Shulou(Shulou.com)06/03 Report--

1. The protection object of the TCP Wrappers mechanism is various network service programs, and the access control is carried out according to the client address of the access service. The corresponding policy files are / etc/hosts.allow and / etc/hosts.deny, which are used to set the allow and deny policies, respectively.

1. Configuration format of the policy

The two policy files have the opposite effect, but the configuration record format is the same, as shown below

:

The list of service programs and the list of client addresses are separated by colons, and multiple items in each list are separated by commas.

(1) list of service programs

The list of service programs can be divided into the following categories.

● ALL: represents all services.

● single service program: such as "vsftpd"

A list of ● service programs, such as "vsftpd,shd"

(2) client address list

The client address list can be divided into the following categories.

Network segment address, such as "

192.168.4.0/255.255.255.0

● with "." Starting domain name: for example, "kgc.cn" matches all hosts in the kgc cn domain.

● with "." End network address: for example, "192.168.4" matches the entire 192 168.4.0 Universe 24 network segment. Embed the wildcard character "*"? " The former represents a character of any length, while the latter represents only one character. "10.0.8.2*" matches all P addresses that begin with 10.0.8.2. Cannot be mixed with patterns that start or end with "".

A list of multiple client addresses, such as "192.68.1. 172.17.17.men.kgc.cn"

two。 Basic principles of access control

With regard to the access policy of the TCP Wrappers mechanism, check the / etc/hosts.allow file first, and if you find a policy that matches, access is allowed. Otherwise, continue to check the / etc/hosts.deny file. If a matching policy is found, access is denied; if neither of the two files finds a matching policy, access is allowed.

3.TCP Wrappers configuration instance

For example, if you only want a host with an ip address of 192.168.10.10 or a host located on the 192.168.20.0 ax 24 network segment to access the sshd service, deny other addresses. Vim / etc/hosts.allow

Vim / etc/hosts.deny

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.