2025-04-05 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)06/01 Report--
This article explains how to prohibit access from specific IP addresses on Linux. The method described here is simple, fast and practical, so let's go through it step by step.
I. Overview
/etc/hosts.allow and /etc/hosts.deny are the configuration files of the tcpd server (TCP wrappers), which control which external IP addresses may reach the local services. Both files use the same line format:
# service process name : host list : optional command run when the rule matches
service_name : hosts-list [: command]
/etc/hosts.allow controls which IP addresses may access the local host, and /etc/hosts.deny controls which addresses are forbidden. If the configuration of the two files conflicts, /etc/hosts.deny shall prevail.
The /etc/hosts.allow and /etc/hosts.deny files hold the remote-access settings: through them, clients from a given IP address or address range can be allowed or denied access to a Linux service.
For example, SSH is usually open only to administrators, so we can block the addresses that are not needed and open only the address ranges the administrators are likely to use.
II. Configuration
1. Modify the /etc/hosts.allow file
#
# hosts.allow   This file describes the names of the hosts which are
#               allowed to use the local INET services, as decided
#               by the '/usr/sbin/tcpd' server.
#
# a pattern ending in a dot matches an address prefix (hosts_access(5) has no '*' wildcard)
sshd:210.13.218.:allow
sshd:222.77.15.:allow
# accept all requests from this single IP
ALL:218.24.129.110
in.telnetd:140.116.44.0/255.255.255.0
in.telnetd:140.116.79.0/255.255.255.0
in.telnetd:140.116.141.99
in.telnetd:LOCAL
# allow hosts on the 192.168.0.0/24 segment to reach the smbd service
smbd:192.168.0.0/255.255.255.0
# sendmail:192.168.1.0/255.255.255.0
# pop3d:192.168.1.0/255.255.255.0
# swat:192.168.1.0/255.255.255.0
pptpd:ALL EXCEPT 192.168.0.0/255.255.255.0
httpd:ALL
vsftpd:ALL
The lines above allow the two address ranges 210.13.218.x and 222.77.15.x to connect to the sshd service (this only has an effect together with a matching rule in hosts.deny); the trailing :allow can be omitted.
The ALL keyword matches everything, EXCEPT excludes the items that follow it, and PARANOID matches when the client's IP address does not agree with its host name (host name spoofing).
2. Modify the /etc/hosts.deny file
#
# hosts.deny    This file describes the names of the hosts which are
#               *not* allowed to use the local INET services, as decided
#               by the '/usr/sbin/tcpd' server.
#
# The portmap line is redundant, but it is left to remind you that
# the new secure portmap uses hosts.deny and hosts.allow. In particular
# you should know that NFS uses portmap!
sshd:ALL:deny
in.telnetd:ALL
# a net/mask entry takes the network address (host part zero); a backslash continues the line
ALL:ALL EXCEPT 192.168.0.0/255.255.255.0 192.168.1.21 \
    202.10.5.0/255.255.255.0
Note: sshd:ALL:deny denies all remote sshd connections; the :deny can be omitted.
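To see how the two files above interact, here is an added example (not code from the original article): a small bash evaluator for the IPv4 subset of the hosts.allow / hosts.deny syntax, run against constructed rule files in a scratch directory so the live /etc files are never touched. The lookup order implemented here follows hosts_access(5): hosts.allow is searched first, then hosts.deny, and a client that matches neither file is allowed. It is a simplified re-implementation for study, not tcpd itself; the tool for testing the real files is tcpdmatch(8), which ships with the tcp_wrappers package. Supported client patterns are ALL, an exact address, a trailing-dot prefix, net/mask, and EXCEPT; backslash line continuation and host-name patterns are not handled.

```shell
#!/usr/bin/env bash
# Added example, not part of the original article: a shell evaluator for the IPv4
# subset of the hosts.allow / hosts.deny syntax, so a draft rule set can be tried
# against sample client addresses without touching the live files.
# Lookup order is the one documented in hosts_access(5): hosts.allow is searched
# first, then hosts.deny, and a client matching neither file is allowed.

# Dotted quad -> 32-bit integer, using only parameter expansion and arithmetic.
ip2int() {
  local a=${1%%.*} rest=${1#*.}
  local b=${rest%%.*}; rest=${rest#*.}
  local c=${rest%%.*} d=${rest#*.}
  echo $(( (a << 24) | (b << 16) | (c << 8) | d ))
}

# pattern_matches <pattern> <value>: does one token match the client address (or daemon name)?
pattern_matches() {
  local pat=$1 ip=$2
  case "$pat" in
    ALL|all) return 0 ;;
    */*)                      # net/mask: compare the masked address with the network
      local net=${pat%/*} mask=${pat#*/}
      [ $(( $(ip2int "$ip") & $(ip2int "$mask") )) -eq $(( $(ip2int "$net") & $(ip2int "$mask") )) ] ;;
    *.)                       # trailing dot: address prefix
      [ "${ip#"$pat"}" != "$ip" ] ;;
    *)                        # anything else: exact match (also used for daemon names)
      [ "$pat" = "$ip" ] ;;
  esac
}

# list_matches <list> <value>: "a b EXCEPT c d" matches when the value matches a or b
# and none of the items after EXCEPT.
list_matches() {
  local list=$1 value=$2 in_except=0 matched=0 p
  for p in $list; do
    case "$p" in EXCEPT|except) in_except=1; continue ;; esac
    if pattern_matches "$p" "$value"; then
      if [ $in_except -eq 1 ]; then return 1; fi
      matched=1
    fi
  done
  [ $matched -eq 1 ]
}

# file_matches <file> <daemon> <client_ip>: prints the first matching rule line and
# returns 0 if one was found. Lines are "daemon_list : client_list [: option]".
file_matches() {
  local file=$1 daemon=$2 ip=$3 line daemons clients
  [ -f "$file" ] || return 1
  while IFS= read -r line || [ -n "$line" ]; do
    case "$line" in '#'*|'') continue ;; esac        # comments and blank lines
    case "$line" in *:*) ;; *) continue ;; esac
    daemons=$(printf '%s' "${line%%:*}" | tr ',' ' ' | tr '[:upper:]' '[:lower:]')
    clients=${line#*:}; clients=${clients%%:*}; clients=$(printf '%s' "$clients" | tr ',' ' ')
    list_matches "$daemons" "$daemon" || continue
    if list_matches "$clients" "$ip"; then printf '%s\n' "$line"; return 0; fi
  done < "$file"
  return 1
}

# hosts_access <allow_file> <deny_file> <daemon> <client_ip>: prints allow or deny.
hosts_access() {
  local allow=$1 deny=$2 daemon=$3 ip=$4
  if file_matches "$allow" "$daemon" "$ip" >/dev/null; then echo allow
  elif file_matches "$deny" "$daemon" "$ip" >/dev/null; then echo deny
  else echo allow                          # no rule in either file: access granted
  fi
}

# Demo with constructed rule files in a scratch directory (the real /etc files are untouched).
demo() {
  local dir c d ip; dir=$(mktemp -d)
  cat > "$dir/hosts.allow" <<'EOF'
# constructed sample: administrators' ranges only
sshd: 210.13.218. 222.77.15.
smbd: 192.168.0.0/255.255.255.0
pptpd: ALL EXCEPT 192.168.0.0/255.255.255.0
EOF
  cat > "$dir/hosts.deny" <<'EOF'
sshd: ALL
in.telnetd: ALL
EOF
  for c in sshd/210.13.218.7 sshd/8.8.8.8 smbd/192.168.0.40 pptpd/192.168.0.9 in.telnetd/10.1.1.1 httpd/10.1.1.1; do
    d=${c%/*}; ip=${c#*/}
    printf '%-12s %-16s %s\n' "$d" "$ip" "$(hosts_access "$dir/hosts.allow" "$dir/hosts.deny" "$d" "$ip")"
  done
  rm -rf "$dir"
}
demo
```

The demo table makes one point worth noticing: the pptpd client from 192.168.0.9 is still allowed, because the EXCEPT in hosts.allow only stops that line from granting access, and nothing in hosts.deny denies it. A deny-by-default policy needs an explicit entry in hosts.deny.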
3. Restart the service
After the modification, run:
# service xinetd restart
for the change to take effect.
Requirement: use hosts.deny to stop users from logging in through ssh.
Add to /etc/hosts.deny:
sshd: ALL
Add to /etc/hosts.allow:
sshd: ALL # rejects all IPs connecting to the ssh service
Trying to connect from another server, I found that the connection still worked normally.
Continuing to look for the cause, I learned online that /etc/hosts.allow and /etc/hosts.deny only apply to programs that call tcp_wrappers. If the program was compiled from source, check whether libwrap.so was found at compile time.
On the machine where the rules work, run the following command:
[root@zt ~]# ldd /usr/sbin/sshd | grep libwrap.so
libwrap.so.0 => /lib64/libwrap.so.0 (0x00002ba28edcc000)
On the machine where they do not work, libwrap.so is not found.
On the working machine, run:
rpm -qf /lib64/libwrap.so.0
The result is:
tcp_wrappers-7.6-40.7.el5
On the machine that does not work, run:
yum install -y tcp_wrappers
After the installation, ldd /usr/sbin/sshd | grep libwrap.so still prints nothing.
On the machine that does not work, continue with:
yum list | grep openssh
The result:
openssh.x86_64 5.3p2-24.el5 installed
openssh-clients.x86_64 5.3p2-24.el5 installed
openssh-server.x86_64 5.3p2-24.el5 installed
openssh.x86_64 5.3p2-41.el5_5.1 updates
openssh-askpass.x86_64 5.3p2-41.el5_5.1 updates
openssh-clients.x86_64 5.3p2-41.el5_5.1 updates
openssh-server.x86_64 5.3p2-41.el5_5.1 updates
Therefore, run:
yum update -y openssh
Then run again:
ldd /usr/sbin/sshd | grep libwrap.so
This time the library is listed.
Other servers that connect to this server now get the following error:
ssh_exchange_identification: Connection closed by remote host
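The troubleshooting above comes down to one question: does the daemon honour the wrapper files at all? The following is an added diagnostic script (not from the original article) that packages that check. The text-only helper takes ldd output as a string, so it is exercised here on constructed sample output modelled on the article's two machines; the wrappers around it call the real ldd and tcpdmatch(8). tcpdmatch ships with the tcp_wrappers package and, with -d, reads hosts.allow and hosts.deny from the current directory, which lets a draft rule set be tested before it is copied to /etc. The diagnose call at the end is a usage note and is not run automatically.

```shell
#!/usr/bin/env bash
# Added example, not part of the original article: a diagnostic for the failure
# described above, where hosts.deny is silently ignored because sshd was built
# without tcp_wrappers support.

# libwrap_status <ldd_output>: prints "linked" if libwrap appears in the output, else "not-linked".
libwrap_status() {
  case "$1" in
    *libwrap.so*) echo linked ;;
    *)            echo not-linked ;;
  esac
}

# tcpd_dry_run <rules_dir> <daemon> <client_ip>: ask tcpdmatch(8), shipped with the
# tcp_wrappers package, what the rule files in rules_dir would decide for this client.
tcpd_dry_run() {
  command -v tcpdmatch >/dev/null 2>&1 || { echo "tcpdmatch not installed (yum install -y tcp_wrappers)"; return 2; }
  ( cd "$1" && tcpdmatch -d "$2" "$3" )
}

# diagnose <daemon_path> <client_ip>: report whether the daemon honours the wrapper
# files at all and, if so, what the live /etc rules decide for the client.
diagnose() {
  local bin=$1 ip=$2 status
  [ -x "$bin" ] || { echo "$bin: not found or not executable"; return 1; }
  status=$(libwrap_status "$(ldd "$bin" 2>/dev/null)")
  echo "$bin: libwrap $status"
  if [ "$status" = not-linked ]; then
    echo "hosts.allow/hosts.deny have no effect on $bin; update or rebuild it with tcp_wrappers, or filter with iptables instead"
    return 1
  fi
  tcpd_dry_run /etc "$(basename "$bin")" "$ip"
}

# Constructed ldd output modelled on the article's two machines (the libwrap line is the
# article's; the other addresses are made up), used for a self-check.
linked_ldd='libwrap.so.0 => /lib64/libwrap.so.0 (0x00002ba28edcc000)
libpam.so.0 => /lib64/libpam.so.0 (0x0000003a1a200000)'
unlinked_ldd='libpam.so.0 => /lib64/libpam.so.0 (0x0000003a1a200000)
libc.so.6 => /lib64/libc.so.6 (0x0000003a18a00000)'

echo "working machine:     $(libwrap_status "$linked_ldd")"      # linked
echo "non-working machine: $(libwrap_status "$unlinked_ldd")"    # not-linked
# Real check, run as root on a host with sshd installed:
#   diagnose /usr/sbin/sshd 192.168.1.21
```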
The other method is iptables, which is commonly used to restrict which IP addresses may reach a website.
Allow only one specified IP to access the server:
vi /etc/sysconfig/iptables
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -s 165.232.121.17 -j ACCEPT
-A INPUT -j DROP
COMMIT
If the firewall was previously disabled permanently, you need to enable it again.
chkconfig --list shows the services started at boot; find the name of the service to turn off.
chkconfig --level 235 service_name off [boot service at levels 3 and 5]
The system run levels are 0 to 6 and are set in /etc/inittab.
Level 0: the computer is shut down
Level 1: single-user mode
Level 2: multi-user command-line mode without networking
Level 3: multi-user command-line mode with networking
Level 4: not available
Level 5: multi-user mode with a graphical interface
Level 6: reboot
= The following is an excerpt (2011-10-26)
Someone has attacked the server again, and there is no way to prevent it, so here is a brief introduction to a way to restrict access from specified IP addresses.
The command for a single IP is:
iptables -I INPUT -s 59.151.119.180 -j DROP
The commands to block /16 ranges are:
iptables -I INPUT -s 211.1.0.0/16 -j DROP
iptables -I INPUT -s 211.2.0.0/16 -j DROP
iptables -I INPUT -s 211.3.0.0/16 -j DROP
The command to block a whole /8 range is:
iptables -I INPUT -s 211.0.0.0/8 -j DROP
The commands to block several /24 ranges are:
iptables -I INPUT -s 61.37.80.0/24 -j DROP
iptables -I INPUT -s 61.37.81.0/24 -j DROP
Making the rules start automatically with the server
There are three ways:
1. Add the commands to /etc/rc.local
2. vi /etc/sysconfig/iptables: put your current iptables rules into /etc/sysconfig/iptables, and they are applied automatically when the iptables service starts.
3. service iptables save: also writes your current iptables rules to /etc/sysconfig/iptables, to be applied automatically when the iptables service starts.
The latter two are better. The iptables service generally starts before the network service, which is safer.
Unblocking:
iptables -L INPUT
iptables -L --line-numbers, then iptables -D INPUT <rule number>
Restricting IP access with iptables
Restrict access to port 9889 through iptables (only 192.168.1.201, 192.168.1.202 and 192.168.1.203 are allowed); access from any other IP is prohibited.
iptables -I INPUT -p tcp --dport 9889 -j DROP
iptables -I INPUT -s 192.168.1.201 -p tcp --dport 9889 -j ACCEPT
iptables -I INPUT -s 192.168.1.202 -p tcp --dport 9889 -j ACCEPT
iptables -I INPUT -s 192.168.1.203 -p tcp --dport 9889 -j ACCEPT
Note that the order of the commands cannot be reversed: -I inserts at the top of the chain, so the DROP must be added first and the ACCEPT rules added afterwards end up above it.
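Because the first matching rule decides a packet's fate, the rule order is the whole point. The following added example (not code from the original article) generates the port-9889 allow list in the /etc/sysconfig/iptables format shown earlier and runs a tiny first-match evaluator over it, so the verdict for a packet can be compared between the correct order and the reversed one. Beyond the article's four rules, the generated set also keeps loopback traffic and already-established connections open, which the article's bare "-A INPUT -j DROP" would cut off; those two lines are labelled as additions. The evaluator is a deliberately simplified model (exact -s, --dport, -i and --state only, no CIDR matching), not iptables itself.

```shell
#!/usr/bin/env bash
# Added example, not from the original article: build the port-9889 allow list as a
# ruleset in /etc/sysconfig/iptables format and check packet verdicts against it with a
# first-match evaluator, to show why the order of the rules cannot be reversed.

# allow_port_ruleset <port> <allowed_ip>...: print a filter table where the ACCEPT
# rules for the listed addresses always precede the catch-all DROP for the port.
allow_port_ruleset() {
  local port=$1 ip; shift
  echo '*filter'
  echo ':INPUT ACCEPT [0:0]'
  echo ':FORWARD ACCEPT [0:0]'
  echo ':OUTPUT ACCEPT [0:0]'
  # additions beyond the article: loopback and reply traffic stay open
  echo '-A INPUT -i lo -j ACCEPT'
  echo '-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT'
  for ip in "$@"; do
    echo "-A INPUT -s $ip -p tcp --dport $port -j ACCEPT"
  done
  echo "-A INPUT -p tcp --dport $port -j DROP"
  echo 'COMMIT'
}

# What the chain looks like if the article's -I commands are typed in the wrong order:
# the DROP ends up above the ACCEPT, so the allowed address is blocked too.
reversed_ruleset() {
  echo '-A INPUT -p tcp --dport 9889 -j DROP'
  echo '-A INPUT -s 192.168.1.201 -p tcp --dport 9889 -j ACCEPT'
}

# verdict <src_ip> <dport>: read "-A INPUT ..." lines from stdin and print the verdict
# for a NEW TCP connection the way the kernel does: first matching rule wins, and the
# chain policy (ACCEPT) applies otherwise. Simplified matcher: exact -s, --dport, -i, --state.
verdict() {
  local src=$1 dport=$2 line r_src r_port r_iface r_state r_target
  while IFS= read -r line; do
    case "$line" in '-A INPUT'*) ;; *) continue ;; esac
    r_src=; r_port=; r_iface=; r_state=; r_target=
    set -- $line                           # split the rule into its tokens
    while [ $# -gt 0 ]; do
      case "$1" in
        -s) r_src=$2; shift ;;
        --dport) r_port=$2; shift ;;
        -i) r_iface=$2; shift ;;
        --state) r_state=$2; shift ;;
        -j) r_target=$2; shift ;;
      esac
      shift
    done
    [ -n "$r_iface" ] && continue          # the simulated packet arrives on a real interface
    [ -n "$r_state" ] && continue          # and belongs to a NEW connection
    [ -n "$r_src" ] && [ "$r_src" != "$src" ] && continue
    [ -n "$r_port" ] && [ "$r_port" != "$dport" ] && continue
    echo "$r_target"; return 0
  done
  echo ACCEPT                              # fell off the end: chain policy applies
}

# Demo: the generated ruleset, then verdicts for three constructed packets.
echo "--- generated ruleset ---"
allow_port_ruleset 9889 192.168.1.201 192.168.1.202 192.168.1.203
echo "--- verdicts ---"
for pkt in 192.168.1.201/9889 10.0.0.1/9889 10.0.0.1/22; do
  printf '%-18s correct order: %-6s reversed order: %s\n' "$pkt" \
    "$(allow_port_ruleset 9889 192.168.1.201 192.168.1.202 192.168.1.203 | verdict "${pkt%/*}" "${pkt#*/}")" \
    "$(reversed_ruleset | verdict "${pkt%/*}" "${pkt#*/}")"
done
```

Feed the generated table to iptables-restore (or write it to /etc/sysconfig/iptables as the article describes) and the ACCEPT rules can never end up below the DROP, which is the mistake the "order cannot be reversed" note warns about.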
At this point, I believe you have a deeper understanding of how Linux prohibits access to specific IP addresses. You might as well try it out in practice.