Linux have different type of perimeters to restrict and control network access. hosts.allow and hosts.deny files are one way of those. The TCP wrapper, ssh, ftp applications generally use rules provided in this configuration files. We will look different usage types and examples for hosts.allow and hosts.deny files in this tutorial
Linux具有不同类型的边界来限制和控制网络访问。 hosts.allow和hosts.deny文件是其中一种方法。 TCP包装器,ssh,ftp应用程序通常使用此配置文件中提供的规则。 在本教程中,我们将为hosts.allow和hosts.deny文件查找不同的用法类型和示例。
These rules describes simple access control language based client host name, address, user name and server process name, host name and address patterns.
这些规则描述了基于简单访问控制语言的客户端主机名,地址,用户名和服务器进程名,主机名和地址模式。
句法 (Syntax)
As we know rules are inserted info files. Here is the rule syntax
众所周知,规则是插入的信息文件。 这是规则语法
daemon:client[option1:option2:...]
帮帮我 (Help)
$ man hosts.allow
工作优先(Work Precedence)
While using rules in files host.allow and hosts.deny there are some precedence. The following flow is executed.
在文件host.allow和hosts.deny使用规则时,有一些优先级。 执行以下流程。
Look
hosts.allow看
hosts.allow- If match allow and exit 如果匹配允许并退出
Look
hosts.deny看
hosts.deny- If match deny if not allow 如果匹配,则拒绝,如果不允许
允许(Allow)
To allow applications, hosts to use servers services Allow rules are used. These Allow rules are placed into hosts.allow file. In the example we allow all hosts in the 192.168.0.0/16 to use servers all ports and services.
为了允许应用程序,主机使用服务器服务Allow规则。 这些允许规则放置在hosts.allow文件中。 在示例中,我们允许192.168.0.0/16所有主机使用服务器的所有端口和服务。
ALL: 192.168.
拒绝 (Deny)
To deny hosts and applications we will use Deny rules. Deny rules are places into hosts.deny . In the example we will deny all hosts to connect and use servers services. But keep in mind in the previous example we have allowed some networks and other than these networks will not be able to use servers services.
要拒绝主机和应用程序,我们将使用Deny规则。 拒绝规则位于hosts.deny 。 在该示例中,我们将拒绝所有主机连接和使用服务器服务。 但是请记住,在前面的示例中,我们允许某些网络,而这些网络以外的其他网络将无法使用服务器服务。
ALL: ALL
评论 (Comment)
In the time there will be a lot of rules in the hosts files. They may become unmanageable if we do not put some notes or comments about the rules. Comments can be put with # sign. In the example we write some note about rules
到时主机文件中会有很多规则。 如果我们不对规则做一些注释或评论,它们可能变得难以管理。 注释可以带有#号。 在示例中,我们写了一些有关规则的注释
# Home users
ALL: 192.168.
#Delete this 30.03.2017
ALL: poftut.com
记录 (Log)
While using rules about Allow and Deny these actions may need to logged. Logs will be generated with spawn mechanism. Spawn is use to create new process if specified rule matched. In the example we will generate a log which contain current date if a host from 172.16.0.0/24 tries to access vsftpd service.
在使用有关“允许”和“拒绝”的规则时,可能需要记录这些操作。 日志将通过生成机制生成。 如果指定规则匹配,则Spawn用于创建新进程。 在此示例中,如果来自172.16.0.0/24的主机尝试访问vsftpd服务,我们将生成一个包含当前日期的日志。
vsftpd:172.16. :spawn /bin/echo '/bin/date' access denied >> /var/log/vsftpd:deny
定义多个主机 (Define Multiple Hosts)
There is also support for multiple hosts. We can define multiple hosts by separating them with commas. In the example we will define 2 host names, 1 IP address and 1 network.
还支持多个主机。 我们可以用逗号分隔多个主机。 在示例中,我们将定义2个主机名,1个IP地址和1个网络。
ALL: dns.poftut.com, mail.poftut.com, 212.23.4.12, 10.5.
dns.poftut.com,mail.poftut.comare host namesdns.poftut.com,mail.poftut.com是主机名212.23.4.12is a single IP address212.23.4.12是单个IP地址10.5.specifies network 10.5.0.0/16 in CIDR presentation10.5.在CIDR表示中指定网络10.5.0.0/16
除定义外 (Except Definition)
We can define NOT logic in rules. Generally IP address or network ranges are used with this logic. We put ALL EXCEPT as a prefix to the related IP address or network range to exclude. In this example we will define all hosts except 10.0.0.0/24
我们可以在规则中定义NOT逻辑。 通常,此逻辑使用IP地址或网络范围。 我们将ALL EXCEPT作为要排除的相关IP地址或网络范围的前缀。 在此示例中,我们将定义除10.0.0.0/24之外的所有主机
ALL: ALL EXCEPT 10.
翻译自: https://www.poftut.com/linux-hosts-allow-hosts-deny-control-network-access/
2880
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
