Shulou(Shulou.com)06/02 Report--

Blog catalogue

I. Overview of TCP Wrappers

Second, the access policy of TCP Wrappers

1. Configuration format of policy

2. Basic principles of access control

3. TCP Wrappers configuration instance

I. Overview of TCP Wrappers

TCP Wrappers "packages" the TCP service program to monitor the port of the TCP service program, adding a security detection process. External connection requests must first pass this layer of security detection and obtain permission before they can access the real service program. As shown in the following figure, TCP Wrappers can also record all attempts to access protected services, providing administrators with rich security analysis materials.

Second, the access policy of TCP Wrappers

The protection object of TCP Wrappers mechanism is a variety of network service programs, and access control is carried out according to the client address of the access service. The corresponding policy files are / etc/hosts.allow and / etc/hosts.deny, which are used to set the allow and deny policies, respectively.

1. Configuration format of policy

The two policy files do the opposite, but the configuration records are in the same format, as follows:

:

The list of service programs and the list of client addresses are separated by colons, and multiple items in each list are separated by commas.

1) list of service programs ALL: represents all services; single service program: such as "vsftpd"; list of multiple service programs: such as "vsftpd.sshd"; 2) client address list ALL: represents any client address; LOCAL: represents local address; single IP address: such as "192.168.10.1"; network segment address: such as "192.168.10.0and255.255.255.0"; to "." Starting domain name: for example, "benet.com" matches all hosts in the benet.com domain; with "." Ending network address: such as "192.168.10." Match the entire 192.168.10.Universe 24 segment; embed the wildcard ""? " The former represents a character of any length, while the latter represents only one character, such as "192.168.10.1" matches all IP addresses starting with 192.168.10.1. It can not be compared with "." Start or end mode mixing; a list of multiple client addresses, such as "192.168.1., 172.16.16., .benet.com"; 2. Basic principles of access control

With regard to the access policy of the TCP Wrappers mechanism, the application follows the following order and principles: first check the / etc/hosts.allow file, and if a matching policy is found, access is allowed; otherwise, continue to check the / etc/hosts.deny file, and if a matching policy is found, access is denied; if the above two files cannot find a matching policy, access is allowed.

3. TCP Wrappers configuration instance

When actually using the TCP Wrappers mechanism, the looser policy can be "allow all, reject the individual", and the stricter policy is "allow the individual, reject all". The former only needs to add the corresponding deny policy to the hosts.deny file, while the latter needs to set the deny policy of "ALL:ALL" in the hosts.deny file in addition to adding the allow policy in the host.allow.

Examples are as follows:

Now you only want to access the sshd service from the host with the IP address 192.168.10.1 or from the host on the 172.16.16 network segment. If other addresses are denied, you can do the following:

[root@centos01 ~] # vim / etc/hosts.allow sshd:192.168.10.1 172.16.16.* [root@centos01 ~] # vim / etc/hosts.deny sshd:ALL

-this is the end of this article. Thank you for reading-

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.