2025-01-14 Update From: SLTechnology News&Howtos (Network Security)
Shulou (Shulou.com) 06/01 Report
Brief introduction
TCP wrappers, often simply called wrappers, was written by Wietse Venema and has been around for many years. The idea behind it is simple: quickly and easily lock down popular TCP-based services on your AIX (UNIX/Linux) host.
Wrappers allows system administrators to control access to TCP-based services or daemons that support wrappers. The tcpd program controls TCP daemons launched from /etc/inetd.conf. Many TCP-based applications have also added wrappers support directly (typically by linking the libwrap library), and it is worth being aware that such a daemon is not controlled through /etc/inetd.conf at all. Typically telnet, ssh, sendmail, ftpd, pop3 and vsftpd can be placed under wrappers access control.
Wrappers provides only limited control over UDP-based connections, so I recommend using a built-in or third-party firewall for UDP-based access control.
1. First, determine whether the program supports tcp_wrapper. Use the strings command and the ldd command to look for hosts_access or libwrap.
(1) Not all services can be controlled by tcp_wrapper.
(2) To determine whether a service program can be controlled by tcp_wrapper:
Dynamically compiled programs:
Use ldd to check whether the program is linked against the libwrap library:
# ldd `which sshd` | grep libwrap
libwrap.so.0 => /lib64/libwrap.so.0 (0x00007f6788fe8000)
Statically compiled programs:
Use strings /path/to/program and look for the hosts_access symbol:
# which rpcbind
/sbin/rpcbind
# strings /sbin/rpcbind | grep hosts_access
hosts_access
2. tcp_wrapper configuration file syntax:
daemon_list: client_list [ : options ]
daemon_list:
Application name (the daemon's executable name, e.g. in.telnetd, sshd, vsftpd)
List of applications: if there are several, separate them with commas
ALL: matches all daemons
client_list:
IP address: 172.16.100.100
Hostname: www.opensamlee.com
Network address/subnet mask: the mask must be written in long (dotted-quad) form; CIDR notation is not accepted
A trailing dot denotes a network prefix: 172.16. stands for 172.16.0.0/255.255.0.0
tcp_wrapper has several built-in macros:
For client_list: ALL, KNOWN, UNKNOWN, PARANOID
For daemon_list: ALL
EXCEPT: can be used in either the client list or the daemon list to exclude entries
[ : options ]
The deny option in the hosts.allow file: defines a reject rule inside hosts.allow
The allow option in the hosts.deny file: defines a release (allow) rule inside hosts.deny
The spawn option runs a shell command when the rule matches, for example echo with these expansions:
%c: client information (user@host)
%s: server information (server@host)
%h: client hostname
%p: PID of the daemon process on the server
# man 5 hosts_access: complete reference for this syntax
Note: the text passed to echo does not need to be quoted; if it is quoted, the command substitution (`date`) may not take place.
in.telnetd: ALL: spawn echo `date` login attempt from %c to %s >> /var/log/tcp_wrapper.log
3. tcp_wrapper matching mechanism:
1. /etc/hosts.allow is checked first; if a rule matches, the connection is allowed immediately.
2. If nothing in /etc/hosts.allow matches, /etc/hosts.deny is checked; if a rule matches, the connection is refused.
3. If neither file matches, the connection is allowed.
tcp_wrapper practical application cases:
1. Local host IP: 172.16.100.7
(1) Only allow the 172.16 network segment to access the local telnet service.
(2) Only allow the 172.16 network segment to access the local telnet service, but do not allow 172.16.100.8.
Install the telnet service:
# yum -y install telnet-server
View the shared libraries the telnet program depends on:
# ldd `which in.telnetd`
linux-vdso.so.1 => (0x00007fff450c1000)
libutil.so.1 => /lib64/libutil.so.1 (0x00007f8055a31000)
libc.so.6 => /lib64/libc.so.6 (0x00007f805569d000)
/lib64/ld-linux-x86-64.so.2 (0x0000003541000000)
in.telnetd itself is not linked against libwrap, but it is started by xinetd, which is (only the libwrap line is shown):
# ldd `which xinetd`
libwrap.so.0 => /lib64/libwrap.so.0 (0x00007fe109c7e000)
Start the telnet service:
# chkconfig telnet on
# service xinetd start
Starting xinetd: [OK]
# ss -tnl | grep :23
LISTEN 0 64 :::23 :::*
Define the tcp_wrapper rule files so that only the 172.16 network segment may access the local telnet service:
# vim /etc/hosts.allow
in.telnetd: 172.16.
# vim /etc/hosts.deny
in.telnetd: ALL
Define the tcp_wrapper rule files so that only the 172.16 network segment may access the local telnet service, but 172.16.100.8 is refused:
# vim /etc/hosts.allow
in.telnetd: 172.16. EXCEPT 172.16.100.8
# vim /etc/hosts.deny
in.telnetd: ALL
Test from host 172.16.100.8:
# telnet 172.16.100.7
Trying 172.16.100.7...
Connected to 172.16.100.7.
Escape character is '^]'.
Connection closed by foreign host.
2. Local host IP: 172.16.100.7
(1) sshd only allows access from the 172.16.0.0/16 network.
Method:
1. /etc/hosts.allow
sshd: 172.16.
2. /etc/hosts.deny
sshd: ALL
3. Local host IP: 172.16.100.7
The telnet service must refuse 172.16.0.0/16 but allow 172.16.100.200; other clients are not controlled.
Method 1:
1. /etc/hosts.allow
in.telnetd: 172.16.100.200
2. /etc/hosts.deny
in.telnetd: 172.16.
Method 2:
/etc/hosts.deny
in.telnetd: 172.16. EXCEPT 172.16.100.200
Method 3:
/etc/hosts.allow
in.telnetd: ALL EXCEPT 172.16. EXCEPT 172.16.100.200
/etc/hosts.deny
in.telnetd: ALL
3. Local host IP: 172.16.100.7
Use the spawn option to record access control information about connecting users:
/etc/hosts.allow (records logins of allowed users):
## record access to in.telnetd from 172.16. hosts
in.telnetd: 172.16. : spawn echo "somebody entered, `date`" >> /var/log/tcpwrapper.log
## record access to sshd from 172.16. hosts, excluding host 172.16.100.8
sshd: 172.16. EXCEPT 172.16.100.8 : spawn echo "somebody entered, `date`" >> /var/log/tcpwrapper.log
/etc/hosts.deny
in.telnetd: ALL
sshd: ALL
4. Local host IP: 172.16.100.7
(1) Allow only hosts in the 172.16.0.0/16 network to access vsftpd, but not 172.16.200.8.
Method:
/etc/hosts.allow
vsftpd: 172.16. EXCEPT 172.16.200.8
/etc/hosts.deny
vsftpd: ALL
5. Local host IP: 172.16.100.7
(1) Allow only hosts in the 172.16.0.0/16 network to access rsync, but not 172.16.56.8.
Method:
/etc/hosts.allow
rsync: 172.16. EXCEPT 172.16.56.8
/etc/hosts.deny
rsync: ALL
6. Use tcp_wrapper to control the vsftpd service so that only hosts in the 172.16.0.0 network may access it, all hosts in the 172.16.200. network are refused, and every refused access attempt is logged:
Method:
/etc/hosts.allow
vsftpd: 172.16. EXCEPT 172.16.200.
/etc/hosts.deny
vsftpd: 172.16.200. : spawn echo `date` login attempt from %c to %s >> /var/log/tcp_wrapper_vsftpd.log
Note that the EXCEPT in hosts.allow is required: hosts.allow is evaluated first, so a plain "vsftpd: 172.16." would match 172.16.200.x clients and allow them before hosts.deny is ever consulted.
The cases above cover the tcp_wrappers configuration in detail.
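To make the matching mechanism in section 3 and the practical cases above concrete, here is an added Python model of the hosts.allow/hosts.deny decision (example code, not part of tcp_wrappers itself). It models ALL, exact IPs, trailing-dot prefixes, long-form net/mask and nested EXCEPT; hostnames, KNOWN/UNKNOWN/PARANOID and the allow/deny/spawn options are deliberately not modelled. The rule lists are constructed from case 1 (2) of this page.

```python
import ipaddress

# Constructed sample rule files mirroring case 1 (2): telnet from 172.16. except 172.16.100.8
HOSTS_ALLOW = ["in.telnetd: 172.16. EXCEPT 172.16.100.8"]
HOSTS_DENY = ["in.telnetd: ALL"]


def client_matches(pattern, client_ip):
    """One client_list token: ALL, exact IP, trailing-dot prefix, or net/mask (long form)."""
    pattern = pattern.strip()
    if pattern == "ALL":
        return True
    if pattern.endswith("."):                     # "172.16." matches 172.16.0.0/255.255.0.0
        return client_ip.startswith(pattern)
    if "/" in pattern:                            # "172.16.0.0/255.255.0.0"; CIDR is not accepted by wrappers
        net, mask = pattern.split("/", 1)
        network = ipaddress.ip_network(f"{net}/{mask}", strict=False)
        return ipaddress.ip_address(client_ip) in network
    return client_ip == pattern


def daemon_matches(pattern, daemon):
    pattern = pattern.strip()
    return pattern == "ALL" or pattern == daemon


def list_matches(spec, token, match_one):
    """'a, b EXCEPT c EXCEPT d' means (a or b) minus (c minus d): EXCEPT nests to the right."""
    head, _, rest = spec.partition(" EXCEPT ")
    matched = any(match_one(p, token) for p in head.split(","))
    if rest and matched:
        return not list_matches(rest, token, match_one)
    return matched


def rule_matches(line, daemon, client_ip):
    """A rule is 'daemon_list : client_list [: options]'; options are ignored here."""
    fields = [f.strip() for f in line.split(":")]
    if len(fields) < 2 or not list_matches(fields[0], daemon, daemon_matches):
        return False
    return list_matches(fields[1], client_ip, client_matches)


def access_decision(daemon, client_ip, allow=HOSTS_ALLOW, deny=HOSTS_DENY):
    """hosts.allow first, then hosts.deny; no match in either file means allow."""
    if any(rule_matches(r, daemon, client_ip) for r in allow):
        return "allow"
    if any(rule_matches(r, daemon, client_ip) for r in deny):
        return "deny"
    return "allow"
```

Passing the unmodified case 6 rules (allow "vsftpd: 172.16.", deny "vsftpd: 172.16.200.") to access_decision shows 172.16.200.8 being allowed, which is why the hosts.allow line needs the EXCEPT.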