written as network/netmask: such as "192.168.10.0/255.255.255.0"; a domain name starting with ".": for example, ".benet.com" matches all hosts in the benet.com domain; a network address ending with ".": such as "192.168.10.", which matches the entire 192.168.10.0/24 segment; the embedded wildcards "*" and "?": the former represents a string of any length, the latter exactly one character, for example "192.168.10.1*" matches all IP addresses starting with 192.168.10.1 (wildcards cannot be mixed with the patterns that start or end with "."); a list of multiple client addresses: such as "192.168.1., 172.16.16., .benet.com"

2. Basic principles of access control

The access policies of the TCP Wrappers mechanism are applied in the following order and according to the following principles: first check the /etc/hosts.allow file, and if a matching policy is found, allow access; otherwise, continue to check the /etc/hosts.deny file, and if a matching policy is found, deny access; if neither file contains a matching policy, allow access.

3. TCP Wrappers configuration instance

When actually using the TCP Wrappers mechanism, the looser policy is "allow all, deny a few", and the stricter policy is "allow a few, deny all". The former only requires adding the corresponding deny policies to the hosts.deny file, while the latter requires adding the allow policies to hosts.allow and, in addition, setting the deny policy "ALL:ALL" in the hosts.deny file.

For example, suppose you want the sshd service to be reachable only from the host with IP address 192.168.10.1 or from hosts on the 172.16.16 network segment, and you want all other addresses denied. You can do the following:

[root@centos01 ~]# vim /etc/hosts.allow
sshd: 192.168.10.1, 172.16.16.*

[root@centos01 ~]# vim /etc/hosts.deny
sshd: ALL

This concludes the study of "how to configure TCP Wrappers access control". Combining theory with practice is the best way to learn, so go and try it.
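To see how the matching rules and the allow-then-deny evaluation order above play out, here is an added example (not code from the article) that re-implements that logic in Python over constructed copies of the two policy files from the configuration instance. It also shows the trap hinted at in the "allow a few, deny all" discussion: a service that has no entry in hosts.deny is reachable from anywhere.

```python
import fnmatch
import ipaddress

# Constructed sample policies, copied from the article's configuration instance.
HOSTS_ALLOW = "sshd: 192.168.10.1, 172.16.16.*\n"
HOSTS_DENY = "sshd: ALL\n"


def parse_policy(text):
    """Parse 'service list : client list' records into (services, clients) tuples."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()          # drop comments and blanks
        if not line or ":" not in line:
            continue
        services, clients = line.split(":", 1)
        rules.append(([s.strip() for s in services.split(",") if s.strip()],
                      [c.strip() for c in clients.split(",") if c.strip()]))
    return rules


def client_matches(pattern, addr, hostname=""):
    """Match one client pattern using the address forms listed in the article."""
    if pattern == "ALL":
        return True
    if pattern == "LOCAL":                            # hosts_access(5): a name without a dot
        return hostname != "" and "." not in hostname
    if pattern.startswith("."):                       # ".benet.com": any host in that domain
        return hostname.endswith(pattern)
    if "*" in pattern or "?" in pattern:              # wildcards, e.g. "172.16.16.*"
        return fnmatch.fnmatchcase(addr, pattern)
    if pattern.endswith("."):                         # "192.168.10." matches 192.168.10.0/24
        return addr.startswith(pattern)
    if "/" in pattern:                                # network/netmask form
        net, mask = pattern.split("/", 1)
        return ipaddress.ip_address(addr) in ipaddress.ip_network(f"{net}/{mask}", strict=False)
    return pattern == addr                            # single IP address


def rule_matches(rules, service, addr, hostname=""):
    return any((service in svcs or "ALL" in svcs)
               and any(client_matches(p, addr, hostname) for p in clients)
               for svcs, clients in rules)


def access_allowed(allow_text, deny_text, service, addr, hostname=""):
    """hosts.allow is checked first, then hosts.deny; no match in either means allow."""
    if rule_matches(parse_policy(allow_text), service, addr, hostname):
        return True
    if rule_matches(parse_policy(deny_text), service, addr, hostname):
        return False
    return True
```

Run `access_allowed(HOSTS_ALLOW, "", "sshd", "10.0.0.5")` to confirm that an empty hosts.deny lets every client through, which is why the deny entry is essential.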


© 2024 shulou.com SLNews company. All rights reserved.
