tcp_wrappers && l7iptables
tcp_wrappers
tcp_wrappers is a security mechanism in Linux that, under certain conditions, restricts access to a given service to some degree and so protects the system. Below is a brief introduction to tcp_wrappers.
I. First, check whether a service is managed by tcp_wrappers:
ldd $(which sshd) | grep libwrap
If this link is present, the service is governed by tcp_wrappers.
II. The files related to tcp_wrappers are:
/etc/hosts.allow
/etc/hosts.deny
III. How it works
(1): When a request from a remote host arrives at this machine,
/etc/hosts.allow is checked first; if a match is found there, access is allowed by default
and the /etc/hosts.deny file is skipped.
(2): If nothing matches in /etc/hosts.allow, the /etc/hosts.deny file is checked;
if a match is found in /etc/hosts.deny,
the access is refused.
(3): If neither file produces a match,
access is allowed by default.
IV. Format of these two files
service list : address list : option
A. Service list format: if there are several services, separate them with commas
B. Address list format:
(1): A literal IP address, e.g. 192.168.0.254,192.168.0.56; if there is more than one, separate them with commas
(2): A host name, e.g. www.baidu.com
.example.com matches the whole domain
(3): Using a netmask: 192.168.0.0/255.255.255.0 specifies a whole network
(4): A network name, e.g. @mynetwork
C. Options:
mainly the two options allow and deny
D. Other special forms
ALL : all hosts
LOCAL : the local host
KNOWN : hosts that can be resolved
UNKNOWN : hosts that cannot be resolved
PARANOID :
V. Extended options:
spawn : run a command:
vsftpd : spawn echo "login attempt from %c to %s" | mail -s warning root
twist : interrupt the service and run this command instead:
vsftpd : twist echo "login attempt from %c to %s" | mail -s warning root
VI. An example
Put the following in /etc/hosts.allow:
vsftpd: 192.168.0.
in.telnetd, portmap: 192.168.0.8
Put the following in /etc/hosts.deny:
ALL: .cracker.org EXCEPT trusted.cracker.org
vsftpd,portmap: ALL
sshd: 192.168.0. EXCEPT 192.168.0.4
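To make the allow-then-deny-then-default order and the EXCEPT clause concrete, here is an added shell model (not part of the original post) that evaluates the example above the way tcp_wrappers would. It is a simplified matcher: it handles the ALL, .domain, net. and exact forms shown on this page, and the two files are constructed copies written to a temporary directory.

```shell
#!/bin/sh
# Constructed copies of the page's hosts.allow / hosts.deny example, written to a temp dir.
WRAP_DIR=$(mktemp -d)
cat > "$WRAP_DIR/hosts.allow" <<'EOF'
vsftpd: 192.168.0.
in.telnetd, portmap: 192.168.0.8
EOF
cat > "$WRAP_DIR/hosts.deny" <<'EOF'
ALL: .cracker.org EXCEPT trusted.cracker.org
vsftpd,portmap: ALL
sshd: 192.168.0. EXCEPT 192.168.0.4
EOF
# pat_match PATTERN CLIENT: one pattern of the page's forms (ALL, .domain, net., exact name/IP).
pat_match() {
  case "$1" in
    ALL) return 0 ;;
    .*)  case "$2" in *"$1") return 0 ;; esac; return 1 ;;  # leading dot: domain suffix
    *.)  case "$2" in "$1"*) return 0 ;; esac; return 1 ;;  # trailing dot: network prefix
    *)   [ "$1" = "$2" ] ;;                                  # exact host name or address
  esac
}
# list_match LIST CLIENT: comma/space separated patterns, with an optional "EXCEPT list" tail.
list_match() {
  case "$1" in *" EXCEPT "*)
    list_match "${1%% EXCEPT *}" "$2" && ! list_match "${1#* EXCEPT }" "$2"; return ;;
  esac
  for item in $(printf '%s' "$1" | tr ',' ' '); do
    pat_match "$item" "$2" && return 0
  done
  return 1
}
# file_match FILE SERVICE CLIENT: first "services : clients [: option]" line that matches.
# Teaching model only: IPv6 literals, netmasks and the option field are not handled.
file_match() {
  while IFS= read -r line; do
    case "$line" in ''|'#'*) continue ;; esac
    svcs=${line%%:*}; rest=${line#*:}; addrs=${rest%%:*}
    list_match "$svcs" "$2" && list_match "$addrs" "$3" && return 0
  done < "$1"
  return 1
}
# tcpd_check SERVICE CLIENT: hosts.allow first, then hosts.deny, otherwise allow by default.
tcpd_check() {
  if   file_match "$WRAP_DIR/hosts.allow" "$1" "$2"; then echo allow
  elif file_match "$WRAP_DIR/hosts.deny"  "$1" "$2"; then echo deny
  else echo allow
  fi
}
tcpd_check sshd 192.168.0.4   # excepted from the sshd deny line and nothing else matches: allow
```

Note that sshd from 192.168.0.4 is allowed only because of the default, not because of an allow entry; the real tcp_wrappers package ships tcpdmatch for checking the live files the same way.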
l7-filter
L7-filter is a classifier for Linux's Netfilter that identifies packets based on
application layer data.
It can classify packets as Kazaa, HTTP, Jabber, Citrix, Bittorrent, FTP, Gnucleus,
eDonkey2000, etc., regardless of port.
It complements existing classifiers that match on IP address, port numbers and so on.
http://l7-filter.sourceforge.net
What you need:
The 2.4 or 2.6 Linux kernel source (2.6 strongly preferred) from kernel.org
The iptables source from netfilter.org
"l7-filter kernel version" package (netfilter-layer7-X.Y.tar.gz)
"Protocol definitions" package (l7-protocols-YYYY-MM-DD.tar.gz)
Use the appropriate kernel patch from the "Layer 7 patches" package to patch the kernel.
Please read the README in the package to determine which patch to use.
# tar zxvf linux-2.6.28.10.tar.gz -C /usr/src
# tar zxvf netfilter-layer7-v2.22.tar.gz -C /usr/src
# ln -s /usr/src/linux-2.6.28.10/ /usr/src/linux
# cd /usr/src/linux/
# patch -p1 < ../netfilter-layer7-v2.22/kernel-2.6.25-2.6.28-layer7-2.22.patch
Before you configure the kernel, make sure the development tools (gcc and related tools) are installed on your system.
# cp /boot/config-2.6.18-164.el5 /usr/src/linux/.config
# make menuconfig
Networking support → Networking Options → Network packet filtering framework → Core Netfilter Configuration
<M> Netfilter connection tracking support
<M> "layer7" match support
<M> "string" match support
<M> "time" match support
<M> "iprange" match support
<M> "connlimit" match support
<M> "state" match support
<M> "conntrack" connection match support
<M> "mac" address match support
<M> "multiport" Multiple port match support
Networking support → Networking Options → Network packet filtering framework → IP: Netfilter Configuration
<M> IPv4 connection tracking support (required for NAT)
<M> Full NAT
<M> MASQUERADE target support
<M> NETMAP target support
<M> REDIRECT target support
Start compiling and installing:
# make
# make modules_install
# make install
Edit /boot/grub/grub.conf and set the default boot kernel to the new kernel.
Reboot.
# cp /etc/rc.d/init.d/iptables ~/iptables
# rpm -e iptables-ipv6 iptables iptstate --nodeps
# tar jxvf iptables-1.4.6.tar.bz2 -C /usr/src
# cd /usr/src/iptables-1.4.6
# cp ../netfilter-layer7-v2.22/iptables-1.4.3forward-for-kernel-2.6.20forward/libxt_layer7.* ./extensions/
# ./configure --prefix=/usr --with-ksource=/usr/src/linux
# make && make install
# tar zxvf l7-protocols-2009-05-28.tar.gz
# cd l7-protocols-2009-05-28
# make install
# mv ~/iptables /etc/rc.d/init.d/
# service iptables start
l7-filter uses the standard iptables extension syntax:
iptables [specify table & chain] -m layer7 --l7proto [protocol name] -j [action]
Some of the available protocol names:
bittorrent - P2P filesharing / publishing tool
edonkey - eDonkey2000 - P2P filesharing
kugoo - KuGoo - a Chinese P2P program
msn-filetransfer - MSN (Microsoft Network) Messenger file transfers
msnmessenger - Microsoft Network chat client
pplive - Chinese P2P streaming video
qq
xunlei
connlimit
[!] --connlimit-above n
Allows you to restrict the number of parallel connections to a server per client IP address (or client address block).
Example:
iptables -A INPUT -p tcp --syn --dport 22 -m connlimit --connlimit-above 2 -j REJECT
Allow 2 ssh connections per client host.
string
This module matches a given string using a pattern-matching strategy.
It requires a Linux kernel >= 2.6.14.
[!] --string pattern
Matches the given pattern.
--algo {bm|kmp}
Select the pattern matching strategy (bm = Boyer-Moore, kmp = Knuth-Morris-Pratt).
Examples:
iptables -A OUTPUT -p udp --dport 53 -m string --string "verycd" --algo bm -j DROP
iptables -A OUTPUT -p tcp --dport 80 -m string --string "***" --algo kmp -j DROP
time
This matches if the packet arrival time/date is within a given range.
--datestart YYYY[-MM[-DD[Thh[:mm[:ss]]]]]
--datestop YYYY[-MM[-DD[Thh[:mm[:ss]]]]]
Only match during the given time. The possible time range is 1970-01-01T00:00:00 to 2038-01-19T04:17:07.
--timestart hh:mm[:ss]
--timestop hh:mm[:ss]
Only match during the given daytime. The possible time range is 00:00:00 to 23:59:59.
Leading zeroes are allowed.
[!] --monthdays day[,day...]
Only match on the given days of the month. Possible values are 1 to 31.
[!] --weekdays day[,day...]
Only match on the given weekdays. Possible values are Mon, Tue, Wed, Thu, Fri, Sat, Sun, or values from 1 to 7, respectively.
Examples:
-m time --weekdays Sa,Su
-m time --timestart 12:30 --timestop 13:30
-j LOG
--log-level level
Level of logging.
--log-prefix prefix
Prefix log messages with the specified prefix; up to 29 letters long, and useful for distinguishing messages in the logs.
--log-tcp-options
Log options from the TCP packet header.
--log-ip-options
Log options from the IP packet header.
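An added example, not code from the original post: a policy script that combines the layer7, connlimit, string, time and LOG extensions described above, with a dry-run switch so the rules can be reviewed before they are loaded. The LAN range, the chain placement (FORWARD on a router) and the log prefix are assumptions.

```shell
#!/bin/sh
# Added policy script combining the page's extensions. IPT and LAN are assumptions:
# IPT=echo gives a dry run that only prints the rules instead of loading them.
IPT=${IPT:-iptables}
LAN=${LAN:-192.168.0.0/24}

policy_rules() {
  # layer7 classifies a connection from its payload, so it needs to see both directions;
  # on a router that is the FORWARD chain.
  for proto in bittorrent edonkey kugoo pplive; do
    $IPT -A FORWARD -m layer7 --l7proto "$proto" -j DROP
  done
  # More than 2 parallel SSH connections from one client: LOG is non-terminating,
  # so a second rule with the same match is needed to actually REJECT.
  $IPT -A INPUT -p tcp --syn --dport 22 -m connlimit --connlimit-above 2 \
       -j LOG --log-prefix "SSH-CONNLIMIT: " --log-level 4
  $IPT -A INPUT -p tcp --syn --dport 22 -m connlimit --connlimit-above 2 -j REJECT
  # Drop outgoing DNS queries that carry the string "verycd" (Boyer-Moore search).
  $IPT -A OUTPUT -p udp --dport 53 -m string --string "verycd" --algo bm -j DROP
  # MSN file transfers from the LAN only on weekdays between 12:30 and 13:30;
  # outside that window the same traffic falls through to the DROP rule.
  $IPT -A FORWARD -s "$LAN" -m layer7 --l7proto msn-filetransfer \
       -m time --weekdays Mon,Tue,Wed,Thu,Fri --timestart 12:30 --timestop 13:30 -j ACCEPT
  $IPT -A FORWARD -s "$LAN" -m layer7 --l7proto msn-filetransfer -j DROP
}

case "${1:-}" in
  --dry-run) IPT=echo; policy_rules ;;
  apply)     policy_rules ;;
  *)         echo "usage: $0 {--dry-run|apply}" >&2 ;;
esac
```

Run it with --dry-run first and compare the printed rules against iptables -L -n -v after applying; the LOG lines show up in the kernel log with the SSH-CONNLIMIT: prefix.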
Reposted from: https://blog.51cto.com/yueyang/581642