
How to disable access from specific IP addresses on Linux

2025-04-05 Update. From: SLTechnology News&Howtos (shulou), Servers


Shulou (Shulou.com) 06/01 Report

This article explains how to prohibit access from specific IP addresses on Linux. The methods described are simple, fast and practical; read on to learn how to block specific IP addresses with tcp_wrappers and iptables.

I. Overview

The two files /etc/hosts.allow and /etc/hosts.deny are the configuration files of the tcpd (TCP wrappers) server; they control which external IP addresses may access services on the local host. Both files use the same line format:

# service process name : host list : optional command to run when the rule matches

service_name : hosts_list [: command]

/etc/hosts.allow controls which IP addresses may access the local host, and /etc/hosts.deny controls which IP addresses are forbidden. If the configuration of the two files conflicts, /etc/hosts.deny prevails.

The /etc/hosts.allow and /etc/hosts.deny files therefore control remote access: through them, clients from a certain IP address or IP range can be allowed or denied access to a given Linux service.

For example, the SSH service is usually open only to administrators, so we can block all unneeded IP addresses and open only the IP ranges that administrators may use.

II. Configuration

1. Modify the /etc/hosts.allow file

#
# hosts.allow   This file describes the names of the hosts which are
#               allowed to use the local INET services, as decided
#               by the '/usr/sbin/tcpd' server.
#
sshd:210.13.218.*:allow
sshd:222.77.15.*:allow
# accept all requests from the IP address 218.24.129.110
ALL:218.24.129.110
in.telnetd:140.116.44.0/255.255.255.0
in.telnetd:140.116.79.0/255.255.255.0
in.telnetd:140.116.141.99
in.telnetd:LOCAL
# allow IP addresses in the 192.168.0. network segment to access the smbd service
smbd:192.168.0.0/255.255.255.0
# sendmail:192.168.1.0/255.255.255.0
# pop3d:192.168.1.0/255.255.255.0
# swat:192.168.1.0/255.255.255.0
pptpd:ALL EXCEPT 192.168.0.0/255.255.255.0
httpd:ALL
vsftpd:ALL

The lines above mean that the two IP ranges 210.13.218.* and 222.77.15.* are allowed to connect to the sshd service (which only takes effect together with the hosts.deny file); the trailing ":allow" can be omitted.

The ALL keyword matches everything, EXCEPT excludes the items that follow it from a match, and PARANOID matches hosts whose IP address does not agree with their domain name (domain name masquerading).

2. Modify the /etc/hosts.deny file

#
# hosts.deny    This file describes the names of the hosts which are
#               *not* allowed to use the local INET services, as decided
#               by the '/usr/sbin/tcpd' server.
#
# The portmap line is redundant, but it is left to remind you that
# the new secure portmap uses hosts.deny and hosts.allow.  In particular
# you should know that NFS uses portmap!
sshd:ALL:deny
in.telnetd:ALL
ALL:ALL EXCEPT 192.168.0.1/255.255.255.0 192.168.1.21 202.10.5.0/255.255.255.0

Note: sshd:ALL:deny refuses all remote sshd connections; the trailing ":deny" can be omitted.
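As an added example (not code from the article), the following Python script models how the tcp_wrappers library decides access for a (daemon, client) pair, using rule text constructed from entries like those in sections II.1 and II.2. The evaluation order it implements is the one documented in hosts_access(5): a matching entry in hosts.allow grants access, otherwise a matching entry in hosts.deny refuses it, otherwise access is granted. Two details worth checking in your own files: only lines that begin with '#' are comments, so an annotation written after a rule on the same line is not a comment and must be moved to its own line; and an EXCEPT clause in hosts.allow only withholds the allow, it does not deny anything by itself (pptpd below shows this). Hostname patterns, LOCAL and PARANOID are not implemented in this model.

```python
"""Added example (not from the article): a simulator of the tcp_wrappers
access decision for a (daemon, client IPv4 address) pair.

Order follows hosts_access(5): hosts.allow match -> grant; hosts.deny
match -> refuse; no match in either file -> grant.
"""
import fnmatch
import ipaddress
import re

# Constructed rule files, mirroring entries from the article's listings.
HOSTS_ALLOW = """
# hosts.allow -- only lines beginning with '#' are comments
sshd:210.13.218.*:allow
sshd:222.77.15.*:allow
in.telnetd:140.116.44.0/255.255.255.0
in.telnetd:140.116.141.99
smbd:192.168.0.0/255.255.255.0
pptpd:ALL EXCEPT 192.168.0.0/255.255.255.0
httpd:ALL
"""

HOSTS_DENY = """
# hosts.deny
sshd:ALL:deny
in.telnetd:ALL
smbd:ALL
"""


def parse_rules(text):
    """Return (daemon_list, client_list) pairs; the optional third field
    (allow/deny keyword or shell command) is ignored by this model."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = [f.strip() for f in line.split(":")]
        if len(fields) >= 2:
            rules.append((fields[0], fields[1]))
    return rules


def match_client(pattern, ip):
    """One client pattern against one IPv4 address string."""
    addr = ipaddress.IPv4Address(ip)
    if pattern.upper() == "ALL":
        return True
    if "/" in pattern:                      # network/netmask form
        net, mask = pattern.split("/", 1)
        return addr in ipaddress.IPv4Network((net, mask), strict=False)
    if pattern.endswith("."):               # leading-octets form, e.g. 192.168.0.
        return ip.startswith(pattern)
    return fnmatch.fnmatchcase(ip, pattern)  # exact address or shell-style wildcard


def match_daemon(pattern, daemon):
    return pattern.upper() == "ALL" or pattern.lower() == daemon.lower()


def match_list(list_text, value, matcher):
    """A list with an optional EXCEPT clause: something before EXCEPT must
    match and nothing after it may match."""
    parts = re.split(r"\s+EXCEPT\s+", list_text.strip(), maxsplit=1, flags=re.IGNORECASE)
    include = [p for p in re.split(r"[\s,]+", parts[0]) if p]
    if not any(matcher(p, value) for p in include):
        return False
    if len(parts) == 2:
        exclude = [p for p in re.split(r"[\s,]+", parts[1]) if p]
        if any(matcher(p, value) for p in exclude):
            return False
    return True


def hosts_access(daemon, client_ip, allow_text=HOSTS_ALLOW, deny_text=HOSTS_DENY):
    """True if the client may reach the daemon, following hosts_access(5)."""
    def hit(rules):
        return any(match_list(d, daemon, match_daemon) and match_list(c, client_ip, match_client)
                   for d, c in rules)
    if hit(parse_rules(allow_text)):
        return True
    if hit(parse_rules(deny_text)):
        return False
    return True     # neither file matched: access is granted by default


if __name__ == "__main__":
    for daemon, ip in [("sshd", "210.13.218.9"), ("sshd", "8.8.8.8"),
                       ("pptpd", "192.168.0.7"), ("ftpd", "203.0.113.1")]:
        print(daemon, ip, "ALLOW" if hosts_access(daemon, ip) else "DENY")
```

Running the script prints the decision for each constructed pair; the pptpd case is the one to study, because the client excluded by EXCEPT in hosts.allow still gets in through the default-allow of the last step, and only an explicit pptpd entry in hosts.deny would stop it.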


3. Restart the service

After the modification, run:

# service xinetd restart

for the change to take effect.

Requirement: use hosts.deny to stop users from logging in through SSH.

Add to /etc/hosts.deny:

sshd: ALL

Add to /etc/hosts.allow:

# rejects SSH connections from all IP addresses
sshd:ALL

Trying to connect from another server, the connection still succeeded as normal.

Looking further into the problem, the explanation found online was that /etc/hosts.allow and /etc/hosts.deny only take effect for programs that call tcp_wrappers. If the program was compiled from source, check whether it was linked against libwrap.so at compile time.

On the machine where the restriction works, execute the following command:

[root@zt ~]# ldd /usr/sbin/sshd | grep libwrap.so
libwrap.so.0 => /lib64/libwrap.so.0 (0x00002ba28edcc000)

On the machine where it does not work, libwrap.so is not found in the output.

On the working machine, the result of rpm -qf /lib64/libwrap.so.0 is:

tcp_wrappers-7.6-40.7.el5

On the machine that does not work, run:

yum install -y tcp_wrappers

After the installation, ldd /usr/sbin/sshd | grep libwrap.so still prints nothing.

On the machine that does not work, continue with yum list | grep openssh, which gives:

openssh.x86_64 5.3p2-24.el5 installed
openssh-clients.x86_64 5.3p2-24.el5 installed
openssh-server.x86_64 5.3p2-24.el5 installed
openssh.x86_64 5.3p2-41.el5_5.1 updates
openssh-askpass.x86_64 5.3p2-41.el5_5.1 updates
openssh-clients.x86_64 5.3p2-41.el5_5.1 updates
openssh-server.x86_64 5.3p2-41.el5_5.1 updates

Therefore, execute:

yum update -y openssh

Then run again:

ldd /usr/sbin/sshd | grep libwrap.so

This time the output shows libwrap.so.

Other servers connecting to this server will now get the following error:

ssh_exchange_identification: Connection closed by remote host

The other method is iptables, which is commonly used to restrict which IP addresses may access a website.

Allow only one specified IP address to access the server:

vi /etc/sysconfig/iptables

*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -s 165.232.121.17 -j ACCEPT
-A INPUT -j DROP
COMMIT

If the firewall service was previously disabled permanently, you need to enable it again.

chkconfig --list   shows the services started at boot; find the name of the service to turn off

chkconfig --level 235 <service name> off   [sets the boot behaviour of the service for run levels 2, 3 and 5]

The system run levels are 0 to 6 and are defined in /etc/inittab.

Level 0: the computer is shut down
Level 1: single-user mode
Level 2: multi-user command-line mode without network
Level 3: multi-user command-line mode with network
Level 4: not used
Level 5: multi-user mode with graphical interface
Level 6: reboot

2011-10-26

===== The following is an excerpt =====

Someone has attacked the server again, and there is no way to prevent it. Here is a brief introduction to a way to restrict access from specified IP addresses.

The command to block a single IP address is:

iptables -I INPUT -s 59.151.119.180 -j DROP

The commands to block IP ranges (/16 networks) are:

iptables -I INPUT -s 211.1.0.0/16 -j DROP
iptables -I INPUT -s 211.2.0.0/16 -j DROP
iptables -I INPUT -s 211.3.0.0/16 -j DROP

The command to block a whole /8 network is:

iptables -I INPUT -s 211.0.0.0/8 -j DROP

The commands to block several /24 networks are:

iptables -I INPUT -s 61.37.80.0/24 -j DROP
iptables -I INPUT -s 61.37.81.0/24 -j DROP

Making the rules load automatically at server start

There are three ways:

1. Add the commands to /etc/rc.local.

2. vi /etc/sysconfig/iptables: put your current iptables rules into /etc/sysconfig/iptables; they are loaded automatically when the system starts the iptables service.

3. service iptables save also writes your current iptables rules to /etc/sysconfig/iptables, from where they are loaded automatically when the system starts the iptables service.

The latter two are better: the iptables service is generally started before the network service, which is more secure.

Unblocking:

iptables -L INPUT

iptables -L --line-numbers, then iptables -D INPUT <line number>

Restricting IP access with iptables

Restrict access to port 9889 with iptables so that only 192.168.1.201, 192.168.1.202 and 192.168.1.203 are allowed and all other IP addresses are denied:

iptables -I INPUT -p tcp --dport 9889 -j DROP
iptables -I INPUT -s 192.168.1.201 -p tcp --dport 9889 -j ACCEPT
iptables -I INPUT -s 192.168.1.202 -p tcp --dport 9889 -j ACCEPT
iptables -I INPUT -s 192.168.1.203 -p tcp --dport 9889 -j ACCEPT

Note that the order of the commands must not be reversed: -I inserts each rule at the top of the chain, so the catch-all DROP has to be issued first so that it ends up below the ACCEPT rules.
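As an added example (not code from the article), the following Python script models an iptables INPUT chain with first-match semantics so the three iptables procedures above can be checked offline: the port-9889 commands in the article's order and in reversed order, the single-address ruleset from /etc/sysconfig/iptables, and removal of a rule by its line number. Only -s (address or CIDR), -p, --dport and the ACCEPT and DROP targets are modelled, and the chain policy is ACCEPT as in the article's file. The single-address ruleset is also run against 127.0.0.1, because its blanket DROP catches loopback traffic as well, which is a check worth doing before deploying that file.

```python
"""Added example (not from the article): a model of an iptables INPUT chain
(first match wins, -I inserts at the top, -A appends at the bottom) used to
check rule order for the article's commands. Only -s, -p, --dport and the
ACCEPT/DROP targets are modelled; the chain policy is ACCEPT."""
import ipaddress
import shlex


class InputChain:
    def __init__(self, policy="ACCEPT"):
        self.policy = policy
        self.rules = []          # evaluated top to bottom, first match wins

    def run(self, command):
        """Apply one 'iptables -I INPUT ...' or 'iptables -A INPUT ...' command."""
        argv = shlex.split(command)
        rule = {"src": None, "proto": None, "dport": None, "target": None}
        mode, i = None, 1
        while i < len(argv):
            opt, val = argv[i], argv[i + 1]
            if opt in ("-I", "-A"):
                mode = opt                   # val is the chain name (INPUT)
            elif opt == "-s":
                rule["src"] = ipaddress.ip_network(val, strict=False)
            elif opt == "-p":
                rule["proto"] = val
            elif opt == "--dport":
                rule["dport"] = int(val)
            elif opt == "-j":
                rule["target"] = val
            else:
                raise ValueError("unsupported option " + opt)
            i += 2
        if mode == "-I":
            self.rules.insert(0, rule)       # -I with no rule number inserts at the top
        else:
            self.rules.append(rule)          # -A appends at the bottom
        return self

    def verdict(self, src, dport, proto="tcp"):
        """Target of the first matching rule, or the chain policy."""
        addr = ipaddress.ip_address(src)
        for r in self.rules:
            if r["src"] is not None and addr not in r["src"]:
                continue
            if r["proto"] is not None and r["proto"] != proto:
                continue
            if r["dport"] is not None and r["dport"] != dport:
                continue
            return r["target"]
        return self.policy

    def listing(self):
        """Like 'iptables -L INPUT --line-numbers': (num, target, source, dport)."""
        return [(n, r["target"], str(r["src"]) if r["src"] else "anywhere", r["dport"])
                for n, r in enumerate(self.rules, 1)]

    def delete(self, number):
        """Model 'iptables -D INPUT <number>' (1-based line numbers)."""
        del self.rules[number - 1]
        return self


def build(commands):
    chain = InputChain()
    for c in commands:
        chain.run(c)
    return chain


# The article's port-9889 commands, in the order it gives them (constructed here).
PORT_9889 = [
    "iptables -I INPUT -p tcp --dport 9889 -j DROP",
    "iptables -I INPUT -s 192.168.1.201 -p tcp --dport 9889 -j ACCEPT",
    "iptables -I INPUT -s 192.168.1.202 -p tcp --dport 9889 -j ACCEPT",
    "iptables -I INPUT -s 192.168.1.203 -p tcp --dport 9889 -j ACCEPT",
]

# The article's /etc/sysconfig/iptables rules for a single permitted address.
SINGLE_IP = [
    "iptables -A INPUT -s 165.232.121.17 -j ACCEPT",
    "iptables -A INPUT -j DROP",
]


def port_9889_verdicts(commands=PORT_9889):
    """(allowed host on 9889, stranger on 9889, stranger on another port)."""
    c = build(commands)
    return (c.verdict("192.168.1.201", 9889), c.verdict("10.0.0.5", 9889), c.verdict("10.0.0.5", 22))


def single_ip_verdicts():
    """(permitted address, stranger, loopback); the blanket DROP hits 127.0.0.1 too."""
    c = build(SINGLE_IP)
    return (c.verdict("165.232.121.17", 22), c.verdict("203.0.113.9", 22), c.verdict("127.0.0.1", 22))


def unblock_by_line_number():
    """List the chain, delete the DROP by its line number, re-check a stranger."""
    c = build(PORT_9889)
    drop_line = [n for n, target, _, _ in c.listing() if target == "DROP"][0]
    c.delete(drop_line)
    return drop_line, c.verdict("10.0.0.5", 9889)


if __name__ == "__main__":
    print(port_9889_verdicts())                            # ('ACCEPT', 'DROP', 'ACCEPT')
    print(port_9889_verdicts(list(reversed(PORT_9889))))   # ('DROP', 'DROP', 'ACCEPT')
    print(single_ip_verdicts())                            # ('ACCEPT', 'DROP', 'DROP')
    print(unblock_by_line_number())                        # (4, 'ACCEPT')
```

The reversed run is the point of the note above: issued last, the catch-all DROP lands at line 1 and shadows every ACCEPT, so even 192.168.1.201 is dropped. The model only covers the options the article uses; on a real host, check the live chain with iptables -L INPUT --line-numbers rather than trusting the model.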

At this point, you should have a deeper understanding of how Linux prohibits access from specific IP addresses. The best way to consolidate it is to try the configuration in practice.


© 2024 shulou.com SLNews company. All rights reserved.
