Tcpwrappers -- filter the TCP header (/usr/sbin/tcpd)

Control files and rule matching sequence:

    tcp --> tcpwrappers --> hosts.allow --> hosts.deny

By default these two files are empty, and any rules written to them take effect immediately.

1. If a rule in hosts.allow matches the connection, the match ends (the connection is allowed).
2. If no rule in hosts.allow matches, hosts.deny is checked. If a rule there matches, the connection is rejected.
3. If no rule matches in either hosts.allow or hosts.deny, the connection is allowed.

Firewall rule design philosophy: first reject all requests in hosts.deny, then release the wanted ones in hosts.allow one by one.

The basis for tcpwrappers filtering is the service name, which is actually the name of the service's binary file (vsftpd/httpd/postfix/samba/nfs/sshd/squid/xinetd):

    vsftpd:  /usr/sbin/vsftpd
    sshd:    /usr/sbin/sshd
    portmap: /sbin/portmap --> rpcbind
    xinetd:  /usr/sbin/xinetd

Check whether vsftpd supports tcpwrappers. The call path is client --> vsftpd -(libwrap.so)-> tcpwrappers, so the service must be linked against libwrap:

    # rpm -ql tcp_wrappers | grep '\<libwrap.so\>'
    /usr/lib/libwrap.so

Query whether the xinetd service (or any other daemon) supports tcpwrappers filtering:

1. ldd: check for libwrap in the linked libraries

    # ldd `which xinetd` | grep wra
    libwrap.so.0 => /lib/libwrap.so.0 (0x00110000)
    # ldd `which vsftpd` | grep wra
    libwrap.so.0 => /lib/libwrap.so.0 (0x003e1000)

2. strings: check whether the binary references the control files

    # strings /sbin/portmap | grep 'hosts.*'
    /etc/hosts.allow
    /etc/hosts.deny

------------------

Instance 1:

    # service vsftpd start
    Starting vsftpd for vsftpd: [OK]
    # chkconfig krb5-telnet on
    # service xinetd restart
    Stopping xinetd: [OK]
    Starting xinetd: [OK]
    # netstat -tnlp | grep :21
    tcp 0 0 0.0.0.0:21 0.0.0.0:* LISTEN 2578/vsftpd
    # netstat -tnlp | grep :23
    tcp 0 0 0.0.0.0:23 0.0.0.0:* LISTEN 2635/xinetd

----------

Set rules:

1. telnet: only 192.168.0.254 can access.
2. vsftpd: 192.168.0.0/24 can access, except 192.168.0.254.
3. sshd: only 192.168.0.254 can access, and an email is sent to the administrator whenever there is a login attempt.
4. The local machine can access all three services.

    [root@mail]# vim /etc/hosts.deny
    vsftpd: ALL
    in.telnetd: ALL
    sshd: ALL

    [root@mail]# vim /etc/hosts.allow
    in.telnetd: 192.168.0.254
    sshd: 192.168.0.254: spawn echo "login attempt from %c to %s" | mail -s "information about sshd login attempt" root@baidu.com
    vsftpd: 192.168.0.0/255.255.255.0 EXCEPT 192.168.0.254
    ALL: LOCAL, .baidu.com

Keywords used above:

    spawn   execute a command when the rule matches
    %c      client address
    %s      server address
    LOCAL   the local host

hosts.allow and hosts.deny format:

    service name 1, service name 2, ... : client address [: action]

1. Service name: how to find it is described above (the name of the service's binary file).
2. Client address: ALL; a network/mask such as 192.168.0.0/255.255.255.0; a single host such as 192.168.0.127; a domain suffix such as .uplooking.com.
3. Action: ALLOW or DENY.
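To make the matching sequence concrete, the following is an added example (not code from the original page) that models how tcpd evaluates the rules above: hosts.allow is checked first, then hosts.deny, and a connection that matches neither file is allowed. It is a simplified model (the spawn action is parsed but not executed, and client names are not resolved), with the two control files embedded as constructed strings copied from the page.

```python
import ipaddress

# Constructed copies of the page's two control files (example input only).
HOSTS_ALLOW = """
in.telnetd: 192.168.0.254
sshd: 192.168.0.254: spawn echo "login attempt from %c to %s" | mail -s "sshd login attempt" root@baidu.com
vsftpd: 192.168.0.0/255.255.255.0 EXCEPT 192.168.0.254
ALL: LOCAL, .baidu.com
"""
HOSTS_DENY = """
vsftpd: ALL
in.telnetd: ALL
sshd: ALL
"""

def _match_host(pattern, client):
    """One client pattern: ALL, LOCAL, net/mask, .domain suffix, or an exact address."""
    if pattern == "ALL":
        return True
    if pattern == "LOCAL":            # LOCAL = a name without a dot in it
        return "." not in client
    if "/" in pattern:                # network/mask form, e.g. 192.168.0.0/255.255.255.0
        try:
            addr = ipaddress.ip_address(client)
        except ValueError:
            return False              # a hostname never matches a net/mask pattern
        net, mask = pattern.split("/")
        return addr in ipaddress.ip_network(f"{net}/{mask}", strict=False)
    if pattern.startswith("."):       # leading dot = domain suffix match
        return client.endswith(pattern)
    return client == pattern

def _match_list(field, client):
    """A client field is 'a, b' or 'a, b EXCEPT c'; EXCEPT carves out exceptions."""
    include, _, exclude = field.partition(" EXCEPT ")
    hit = any(_match_host(p.strip(), client) for p in include.split(","))
    if hit and exclude:
        hit = not any(_match_host(p.strip(), client) for p in exclude.split(","))
    return hit

def _file_matches(text, daemon, client):
    """Return True if any 'daemons : clients [: action]' line in the file matches."""
    for line in text.strip().splitlines():
        fields = [f.strip() for f in line.split(":")]
        if len(fields) < 2:
            continue
        daemons = [d.strip() for d in fields[0].split(",")]
        if ("ALL" in daemons or daemon in daemons) and _match_list(fields[1], client):
            return True
    return False

def access_decision(daemon, client):
    """The page's sequence: allow-file match -> allow; deny-file match -> deny; else allow."""
    if _file_matches(HOSTS_ALLOW, daemon, client):
        return "allow"
    if _file_matches(HOSTS_DENY, daemon, client):
        return "deny"
    return "allow"
```

Note that a daemon with no rule in either file (httpd here) is allowed, which is why the page's philosophy puts a blanket deny in hosts.deny for every wrapped service you want to restrict.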