I. Introduction to tcp_wrapper
1. What is tcp_wrapper?
TCP Wrapper is open-source software written by Wietse Venema. It is a tool for controlling TCP/IP connections, comparable to IP-filtering software such as iptables, and Linux installs tcp_wrapper by default. As a secure system, Linux has two layers of firewall protection. The first layer is the IP-filtering mechanism of iptables: the iptables firewall protects the whole system from attack and damage by monitoring the state of the system and blocking malicious traffic from the network. If a connection gets past the first layer, the next layer of protection is tcp_wrapper. With tcp_wrapper you can open and close, allow and deny, specific services provided by the system, which secures the operation of the system more effectively. Using the tcp_wrapper feature requires only two configuration files: /etc/hosts.allow and /etc/hosts.deny.
2. Overview of how tcp_wrapper works in the system
Note: netfilter (iptables) works at the network layer, while TCP Wrapper works at the application layer.
3. How /etc/hosts.allow and /etc/hosts.deny work
II. Using tcp_wrapper rules
1. Rule syntax
The syntax of the hosts.allow and hosts.deny files is as follows:
daemon_list : client_list [: option1 : option2 : ...]
daemon_list can name any service program, such as sshd; a service program that was linked against the libwrap.so.0 dynamic library at compile time can be controlled by tcp_wrapper.
client_list is a comma-separated list of connection sources, which can be host names, IP addresses, and so on.
The optional options specify what happens after a rule matches, for example sending an e-mail to an administrator or writing a log entry; each action is separated from the next by a colon.
You can use the ldd command to check whether a program supports libwrap, for example:
# ldd `which sshd` | grep wrap
libwrap.so.0 => /lib64/libwrap.so.0 (0x00007f1dab1bf000)
2. Syntax examples
daemon_list has the following forms:
vsftpd:192.168.0.
vsftpd,sshd,telnetd:192.168.0.
ALL:192.168.0.
daemon@address  # apply the rule only on one specific local address (written as daemon@address); used when the host has several network cards
client_list has the following forms:
IP  # a single IP address
network address/mask  # a network address; only the full dotted form such as 1.0.0.0/255.0.0.0 can be used, the mask cannot be written as a bit length
hostname  # a host name
.abc.org  # all hosts in the abc.org domain
Commonly used macros:
ALL  # all hosts, or all services
LOCAL  # the local host, i.e. host names that are not fully qualified (contain no dot)
KNOWN  # hosts whose name resolves normally
UNKNOWN  # hosts whose name cannot be resolved
PARANOID  # hosts whose forward and reverse name lookups do not match
EXCEPT  # exclude a host or a network
Example of use:
echo "sshd:ALL EXCEPT 192.168.1.2" >> /etc/hosts.allow
This means that every machine except 192.168.1.2 can connect normally to the sshd service on this host.
Note: when /etc/hosts.allow and /etc/hosts.deny are used together, /etc/hosts.deny is usually set to deny all machines and all services, for security reasons.
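The decision procedure described above (first match in hosts.allow grants, then first match in hosts.deny refuses, otherwise the connection is granted) can be exercised without touching the real files. The following simulator is an added example, not code from the original post or from the tcp_wrappers project: it re-implements the documented matching forms (daemon lists including daemon@address, ALL/LOCAL/KNOWN/UNKNOWN/PARANOID, EXCEPT, trailing-dot address prefixes, net/mask pairs with a dotted mask only, and .domain suffixes) over rule text given inline. The Request fields, the sample rules and the addresses 192.168.1.8 and 192.168.2.1 are constructed assumptions.

```python
"""Simulator of the hosts.allow / hosts.deny decision logic (added example)."""
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample files (assumption: the server listens on
# 192.168.1.8 and on a second interface 192.168.2.1).
HOSTS_ALLOW = """
sshd: 192.168.1.0/255.255.255.0 EXCEPT 192.168.1.20
sshd@192.168.2.1: 192.168.2.
vsftpd, telnetd: 10.
ALL: .example.org
"""
HOSTS_DENY = """
ALL: ALL: spawn echo `date` from %c to %s >> /var/log/tcp_wrapper.log
"""


@dataclass
class Request:
    daemon: str                      # service name, e.g. "sshd"
    client: str                      # client IPv4 address
    server: str = "192.168.1.8"      # local address the connection arrived on (assumed)
    hostname: Optional[str] = None   # None: reverse lookup failed (UNKNOWN)
    paranoid: bool = False           # forward and reverse lookups disagree


def parse_rules(text):
    """Return (daemon_list, client_list, options) tuples; '#' starts a comment."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = [f.strip() for f in line.split(":")]
        if len(fields) < 2:
            raise ValueError(f"rule needs at least daemon_list:client_list: {raw!r}")
        rules.append((fields[0], fields[1], fields[2:]))
    return rules


def match_daemon(token, req):
    # daemon@server restricts the rule to one local address (multi-homed host)
    name, _, server = token.partition("@")
    if name.upper() != "ALL" and name != req.daemon:
        return False
    return not server or server == req.server


def match_client(token, req):
    upper = token.upper()
    if upper == "ALL":
        return True
    if upper == "LOCAL":            # resolved name without a dot
        return req.hostname is not None and "." not in req.hostname
    if upper == "KNOWN":
        return req.hostname is not None and not req.paranoid
    if upper == "UNKNOWN":
        return req.hostname is None
    if upper == "PARANOID":
        return req.paranoid
    if token.startswith("."):       # .domain suffix
        return req.hostname is not None and req.hostname.lower().endswith(token.lower())
    if token.endswith("."):         # address prefix such as 192.168.0.
        return req.client.startswith(token)
    if "/" in token:                # net/mask; as stated above, only a dotted mask is accepted
        net, mask = token.split("/", 1)
        if not re.fullmatch(r"\d+\.\d+\.\d+\.\d+", mask):
            return False            # a bad net/mask expression never matches
        try:
            network = ipaddress.IPv4Network((net, mask), strict=False)
            return ipaddress.IPv4Address(req.client) in network
        except ValueError:
            return False
    return token == req.client or (req.hostname is not None and token.lower() == req.hostname.lower())


def match_list(spec, req, match_token):
    """Match a blank- or comma-separated list; EXCEPT binds to the right."""
    head, *rest = re.split(r"\s+EXCEPT\s+", spec, maxsplit=1, flags=re.IGNORECASE)
    hit = any(match_token(tok, req) for tok in head.replace(",", " ").split())
    if rest:
        return hit and not match_list(rest[0], req, match_token)
    return hit


def hosts_access(req, allow_text=HOSTS_ALLOW, deny_text=HOSTS_DENY):
    """hosts.allow is consulted first, then hosts.deny; no match anywhere grants access."""
    for verdict, text in (("allow", allow_text), ("deny", deny_text)):
        for daemons, clients, options in parse_rules(text):
            if match_list(daemons, req, match_daemon) and match_list(clients, req, match_client):
                return verdict, options
    return "allow", []


def check(daemon, client, **fields):
    """Convenience wrapper returning just 'allow' or 'deny'."""
    return hosts_access(Request(daemon, client, **fields))[0]


if __name__ == "__main__":
    for daemon, client in [("sshd", "192.168.1.8"), ("sshd", "192.168.1.20"), ("vsftpd", "10.1.2.3")]:
        print(daemon, client, check(daemon, client))
```

Against the real files on a host, the tcpdmatch utility shipped with tcp_wrappers performs the same kind of dry run (for example tcpdmatch sshd 192.168.1.20) and is the tool to use before relying on a rule.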
3. Writing every denied access attempt to a log
Before using the spawn option you need to know the expansions that can be used in a rule:
%c: client information (user@host, or just the address)
%s: server information (daemon@host, or just the daemon name)
%h: client host name
%p: process ID of the server daemon
(on the server 192.168.1.8)
# vim /etc/hosts.allow
sshd:192.168.1.0/255.255.255.0 EXCEPT 192.168.1.20
# vim /etc/hosts.deny
sshd:ALL:spawn echo `date` from %c to %s >> /var/log/tcp_wrapper.log
(on the client 192.168.1.20; this machine can no longer log in to 192.168.1.8 via ssh)
# ssh 192.168.1.8
ssh_exchange_identification: Connection closed by remote host
(back on the server)
# cat /var/log/tcp_wrapper.log
Fri 7 23:01:41 CST from 192.168.1.20 to sshd@192.168.1.8
Fri 7 23:01:54 CST from 192.168.1.20 to sshd@192.168.1.8
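A log written by the spawn rule above is only useful if someone reads it. The following summariser is an added example, not code from the original post: it parses lines of the form produced by echo `date` from %c to %s (assumed here to carry the full default date output, which the page's excerpt shortens), counts denied connections per client and service, and flags clients that exceed a threshold. The log lines and the threshold are constructed.

```python
"""Summarise the tcp_wrapper denial log written by a spawn rule (added example)."""
import re
from collections import Counter

# Constructed sample of /var/log/tcp_wrapper.log, including one line that
# does not follow the expected format.
SAMPLE_LOG = """\
Fri Aug  7 23:01:41 CST 2015 from 192.168.1.20 to sshd@192.168.1.8
Fri Aug  7 23:01:54 CST 2015 from 192.168.1.20 to sshd@192.168.1.8
Fri Aug  7 23:02:10 CST 2015 from 192.168.1.20 to sshd@192.168.1.8
Fri Aug  7 23:05:33 CST 2015 from 10.0.0.7 to vsftpd@192.168.1.8
garbage line that does not match
"""

# "<date output> from <%c> to <daemon>@<server>"; %c may be user@host or a bare address
LINE_RE = re.compile(r"^(?P<when>.+?) from (?P<client>\S+) to (?P<daemon>[^@\s]+)@(?P<server>\S+)$")


def parse_log(text):
    """Return (list of parsed events, number of lines that were skipped)."""
    events, skipped = [], 0
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            skipped += 1          # keep going; one malformed line must not hide the rest
            continue
        events.append(m.groupdict())
    return events, skipped


def denied_per_client(events):
    """Count denied connections keyed by (client, daemon)."""
    return Counter((e["client"], e["daemon"]) for e in events)


def noisy_clients(events, threshold=3):
    """Clients with at least `threshold` denied connections, sorted for stable output."""
    counts = Counter(e["client"] for e in events)
    return sorted(client for client, n in counts.items() if n >= threshold)


if __name__ == "__main__":
    events, skipped = parse_log(SAMPLE_LOG)
    print(f"{len(events)} denials parsed, {skipped} line(s) skipped")
    for (client, daemon), n in denied_per_client(events).most_common():
        print(f"{client:>15} -> {daemon:<8} {n}")
    print("repeat offenders:", noisy_clients(events))
```

Run it against the real file with parse_log(open("/var/log/tcp_wrapper.log").read()); because the log only records connections that reached the deny rule, a client appearing here repeatedly is one that iptables let through but tcp_wrapper refused.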
This article is from the "Bread" blog; please keep this source when reproducing it: http://cuchadanfan.blog.51cto.com/9940284/1682813
Tcp_wrapper Application Brief