I. Introduction to tcp_wrappers
tcp_wrappers provides access control for individual network services that use stateful (TCP) connections. It is implemented as a library, libwrap, so whether a process is subject to its control depends on whether the program was compiled and linked against libwrap (a service that is not linked itself is still covered when it is started through a wrapper that is, such as xinetd). To check whether a service binary supports tcp_wrappers access control:
ldd /path/to/program | grep libwrap.so
strings /path/to/program | grep libwrap.so
Example, sshd:
- # which sshd
- /usr/sbin/sshd
- # ldd /usr/sbin/sshd | grep libwrap
- libwrap.so.0 => /lib64/libwrap.so.0 (0x00007f5659d39000)
- # strings /usr/sbin/sshd | grep libwrap
- libwrap.so.0
- libwrap refuse returns
- Both checks show that this sshd is linked against libwrap, so it honours hosts.allow and hosts.deny.
Access to services that support tcp_wrappers is restricted by client address through the two configuration files /etc/hosts.allow and /etc/hosts.deny.
The files are read in a fixed order: /etc/hosts.allow is searched first, and if a rule there matches, /etc/hosts.deny is not consulted at all. A client that matches no rule in either file is granted access, so a deny-by-default policy needs an explicit catch-all rule such as ALL: ALL in /etc/hosts.deny.
II. Basic syntax of the configuration files
1. Syntax: daemon_list : client_list [: option ...] (the options are covered under point 3)
2. Client list (client_list) format
A list of clients separated by commas or spaces, each written in one of these forms:
Based on IP address: 192.168.10.1, or an address prefix ending in a dot, such as 192.168.1. (matches 192.168.1.0/24)
Based on host name: www.magedu.com, or a domain suffix starting with a dot, such as .magedu.com
Based on network/mask: 192.168.0.0/255.255.255.0
Based on NET/PREFIXLEN: 192.168.1.0/24 (CentOS 7)
Based on network group (NIS netgroup): @mynetwork
Built-in wildcards: ALL, LOCAL, KNOWN, UNKNOWN, PARANOID
LOCAL matches any host name without a dot; KNOWN and UNKNOWN match depending on whether the client's name and address could be resolved; PARANOID matches a client whose forward and reverse DNS do not agree. Since the last three depend on DNS answers, a client that controls its own reverse DNS can influence them, so address-based patterns are the more reliable basis for a policy.
Cases:
- Edit /etc/hosts.allow and add:
- in.telnetd,sshd: 172.18. (the in.telnetd and sshd services allow clients from 172.18.0.0/16)
- Edit /etc/hosts.deny and add:
- in.telnetd: ALL (denies every host access to in.telnetd)
- With both files in place, only 172.18.0.0/16 can reach in.telnetd and all other hosts are refused, while every network can still access sshd: a client matching neither file is allowed by default, and when a client is listed in both the whitelist and the blacklist, the whitelist wins because hosts.allow is searched first.
3. Special usage: spawn, EXCEPT, twist
EXCEPT means "except for": list_1 EXCEPT list_2 matches anything in list_1 that is not in list_2, and a chain nests to the right, so list_1 EXCEPT list_2 EXCEPT list_3 reads as list_1 EXCEPT (list_2 EXCEPT list_3).
Cases:
- vsftpd: 172.16. EXCEPT 172.16.1.0/24 EXCEPT 172.16.1.1 (172.16.1.1 stands in for the single exempted host)
- If this rule is in hosts.allow, all hosts in 172.16.0.0/16 are allowed access except the 172.16.1.0/24 segment, with 172.16.1.1 inside that segment allowed again.
- If this rule is in hosts.deny, the 172.16.0.0/16 network is refused except the 172.16.1.0/24 segment, with 172.16.1.1 inside that segment refused again. Addresses outside 172.16.0.0/16 are not matched by this rule at all and are allowed unless another rule denies them.
spawn starts an external program when the rule matches, without changing the access decision. The program's standard input, output and error are connected to /dev/null, it runs with the privileges of the daemon (often root), and characters in % expansions that could confuse the shell are replaced by underscores.
Cases:
- sshd: ALL: spawn echo "$(date +%%F) login attempt from %c to %s,%d" >> /var/log/sshd.log
- Every connection to sshd then appends a record to /var/log/sshd.log. Note the colon in front of spawn, which is often forgotten, and that a literal % in the command (here in the date format) has to be written as %%.
- %c client information (user@host, user@address, a host name or just an address, depending on what is available)
- %s server information (daemon@host, daemon@address or just the daemon name)
- %d daemon (service) name
- %p daemon PID
- %% a single % character
twist replaces the requested service with the given command, so the real daemon never runs; the command's standard input, output and error are connected to the client, which makes it useful for refusing a connection with a message (unlike spawn, where they go to /dev/null). twist must be the last option in a rule.
Cases:
- Add the following to /etc/hosts.allow:
- vsftpd: 172.16.: twist /bin/echo "connection prohibited"
- For clients in 172.16.0.0/16 the action taken on a match is no longer the vsftpd service but /bin/echo "connection prohibited"; twist means substitution.
Test tools:
tcpdmatch [-d] daemon[@host] client
-d tests the hosts.allow and hosts.deny in the current directory instead of /etc, so a policy can be checked before it is installed; tcpdchk checks both files for syntax errors and unknown daemon names.
Cases:
- tcpdmatch -d sshd 192.168.5 (tests the configuration files in the current directory, not necessarily those in /etc)
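The rule evaluation described in the syntax, EXCEPT and spawn/twist passages above, and exercised by tcpdmatch, as an added example that is not code from this page or from the tcp_wrappers project: a Python dry-run evaluator that reads hosts.allow and hosts.deny text, applies the allow-first, first-match, default-allow order, the address and host-name patterns, right-nesting EXCEPT, and the allow/deny/spawn/twist options with % expansion. The two rule sets are constructed from the cases on this page; the 172.16.1.1 address, the 10.0.0. twist rule and the host name and PID values passed in are assumptions, no DNS lookups are performed (so PARANOID is not modelled), and spawn/twist commands are only expanded, never executed.

```python
"""Offline dry-run of tcp_wrappers access control (added example, not from the
page or the tcp_wrappers project). It follows hosts_access(5): hosts.allow is
searched first, then hosts.deny, the first matching rule wins, and a client that
matches neither file is GRANTED access. No DNS is done: host names are only
matched when the caller passes one in, so PARANOID is not modelled."""
import ipaddress
import re

# Constructed sample files, assembled from the cases discussed on this page.
HOSTS_ALLOW = """\
# logging rule first: later sshd rules would never be reached for clients it matches
sshd: ALL: spawn echo "$(date +%%F) login attempt from %c to %s,%d" >> /var/log/sshd.log
in.telnetd: 172.18.
vsftpd: 172.16. EXCEPT 172.16.1.0/24 EXCEPT 172.16.1.1
vsftpd: 10.0.0.: twist /bin/echo "connection prohibited"
"""
HOSTS_DENY = """\
in.telnetd: ALL
vsftpd: ALL
"""

def parse_rules(text):
    """Return (daemon_list, client_list, options) per rule line.
    Fields are separated by unescaped ':'; '\\:' inside an option is a literal colon."""
    rules = []
    for line in text.replace("\\\n", "").splitlines():   # join backslash continuations
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = [f.replace("\\:", ":").strip() for f in re.split(r"(?<!\\):", line)]
        rules.append((fields[0].replace(",", " ").split(),
                      fields[1].replace(",", " ").split(), fields[2:]))
    return rules

def list_match(tokens, match):
    """'a EXCEPT b EXCEPT c' nests to the right: a EXCEPT (b EXCEPT c)."""
    if "EXCEPT" in tokens:
        i = tokens.index("EXCEPT")
        return list_match(tokens[:i], match) and not list_match(tokens[i + 1:], match)
    return any(match(t) for t in tokens)

def daemon_match(pattern, daemon):
    return pattern == "ALL" or pattern.split("@", 1)[0] == daemon   # sshd@host: host part ignored

def client_match(pattern, addr, host=None):
    if pattern == "ALL":
        return True
    if pattern == "KNOWN":
        return host is not None
    if pattern == "UNKNOWN":
        return host is None
    if pattern == "LOCAL":                        # host name without a dot
        return host is not None and "." not in host
    if pattern.startswith("."):                   # .magedu.com : domain suffix
        return host is not None and host.lower().endswith(pattern.lower())
    if pattern.endswith("."):                     # 172.16.     : address prefix
        return addr.startswith(pattern)
    if "/" in pattern:                            # net/mask or net/prefixlen
        return ipaddress.ip_address(addr) in ipaddress.ip_network(pattern, strict=False)
    return pattern == addr or (host is not None and pattern.lower() == host.lower())

def expand(command, daemon, addr, host=None, pid=0):
    """Expand the %-escapes of hosts_access(5) used by spawn and twist (no server host info)."""
    fields = {"a": addr, "c": host or addr, "d": daemon, "h": host or addr,
              "n": host or "unknown", "p": str(pid), "s": daemon, "u": "unknown", "%": "%"}
    return re.sub(r"%(.)", lambda m: fields.get(m.group(1), m.group(0)), command)

def evaluate(daemon, addr, host=None, pid=0, allow=HOSTS_ALLOW, deny=HOSTS_DENY):
    """Return {'granted': bool, 'spawn': cmd|None, 'twist': cmd|None, 'rule': text|None}."""
    for verdict, text in (("allow", allow), ("deny", deny)):
        for daemons, clients, options in parse_rules(text):
            if not (list_match(daemons, lambda t: daemon_match(t, daemon))
                    and list_match(clients, lambda t: client_match(t, addr, host))):
                continue
            result = {"granted": verdict == "allow", "spawn": None, "twist": None,
                      "rule": " : ".join([" ".join(daemons), " ".join(clients)] + options)}
            for opt in options:
                key, _, arg = opt.partition(" ")
                key = key.lower()
                if key in ("allow", "deny"):      # explicit option overrides the file's verdict
                    result["granted"] = key == "allow"
                elif key == "spawn":
                    result["spawn"] = expand(arg.strip(), daemon, addr, host, pid)
                elif key == "twist":              # command replaces the service: daemon never runs
                    result["twist"] = expand(arg.strip(), daemon, addr, host, pid)
                    result["granted"] = False
            return result
    return {"granted": True, "spawn": None, "twist": None, "rule": None}   # no match: fail open

if __name__ == "__main__":
    for d, a in [("sshd", "172.18.0.10"), ("in.telnetd", "10.1.1.1"), ("vsftpd", "172.16.1.7"),
                 ("vsftpd", "172.16.1.1"), ("vsftpd", "10.0.0.5"), ("httpd", "203.0.113.9")]:
        print(d, a, evaluate(d, a, pid=4242))
```

The last case (httpd, which no rule mentions) is the one to keep in mind: the evaluator, like tcp_wrappers itself, reports it as granted, which is why a blacklist-only policy is incomplete without a final ALL: ALL in hosts.deny. tcpdmatch gives the same verdicts against the real files and additionally does the DNS checks this version leaves out.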