2025-01-19 Update From: SLTechnology News&Howtos > Servers
Shulou(Shulou.com)06/01 Report--
This article explains in detail how to use TCP wrappers to harden network services on Linux. The editor considers it very practical and shares it here for reference; we hope you find it useful.
Before we begin, one thing must be clear: TCP wrappers do not eliminate the need to configure the firewall properly.
Think of this tool as a host-based access control list, not as the sole security measure for your system. Using a firewall and TCP wrappers together, rather than relying on only one of them, ensures that your services have no single point of failure.
Correct understanding of hosts.allow and hosts.deny files
When a network request reaches your host, TCP wrappers consult hosts.allow and hosts.deny (in that order) to determine whether the client should be allowed to use the requested service.
By default these files are empty, contain only comments, or do not exist at all, so every request passes through the TCP wrapper filter and your system relies on the firewall for all of its protection. That is not what we want, for the reasons given at the beginning, so first make sure that both files exist:
# ls -l /etc/hosts.allow /etc/hosts.deny
Both files use the same syntax:
services : clients [: option1 : option2 : ...]
where:
1. services is a comma-separated list of the services the rule applies to.
2. clients is a comma-separated list of the host names or IP addresses affected by the rule. The following wildcards are also accepted:
1) ALL matches everything; it can be used for both clients and services.
2) LOCAL matches a host whose name has no fully qualified domain name (FQDN), that is, a name without a dot, such as localhost.
3) KNOWN matches when the host name, host address or user is known (that is, it can be resolved through DNS or another service).
4) UNKNOWN is the opposite of KNOWN.
5) PARANOID drops the connection when a reverse DNS lookup disagrees with the forward lookup (the host name is resolved from the IP address, then the IP address is obtained from that host name; if the two addresses differ, the connection is closed).
3. options is a colon-separated list of actions to take when the rule is triggered.
Keep in mind that rules in /etc/hosts.allow that grant access to a service take precedence over rules in /etc/hosts.deny. In addition, if two rules apply to the same service, only the first one is taken into consideration.
Unfortunately, not all network services support TCP wrappers. To see whether a given service does, run:
# ldd /path/to/binary | grep libwrap
If the command prints a line naming libwrap, the service supports TCP wrappers; sshd and vsftpd are shown as examples in the figure below.
[Figure: ldd output for sshd and vsftpd listing libwrap, i.e. services that support TCP wrappers]
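The check above only covers one binary at a time. The script below, added here as an example and not part of the original article, runs the same ldd check over several binaries and distinguishes three outcomes: the binary links libwrap, it does not, or it cannot be inspected at all (missing file, statically linked, or no ldd on the system). The daemon paths under `__main__` are assumptions and should be adjusted to your distribution; the two sample ldd outputs are constructed.

```python
"""Find which service binaries can honour hosts.allow/hosts.deny.

Added example, not the page's code: it runs the page's `ldd ... | grep libwrap`
check over several binaries and reports, for each, whether it links libwrap,
does not, or could not be inspected (missing file, static binary, no ldd).
"""
import os
import shutil
import subprocess
from typing import Dict, Iterable, Optional


def links_libwrap(ldd_output: str) -> bool:
    """True if any line of ldd's output names libwrap, the TCP wrappers library."""
    return any("libwrap" in line for line in ldd_output.splitlines())


def ldd_output_for(path: str) -> Optional[str]:
    """Run ldd on one binary; None when it cannot be inspected."""
    ldd = shutil.which("ldd")
    if ldd is None or not os.path.isfile(path):
        return None
    result = subprocess.run([ldd, path], capture_output=True, text=True)
    # ldd exits non-zero for static binaries ("not a dynamic executable")
    # and for files it cannot read, so treat those as "not inspectable".
    return result.stdout if result.returncode == 0 else None


def wrapper_support(paths: Iterable[str]) -> Dict[str, Optional[bool]]:
    """Map each path to True (links libwrap), False (does not) or None (not inspectable)."""
    report: Dict[str, Optional[bool]] = {}
    for path in paths:
        out = ldd_output_for(path)
        report[path] = None if out is None else links_libwrap(out)
    return report


# Constructed ldd output (load addresses elided) of the two shapes the check distinguishes.
SAMPLE_WRAPPED = (
    "\tlinux-vdso.so.1 (0x0000)\n"
    "\tlibwrap.so.0 => /lib/x86_64-linux-gnu/libwrap.so.0 (0x0000)\n"
    "\tlibc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x0000)\n"
)
SAMPLE_UNWRAPPED = (
    "\tlinux-vdso.so.1 (0x0000)\n"
    "\tlibc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x0000)\n"
)

if __name__ == "__main__":
    # Assumed daemon locations; adjust for your distribution.
    daemons = ["/usr/sbin/sshd", "/usr/sbin/vsftpd", "/usr/sbin/xinetd"]
    for path, verdict in wrapper_support(daemons).items():
        label = {True: "uses libwrap", False: "no libwrap", None: "not inspectable"}[verdict]
        print(f"{path}: {label}")
```

Two caveats worth knowing when reading the report: OpenSSH dropped libwrap support in version 6.7, so on a current distribution sshd usually shows no libwrap line and sshd rules in hosts.allow/hosts.deny have no effect on it; and services started through xinetd are checked by xinetd itself, so their own binaries need not link libwrap to be covered.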
How to use TCP wrappers to restrict access to a service
When editing /etc/hosts.allow and /etc/hosts.deny, make sure the last non-blank line is terminated with a newline (press Enter after it).
To allow only localhost and 192.168.0.102 to use the SSH and FTP services and deny everyone else, add the following to /etc/hosts.deny:
sshd,vsftpd : ALL
ALL : ALL
and add the following to /etc/hosts.allow:
sshd,vsftpd : 192.168.0.102,LOCAL
These changes take effect immediately and do not require a reboot.
In the figure below you can see that when LOCAL is removed from the hosts.allow line, the FTP server is no longer available to localhost; once the wildcard is added back, the service becomes available again.
[Figure: confirming FTP access from localhost with and without LOCAL in hosts.allow]
To allow all services to hosts whose name ends in example.com, add the following line to hosts.allow:
ALL : .example.com
To prevent machines in 10.0.1.0/24 from accessing the vsftpd service, add the following line to hosts.deny:
vsftpd : 10.0.1.
In the two preceding examples, notice the dot at the beginning and at the end of the client list. It means "all hosts or clients whose name or IP address contains that string": a domain suffix in the first case, an address prefix in the second.
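To make the evaluation order and the wildcard rules from the syntax section concrete, here is a small model of how the two files are consulted, written as an added example (it is not the article's code and not a reimplementation of libwrap). It implements what the page describes: hosts.allow is searched first, then hosts.deny, no match in either means access is granted, the first matching rule in a file wins, and the client patterns ALL, LOCAL, KNOWN, UNKNOWN, a leading-dot domain suffix and a trailing-dot address prefix are honoured. Netmask patterns, EXCEPT lists, PARANOID and the rule options are left out; options are parsed but not interpreted. The file contents are constructed from the rules given above, and the peer addresses and host names in `demo()` are made up.

```python
"""Model of how tcpd consults hosts.allow and then hosts.deny.

Added example, not the page's code and not libwrap itself. It covers the
syntax the page lists (service lists, client lists, ALL, LOCAL, KNOWN,
UNKNOWN, '.domain' suffixes and 'a.b.c.' prefixes). Netmasks, EXCEPT and
PARANOID are out of scope, and options are recorded but ignored.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Client:
    """What tcpd knows about the peer: its address and, if reverse DNS worked, its name."""
    ip: str
    hostname: Optional[str] = None  # None models an unresolvable (UNKNOWN) host


Rule = Tuple[List[str], List[str], List[str]]  # (services, clients, options)


def parse_rules(text: str) -> List[Rule]:
    """Parse 'services : clients [: option ...]' lines; '#' comments and blank lines are skipped."""
    rules: List[Rule] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = [f.strip() for f in line.split(":")]
        if len(fields) < 2 or not fields[0] or not fields[1]:
            raise ValueError(f"malformed rule: {raw!r}")
        services = [s.strip().lower() for s in fields[0].split(",") if s.strip()]
        clients = [c.strip() for c in fields[1].split(",") if c.strip()]
        rules.append((services, clients, fields[2:]))
    return rules


def client_matches(pattern: str, client: Client) -> bool:
    """Apply one client pattern using the wildcard rules described on the page."""
    host = client.hostname.lower() if client.hostname else None
    upper = pattern.upper()
    if upper == "ALL":
        return True
    if upper == "LOCAL":           # a name with no dot, e.g. localhost
        return host is not None and "." not in host
    if upper == "KNOWN":           # reverse lookup succeeded
        return host is not None
    if upper == "UNKNOWN":
        return host is None
    pat = pattern.lower()
    if pat.startswith("."):        # '.example.com' matches any host under that domain
        return host is not None and host.endswith(pat)
    if pat.endswith("."):          # '10.0.1.' matches any address with that prefix
        return client.ip.startswith(pat)
    return pat == client.ip or pat == host   # exact address or exact host name


def first_match(rules: List[Rule], service: str, client: Client) -> Optional[Rule]:
    """Return the first rule whose service list and client list both match; the search stops there."""
    for rule in rules:
        services, clients, _options = rule
        if ("all" in services or service.lower() in services) and any(
            client_matches(c, client) for c in clients
        ):
            return rule
    return None


def access_decision(allow_text: str, deny_text: str, service: str, client: Client) -> str:
    """hosts.allow is consulted first, then hosts.deny; no match in either grants access."""
    if first_match(parse_rules(allow_text), service, client):
        return "allow"
    if first_match(parse_rules(deny_text), service, client):
        return "deny"
    return "allow"


# Constructed file contents, built from the rules the page gives.
HOSTS_ALLOW = "sshd,vsftpd : 192.168.0.102,LOCAL\nALL : .example.com\n"
HOSTS_DENY = "sshd,vsftpd : ALL\nALL : ALL\n"
# The same hosts.allow with LOCAL removed, which the page says locks localhost out of FTP.
HOSTS_ALLOW_NO_LOCAL = "sshd,vsftpd : 192.168.0.102\nALL : .example.com\n"


def demo() -> dict:
    """Decisions for a handful of constructed peers (addresses and names are made up)."""
    localhost = Client("127.0.0.1", "localhost")
    prefix_deny = "vsftpd : 10.0.1.\n"
    return {
        "ssh from 192.168.0.102": access_decision(HOSTS_ALLOW, HOSTS_DENY, "sshd", Client("192.168.0.102")),
        "ftp from localhost": access_decision(HOSTS_ALLOW, HOSTS_DENY, "vsftpd", localhost),
        "ftp from localhost, LOCAL removed": access_decision(HOSTS_ALLOW_NO_LOCAL, HOSTS_DENY, "vsftpd", localhost),
        "ssh from unresolvable 203.0.113.7": access_decision(HOSTS_ALLOW, HOSTS_DENY, "sshd", Client("203.0.113.7")),
        "telnet from mail.example.com": access_decision(HOSTS_ALLOW, HOSTS_DENY, "telnetd", Client("198.51.100.4", "mail.example.com")),
        "ftp from 10.0.1.55, prefix deny": access_decision("", prefix_deny, "vsftpd", Client("10.0.1.55")),
        "ftp from 10.0.2.55, prefix deny": access_decision("", prefix_deny, "vsftpd", Client("10.0.2.55")),
        "both files empty": access_decision("", "", "sshd", Client("203.0.113.7")),
    }


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case:36} -> {verdict}")
```

The case "ftp from localhost, LOCAL removed" reproduces the page's figure: with LOCAL gone from hosts.allow, the connection falls through to the `sshd,vsftpd : ALL` line in hosts.deny and is refused. The "both files empty" case shows why the article insists that the two files exist and carry a deny rule: with nothing to match, tcpd grants access and the firewall is the only thing left.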
This is the end of the article on how to use TCP wrappers under Linux to enhance network service security. We hope the content above is of some help to you and lets you learn something new; if you think the article is good, please share it so more people can see it.