2025-04-11 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)06/01 Report--
The editor shares here how to use TCP wrappers in Linux to enhance the security of network services. I hope you will gain something after reading this article; let's discuss it together.
We will explain what TCP wrappers are and how to configure them on a Linux server to restrict access to network services. Before we begin, it must be clear that TCP wrappers do not eliminate the need for a properly configured firewall.
Understanding the hosts.allow and hosts.deny files correctly
When a network request arrives at your host, the TCP wrapper consults hosts.allow and then hosts.deny (in that order) to determine whether the client is allowed to use the requested service.
By default, these files are empty, fully commented out, or do not exist at all, so every request passes through the TCP wrapper and your system is left to rely on the firewall for all of its protection. That is not what we want. For the reasons given at the beginning, make sure the following two files exist:
# ls -l /etc/hosts.allow /etc/hosts.deny
The syntax rules for the two files are the same:
services : clients [: action1 : action2 : ...]
In these files:
services refers to the services the current rule applies to, as a comma-separated list.
clients refers to the hostnames or IP addresses affected by the rule, separated by commas. The following wildcards are also accepted:
ALL matches everything, and applies to both clients and services.
LOCAL matches a machine whose name contains no dot, that is, one without a fully qualified domain name (FQDN), such as localhost.
KNOWN matches a host whose name, address, or user is known (that is, it can be resolved through DNS or another service).
UNKNOWN is the opposite of KNOWN.
PARANOID matches a host whose name does not match its address: the wrapper first resolves the hostname from the IP address, then resolves that name back to an IP address, and if the two results differ the connection is dropped.
Finally, an optional colon-separated list of actions indicates what will be done when the rule is triggered.
Keep in mind that a rule in /etc/hosts.allow that grants access to a service takes precedence over the rules in /etc/hosts.deny. In addition, if two rules in a file apply to the same service and client, only the first matching rule is considered.
Unfortunately, not all network services support TCP wrappers. To check whether a given service supports them, run the following command against its binary:
# ldd /path/to/binary | grep libwrap
If the command prints a line containing libwrap, the service supports TCP wrappers; sshd and vsftpd are two examples, and their output is shown below.
Find services supported by TCP filters
How to use TCP wrappers to restrict access to a service
When you edit /etc/hosts.allow and /etc/hosts.deny, make sure each file ends with a newline after the last non-blank line (press Enter after it).
To allow the SSH and FTP services only for localhost and 192.168.0.102 and deny every other host, add the following to /etc/hosts.deny:
sshd,vsftpd : ALL
ALL : ALL
And add the following to the / etc/hosts.allow file:
sshd,vsftpd : 192.168.0.102,LOCAL
These changes take effect immediately and do not require a reboot.
In the figure below, you can see that when LOCAL is removed from the last line, the FTP server becomes unavailable to localhost; after the wildcard is added back, the service is available again.
Confirm FTP permissions
To make all services available to every host whose name ends in example.com, add the following line to hosts.allow:
ALL : .example.com
To prevent machines in 10.0.1.0/24 from accessing the vsftpd service, add the following line to hosts.deny:
vsftpd : 10.0.1.
In the last two examples, note the dot at the beginning or end of the pattern in the client list. It means "all hosts whose name or address matches that string": a leading dot matches every hostname ending in the string, and a trailing dot matches every address beginning with it.
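As an added example (not from the article), here is a small Python simulator of the decision process described above, run over constructed hosts.allow and hosts.deny contents that mirror the rules in this section. It assumes the client's hostname and address are already resolved and covers only what the article explains (service lists, ALL, LOCAL, leading and trailing dots, allow-before-deny, first match wins, allow when nothing matches), not KNOWN, UNKNOWN, PARANOID, EXCEPT or shell commands.

```python
# Added example, not the article's or tcpd's own code: a simulator of the
# hosts.allow / hosts.deny decision, limited to the features the article
# describes. Both file contents below are constructed to mirror the rules
# shown in the text.

HOSTS_ALLOW = """
# allow ssh/ftp from one workstation and from the local machine
sshd,vsftpd : 192.168.0.102,LOCAL
ALL : .example.com
"""
HOSTS_DENY = """
vsftpd : 10.0.1.
sshd,vsftpd : ALL
ALL : ALL
"""

def parse_rules(text):
    """Return (services, clients) list pairs, skipping blanks and comments."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            services, clients = line.split(":", 2)[:2]  # actions are ignored
            rules.append(([s.strip() for s in services.split(",")],
                          [c.strip() for c in clients.split(",")]))
    return rules

def client_matches(pattern, name, addr):
    if pattern == "ALL":
        return True
    if pattern == "LOCAL":          # name without a dot, e.g. localhost
        return "." not in name
    if pattern.startswith("."):     # leading dot: hostname suffix
        return name.endswith(pattern)
    if pattern.endswith("."):       # trailing dot: address prefix
        return addr.startswith(pattern)
    return pattern in (name, addr)  # exact hostname or address

def rule_matches(rule, service, name, addr):
    services, clients = rule
    return ("ALL" in services or service in services) and \
        any(client_matches(p, name, addr) for p in clients)

def decide(service, name, addr, allow=HOSTS_ALLOW, deny=HOSTS_DENY):
    """Return 'allow' or 'deny' for a client, in the wrapper's evaluation order."""
    if any(rule_matches(r, service, name, addr) for r in parse_rules(allow)):
        return "allow"              # first hosts.allow match wins
    if any(rule_matches(r, service, name, addr) for r in parse_rules(deny)):
        return "deny"               # otherwise first hosts.deny match wins
    return "allow"                  # no match in either file: access granted
```

Calling decide("vsftpd", "host.example.com", "10.0.1.7") returns "allow" even though 10.0.1. is listed in hosts.deny, which is exactly the precedence the article warns about.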
After reading this article, I believe you have some understanding of how to use TCP wrappers to enhance network service security in Linux. If you want to learn more, you are welcome to follow the industry information channel. Thank you for reading!