TCP Wrappers简介
TCP_Wrappers是一个工作在笫四层(传轮层)的的安全工具. 对有状态连接 (TCP) 的特定服务进行安全检测井实现访问控制. 界定方式是凡是调用 libwrap. so库文件的的程片就可以受TCP_Wrappers的安全控制。 它的主要功能就是控制谁可以访问, 常见的程序有rpcbind、 vsftpd、 sshd. telnet 。
判断方式(以sshd为例):
1.查看对应服务命令所在位置
which sshd 或 whereis sshd
2.查石指定命令执行时是否调用libwrap. so文件,
ldd /usr/sbin/sshd | grep libwrap.so
# ldd命令是用来静态的查看服务在执行时调用的库文件列表
存在则说明sshd服务受TCP_Wrappers的安全控制
TCP Wrappers 工作原理
以ssh为例每当有ssh的连接诸求时, 先读取系统管理员所设咒的访间控制文件. 符合要求. 则会把这次连接原封不动的转给ssh进程, 由ssh完成后续工作; 如果这次连接发起的ip不符合访间控制文件中的设咒, 则会中断连接请求, 拒绝提供ssh服务。(hosts.allow文件的优先级要高于hosts.deny)
1、优先查看hosts.allow匹配即停止(泛匹配)
2、允许个别,拒绝所有:hosts. allow文件添加允许的策略,hosts.deny文件添加all
3、拒绝个别,允许所有:hosts.allow 文件为空,hosts.deny文件添加单个拒绝的策略
TCP_Wrappers的使用
TCP_Wrappers的使用主要是依靠两个配置文件/etc/hosts. allow, /etc/hosts.deny, 以此实现访问控制,默认情况下/etc/hosts.allow, /etc/hosts.deny什么都没有添加, 此时没有限制
文件编写规则:
service_list@host: client_list
service_list: 是程序(服务)的列表,可以是多个, 多个时, 使用, 隔开
@host: 设置允许或禁止他人从自己的哪个网口进入。 这项不写就代表全部
c1ient_list:是访问者的地址, 如果需要控制的用户较多, 可以使用空格或 ,隔开
格式如下:
基于IP地址: 192.168.88.1 192.168.88 .
基于主机名:www.atguigt1.com .atguigu.com较少用
基于网络/掩码: 192. 168.0.0/255.255.255.0
内置ACL:ALL(所有主机)、LOCAL(本地主机)
实验案例
拒绝单个IP使用ssh远程连接
配置文件:
hosts.allow:空着
hosts.deny:
sshd:192.168.85.129
#
# hosts.allow This file contains access rules which are used to
# allow or deny connections to network services that
# either use the tcp_wrappers library or that have been
# started through a tcp_wrappers-enabled xinetd.
#
# See 'man 5 hosts_options' and 'man 5 hosts_access'
# for information on rule syntax.
# See 'man tcpd' for information on tcp_wrappers
##
# hosts.deny This file contains access rules which are used to
# deny connections to network services that either use
# the tcp_wrappers library or that have been
# started through a tcp_wrappers-enabled xinetd.
#
# The rules in this file can also be set up in
# /etc/hosts.allow with a 'deny' option instead.
#
# See 'man 5 hosts_options' and 'man 5 hosts_access'
# for information on rule syntax.
# See 'man tcpd' for information on tcp_wrappers
#
sshd:192.168.85.129拒绝某个网段访问
hosts.allow:空着
hosts.deny:
sshd:192.168.85.
#
# hosts.allow This file contains access rules which are used to
# allow or deny connections to network services that
# either use the tcp_wrappers library or that have been
# started through a tcp_wrappers-enabled xinetd.
#
# See 'man 5 hosts_options' and 'man 5 hosts_access'
# for information on rule syntax.
# See 'man tcpd' for information on tcp_wrappers
##
# hosts.deny This file contains access rules which are used to
# deny connections to network services that either use
# the tcp_wrappers library or that have been
# started through a tcp_wrappers-enabled xinetd.
#
# The rules in this file can also be set up in
# /etc/hosts.allow with a 'deny' option instead.
#
# See 'man 5 hosts_options' and 'man 5 hosts_access'
# for information on rule syntax.
# See 'man tcpd' for information on tcp_wrappers
#
sshd:192.168.85.仅允许某一个IP访问
hosts.allow
sshd:192.168.85.129
hosts.deny
sshd:ALL
#
# hosts.allow This file contains access rules which are used to
# allow or deny connections to network services that
# either use the tcp_wrappers library or that have been
# started through a tcp_wrappers-enabled xinetd.
#
# See 'man 5 hosts_options' and 'man 5 hosts_access'
# for information on rule syntax.
# See 'man tcpd' for information on tcp_wrappers
#
sshd:192.168.85.129#
# hosts.deny This file contains access rules which are used to
# deny connections to network services that either use
# the tcp_wrappers library or that have been
# started through a tcp_wrappers-enabled xinetd.
#
# The rules in this file can also be set up in
# /etc/hosts.allow with a 'deny' option instead.
#
# See 'man 5 hosts_options' and 'man 5 hosts_access'
# for information on rule syntax.
# See 'man tcpd' for information on tcp_wrappers
#
sshd:ALL
704
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
