Use of TCP Wrapper in Linux

The purpose of tcpwrapper is to provide access control functions for services with weak access control functions. To understand access control, you must first understand the concept of service listening:

Two Methods of Service Listening:

Listen: Socket listeners provide services on sockets

View a port to provide services without stopping the loop

 

 

There are two ways to determine whether a Service supports TCP Wrapper:

1. Check whether libwrap exists by searching the library file.

LDD 'which command'

2. check whether it is connected to/etc/hosts. Allow | deny

Strings 'which command' # view the static Link Library

If/etc/hosts. Allow

/Etc/hosts. Deny indicates that the command is statically linked to tcpwrraper.

 

Tcpwrraper itself works in the kernel, but these two files can be used to provide access control

 

Request

Bytes

Service --->/etc/hosts. Allow ---> allow if yes

Region not

/Etc/hosts. deny ----> if not, release

Bytes

If a specified match is rejected

/Etc/hosts. Allow | deny file format: damon_list: client_list [: Option]

Matching Service list: damon_list

Vsftpd: 192.168.0.

Vsftpd, sshd, In. telnetd:

All

Daemon @ host

Vsftpd@192.168.0.186

#192.168.0 stands for 192.168.0.0.

# Multiple services can be specified at a time

# You can use the wildcard "all" to specify all services.

# @ Only control a host

 

Match the client list clent_list

IP

Network Address

Network/mask: The mask cannot use the length format, but must have a full IP address format.

172.16.0.0 ---> 172.16. You can also abbreviated the CIDR Block

Hostname

FQDN

. A. Rog indicates all hosts in the.org domain.

 

Option

Spawn # You can use spawn to define logs.

Spawn echo ""

# The following defines a condition. A log is recorded as long as the user logs on via Telnet.

Vim/etc/hosts. Deny

In. telnetd: all variables t 172.16.0.1: spawnecho "Login attemp ('date') % u from % A attemp to login % A, the deamon is % d. ">/var/log/telnet. log

# Note that it cannot be followed by ECHO: The semicolon has special significance here.

# You can use man 5 hosts_access to view the meaning of the preceding %.

 

Common macro definition macro

All # indicates all hosts or all services

Local # indicates the local host, not the FQDN host

Known # indicates the host that can be parsed

Unknown # reverse host that can be parsed

Paranoid # host with unmatched positive/reverse resolution

T # exclude a host or a network

 

-

How to Control vsftpd access

1. which vsftpd # determine the file path 2. vim/etc/hosts. deny # change the file to take effect immediately. vsftpd: 172.16.100.100 # assume that only 172.16 network segments are allowed to access Vim/etc/hosts. allowvsftpd: 171.16 # Only 172.16.0.0/16 network segment Vim/etc/hosts is allowed. denyall: All # deny login from other users

In this way, only the CIDR Block 172.16.0.0 can be accessed.

 

 

Control ssh. Only logon to the 192.168.0.32 network segment is allowed, and logon to the 192.168.0.32 network segment is not allowed.

vim /etc/hosts.denyALL:ALLvim /etc/hosts.allowsshd: 192.168.0 EXCEPT 192.168.0.32

Effect:

Remove all: All in/etc/hosts. Deny to resume logon.