Allow and deny for Linux hosts
/etc/hosts.allow and /etc/hosts.deny are two files that control remote access: through them the administrator can allow or deny a client IP address, or an IP range, access to a Linux service.
A network firewall is the first line of defence against unauthorized hosts reaching the network, but it should not be the only barrier.
Linux uses two files, /etc/hosts.allow and /etc/hosts.deny, to restrict access to a service based on the source of the network request.
The hosts.allow file lists the hosts that are allowed to connect to a specific service, while the hosts.deny file lists the hosts whose access is refused.
However, these two files only control access to services that go through the hosts_access check of TCP Wrappers (the tcpd daemon or the libwrap library), such as services managed by xinetd, an sshd built with libwrap support, and a sendmail configured to use it. A daemon that is not linked against libwrap ignores both files entirely, so check with ldd $(which sshd) | grep libwrap before relying on them; note that OpenSSH dropped its libwrap support in version 6.7.
In most cases it is wise to deny everything first and then allow access to critical services only from the specified hosts.
We recommend that, by default, the following line is added to hosts.deny, denying all access:
ALL:ALL
Next, you can grant access individually in hosts.allow. The following configuration allows access to SSH from the network 192.168.0.0/16 and access to sendmail from anywhere:
sshd:192.168.0.0/255.255.0.0
sendmail:ALL
Each line of the two files has the format daemon:client or daemon:network, optionally followed by :allow or :deny (spaces around the colons are permitted). Refused connection attempts are logged through syslog, and connections from hosts that are not allowed to use the service are closed immediately.
Most Linux distributions ship hosts.allow and hosts.deny by default, but they are usually empty apart from comments.
Modify the /etc/hosts.allow file:
#
# hosts.allow   This file describes the names of the hosts which are
#               allowed to use the local INET services, as decided
#               by the '/usr/sbin/tcpd' server.
#
sshd:210.13.218.*:allow
sshd:222.77.15.*:allow
The above means that hosts in the 210.13.218.0/24 and 222.77.15.0/24 ranges are allowed to connect to the sshd service (the prefix form 210.13.218. with a trailing dot is equivalent). These rules only have an effect together with a matching deny rule in hosts.deny, and the trailing :allow can be omitted entirely, since allow is the default verdict of hosts.allow.
If the administrator always connects from a single IP address, the rule is even simpler:
ALL:218.24.129.110
This accepts all requests from the address 218.24.129.110 for every wrapped service. Comments in these files start with #; a // suffix is not comment syntax and would break the rule.
The /etc/hosts.deny file is the deny list; its contents look like this:
#
# hosts.deny    This file describes the names of the hosts which are
#               *not* allowed to use the local INET services, as decided
#               by the '/usr/sbin/tcpd' server.
#
# The portmap line is redundant, but it is left to remind you that
# the new secure portmap uses hosts.deny and hosts.allow. In particular
# you should know that NFS uses portmap!
sshd:ALL:deny
Note: sshd:ALL:deny means that all remote sshd connections are refused. The trailing :deny can be omitted, since deny is the default verdict of hosts.deny.
So: when hosts.allow and hosts.deny conflict, the hosts.allow setting prevails.
Note: after editing, no service restart is needed. tcpd and libwrap read both files afresh on every incoming connection, so the change takes effect immediately; restarting xinetd is only required when xinetd's own configuration changes.
/etc/hosts.allow (allow) and /etc/hosts.deny (deny) are the configuration files of TCP Wrappers, i.e. the tcpd daemon and the libwrap library.
tcpd and libwrap control which external IP addresses may reach the local services they wrap.
The system checks /etc/hosts.allow first; if a rule there matches, access is granted. Otherwise /etc/hosts.deny is checked, and a matching rule there refuses access. If neither file matches, access is granted, which is why the ALL:ALL line in hosts.deny matters. A host listed in both files is therefore allowed, because hosts.allow is consulted first and the search stops at the first match.
For example:
1. Disable SSH access to the Linux host for all IP addresses:
add the line sshd:ALL:deny to /etc/hosts.deny
2. Disable SSH access for one IP address (192.168.11.112):
add the line sshd:192.168.11.112 to /etc/hosts.deny
3. If the rule sshd:192.168.11.112 is present in both /etc/hosts.deny and /etc/hosts.allow, then 192.168.11.112 can access the host's SSH service, because hosts.allow is consulted first.
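To make the evaluation order concrete, the following is an added Python model of the hosts_access decision; it is example code written for this page, not code from the original article or from the TCP Wrappers project. It searches hosts.allow before hosts.deny, stops at the first matching rule, applies a trailing :allow/:deny option when present, and falls back to allow when nothing matches. It assumes IPv4 client patterns only (ALL, exact address, net/mask, trailing-dot prefix, and * or ? wildcards); hostnames, EXCEPT lists, KNOWN/UNKNOWN/PARANOID and IPv6 are not modelled. The two embedded file contents are constructed samples that reuse the rules from this article, and the daemon name vsftpd is used only as an arbitrary second service.

```python
"""Added model of the TCP Wrappers (tcpd/libwrap) hosts_access decision.

Order of evaluation, from hosts_access(5):
  1. hosts.allow is searched; the first matching rule grants access
  2. otherwise hosts.deny is searched; the first matching rule refuses access
  3. otherwise access is granted (hence the recommended ALL:ALL in hosts.deny)
A trailing ':allow' or ':deny' option on a rule overrides the file's default verdict.

Assumptions (not from the article): IPv4 client patterns only; hostnames,
EXCEPT lists, KNOWN/UNKNOWN/PARANOID and IPv6 are not modelled.
"""
import fnmatch
import ipaddress

ALLOW, DENY = "allow", "deny"


def parse_rules(text):
    """Parse 'daemon_list : client_list [: option]' lines. '#' starts a comment."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = [f.strip() for f in line.split(":")]
        if len(fields) < 2 or not fields[0] or not fields[1]:
            raise ValueError("malformed rule: %r" % raw)
        option = fields[2].lower() if len(fields) > 2 else None
        rules.append((fields[0].split(), fields[1].split(), option))
    return rules


def daemon_matches(pattern, daemon):
    """Daemon field: the keyword ALL or the program's base name (case-insensitive)."""
    return pattern.upper() == "ALL" or pattern.lower() == daemon.lower()


def client_matches(pattern, ip):
    """Client field forms handled: ALL, net/mask, trailing-dot prefix, wildcards, exact address."""
    if pattern.upper() == "ALL":
        return True
    if "/" in pattern:                       # 192.168.0.0/255.255.0.0 or 192.168.0.0/16
        return ipaddress.IPv4Address(ip) in ipaddress.IPv4Network(pattern, strict=False)
    if pattern.endswith("."):                # 210.13.218. matches 210.13.218.0 .. .255
        return ip.startswith(pattern)
    if "*" in pattern or "?" in pattern:     # 210.13.218.* (shell-style wildcard)
        return fnmatch.fnmatchcase(ip, pattern)
    return ip == pattern                     # exact address


def hosts_access(allow_text, deny_text, daemon, ip):
    """Return 'allow' or 'deny' for (daemon, ip), searching hosts.allow before hosts.deny."""
    ip = str(ipaddress.IPv4Address(ip))      # rejects anything that is not a valid IPv4 address
    for text, default in ((allow_text, ALLOW), (deny_text, DENY)):
        for daemons, clients, option in parse_rules(text):
            if any(daemon_matches(d, daemon) for d in daemons) and \
                    any(client_matches(c, ip) for c in clients):
                return option if option in (ALLOW, DENY) else default
    return ALLOW                             # no rule in either file: access is granted


# Constructed sample files reusing the rules from this article.
HOSTS_ALLOW = """\
sshd: 192.168.0.0/255.255.0.0
sendmail: ALL
sshd: 210.13.218.* : allow
ALL: 218.24.129.110
"""

HOSTS_DENY = """\
sshd: 192.168.11.112
ALL: ALL
"""

if __name__ == "__main__":
    for daemon, ip in (("sshd", "192.168.11.112"), ("sshd", "10.0.0.5"),
                       ("sendmail", "10.0.0.5"), ("vsftpd", "218.24.129.110"),
                       ("vsftpd", "218.24.129.111")):
        verdict = hosts_access(HOSTS_ALLOW, HOSTS_DENY, daemon, ip)
        print("%-8s from %-15s -> %s" % (daemon, ip, verdict))
```

The first case shows the point of example 3 above: 192.168.11.112 is refused by hosts.deny but still gets in because the 192.168.0.0/16 rule in hosts.allow is found first. Calling hosts_access with an empty deny file also shows why the ALL:ALL line is needed: with no matching rule in either file the verdict is allow. On a host where the tcp_wrappers tools are installed, the same question is answered by tcpdmatch sshd 192.168.11.112, and tcpdchk reports syntax errors and rules that refer to services not under the wrapper's control.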