How to configure TCP Wrappers access Control in CentOS

2025-01-16 Update From: SLTechnology News&Howtos shulou


Shulou(Shulou.com)06/01 Report--

This article explains how to configure TCP Wrappers access control in CentOS: what the mechanism protects, the format of the two policy files, how client address patterns are matched, the order in which the files are evaluated, and a worked configuration for restricting sshd.

1. TCP Wrappers overview

TCP Wrappers is a host-based access control mechanism for network services. It is implemented by the libwrap library that a service is linked against (or by the tcpd wrapper program that starts a service on its behalf), and it makes its decision on the basis of the transport-layer connection information, chiefly the client's address, before the real service code ever sees the connection. Only after the policy check passes is the connection handed to the actual service program. As shown in the following figure, TCP Wrappers also logs every attempt to access a protected service through syslog, which gives administrators a useful record for security analysis.

2. Access policy of TCP Wrappers

The objects protected by the TCP Wrappers mechanism are network service programs, and access control is applied according to the address of the client connecting to the service. The policy files are /etc/hosts.allow and /etc/hosts.deny, which hold the allow rules and the deny rules respectively.

1) Policy configuration format

The two policy files have opposite effects, but their records share the same format:

    <service program list>: <client address list>

The list of service programs and the list of client addresses are separated by a colon; multiple items within a list are separated by commas (blanks are also accepted as separators).

Service program list:

ALL: represents all services

A single service program, such as "vsftpd"

A list of several service programs, such as "vsftpd,sshd"

Client address list:

ALL: represents any client address

LOCAL: represents a local host, that is, one whose resolved name contains no dot

A single IP address, such as "192.168.10.1"

A network segment with its mask, such as "192.168.10.0/255.255.255.0"

A domain name beginning with ".", such as ".benet.com", which matches every host in the benet.com domain

A network address ending with ".", such as "192.168.10.", which matches the whole 192.168.10.0/24 segment

Patterns containing the wildcard characters "*" and "?": the former matches any number of characters, the latter exactly one character. For example, "192.168.10.1*" matches every IP address beginning with 192.168.10.1 (192.168.10.1, 192.168.10.10 through 192.168.10.19, and so on). Wildcards cannot be combined with the net/mask form or with patterns that start or end with "."

A list of several client addresses, such as "192.168.1., 172.16.16., .benet.com"

2) Basic principles of access control

The access policies of the TCP Wrappers mechanism are applied in the following order: first /etc/hosts.allow is checked, and if a matching record is found the connection is allowed; otherwise /etc/hosts.deny is checked, and if a matching record is found the connection is denied; if neither file contains a matching record, the connection is allowed. The first matching record decides, so a client that matches an allow rule is never reached by a later deny rule.

3) TCP Wrappers configuration instance

In practice the TCP Wrappers mechanism is used with one of two policies: the looser one is "allow all, deny a few", and the stricter one is "allow a few, deny all". The former only needs the corresponding deny records added to hosts.deny. The latter needs the allow records added to hosts.allow and, in addition, the catch-all record "ALL: ALL" (or a per-service "service: ALL") placed in hosts.deny, because without it every client that matches no allow rule would still be admitted by the default.

For example, suppose only the host with IP address 192.168.10.1 and the hosts in the 172.16.16.0/24 segment may reach the sshd service, and every other address must be refused. The configuration is as follows:

    [root@centos01 ~]# vim /etc/hosts.allow
    sshd: 192.168.10.1, 172.16.16.*
    [root@centos01 ~]# vim /etc/hosts.deny
    sshd: ALL

Here "172.16.16.*" matches the whole 172.16.16.0/24 segment; writing it as "172.16.16." (trailing dot) is equivalent. The files are read on every incoming connection, so the change applies to new connections immediately and no service restart is needed. Note that the policy only affects services that actually call libwrap: on CentOS 6 and 7 you can confirm this for sshd with "ldd /usr/sbin/sshd | grep libwrap", and CentOS 8 and later no longer ship tcp_wrappers at all, so sshd there ignores hosts.allow and hosts.deny and the same restriction has to be expressed with firewalld or in sshd's own configuration instead.

This concludes "how to configure TCP Wrappers access control in CentOS". To master these points you still need to practise with them. For more related articles, see the industry information channel.
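The following is an added example, not code from the original article or from the tcp_wrappers project: a small offline evaluator that models the hosts.allow / hosts.deny matching described in the format, client address pattern and evaluation order sections above, and reproduces the sshd restriction from the configuration instance. The policy text it reads is constructed for the example; the real libwrap additionally supports the EXCEPT operator and the optional shell-command field, which this model leaves out, and it resolves the client's hostname itself, whereas here the resolved name is passed in as an argument.

```python
# Added example: an offline evaluator for hosts.allow / hosts.deny records, covering
# the client patterns described in the article (ALL, LOCAL, single IP, net/mask,
# leading-dot domain, trailing-dot network, * and ? wildcards) and the
# allow -> deny -> default-allow evaluation order. It models the policy logic; it is
# not the libwrap implementation. EXCEPT and the shell-command field are not modelled.
import fnmatch
import ipaddress

# Constructed sample policies (not from the page). The sshd rules reproduce the
# worked example; the remaining records exercise the other pattern forms.
HOSTS_ALLOW = """
# /etc/hosts.allow
sshd: 192.168.10.1, 172.16.16.
sshd: 10.10.0.0/255.255.0.0
vsftpd, sshd: .benet.com
telnet: 192.168.10.1*
ALL: LOCAL
"""

HOSTS_DENY = """
# /etc/hosts.deny
sshd, telnet: ALL
"""


def split_list(text):
    """Split a service or client list; blanks and commas both separate items."""
    return [tok for tok in text.replace(",", " ").split() if tok]


def parse_rules(text):
    """Parse 'service_list: client_list' records, skipping comments and blank lines."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        services, clients = line.split(":", 1)
        rules.append((split_list(services), split_list(clients)))
    return rules


def match_client(pattern, addr, hostname=None):
    """Match one client pattern against the peer address and its resolved name."""
    if pattern == "ALL":
        return True
    if pattern == "LOCAL":
        # LOCAL matches a resolved hostname that contains no dot.
        return hostname is not None and "." not in hostname
    if "/" in pattern:
        # net/mask form, e.g. 10.10.0.0/255.255.0.0 or 10.10.0.0/16
        net, mask = pattern.split("/", 1)
        network = ipaddress.ip_network(f"{net}/{mask}", strict=False)
        return ipaddress.ip_address(addr) in network
    if pattern.startswith("."):
        # leading dot: suffix match on the hostname (.benet.com)
        return hostname is not None and hostname.endswith(pattern)
    if pattern.endswith("."):
        # trailing dot: prefix match on the address (192.168.10.)
        return addr.startswith(pattern)
    if "*" in pattern or "?" in pattern:
        # shell-style wildcards: '*' any run of characters, '?' exactly one
        return fnmatch.fnmatchcase(addr, pattern) or (
            hostname is not None and fnmatch.fnmatchcase(hostname, pattern))
    return pattern == addr or pattern == hostname


def rules_match(rules, service, addr, hostname=None):
    """True if any record names the service (or ALL) and matches the client."""
    for services, clients in rules:
        if "ALL" in services or service in services:
            if any(match_client(p, addr, hostname) for p in clients):
                return True
    return False


def decide(service, addr, hostname=None, allow=HOSTS_ALLOW, deny=HOSTS_DENY):
    """hosts.allow is consulted first, then hosts.deny; no match at all means allow."""
    if rules_match(parse_rules(allow), service, addr, hostname):
        return "allow"
    if rules_match(parse_rules(deny), service, addr, hostname):
        return "deny"
    return "allow"


if __name__ == "__main__":
    for svc, ip, name in [("sshd", "192.168.10.1", None),
                          ("sshd", "172.16.16.25", None),
                          ("sshd", "10.0.0.5", None),
                          ("sshd", "10.0.0.5", "ftp.benet.com"),
                          ("telnet", "192.168.10.25", None),
                          ("vsftpd", "10.0.0.5", None)]:
        print(f"{svc:7} {ip:15} {name or '-':15} -> {decide(svc, ip, name)}")
```

The vsftpd case shows the default rule from the principles section: no record in either file matches it, so the connection is allowed even though sshd from the same address is denied. On a real CentOS 7 host the equivalent check against the actual files is "tcpdmatch sshd 192.168.10.1", which ships in the tcp_wrappers package.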
