Allow and deny for Linux hosts

Source: Internet
Author: User



/etc/hosts.allow and /etc/hosts.deny are the two files that control remote access settings; through them an administrator can allow or deny a client at a given IP address or address range access to a Linux service.


Network firewalls are the first line of protection against unauthorized hosts accessing the network, but they should not be the only barrier.

Linux uses two files, /etc/hosts.allow and /etc/hosts.deny, to restrict access to services based on the source of the network request.

The hosts.allow file lists the hosts that are allowed to connect to a specific service, while the hosts.deny file is responsible for restricting access.

However, these two files only control access to services that perform the hosts_access check, such as those managed by xinetd, sshd, and suitably configured sendmail.

In most cases it is wise to deny everything first and then allow access to critical services only from specified hosts.

We recommend that, by default, the following line is added to the hosts.deny file, denying all access:

ALL: ALL

Next, you can grant access individually in the hosts.allow file. The following configuration allows access to SSH from the network 192.168/16 and access to sendmail from anywhere:

sshd: 192.168.0.0/255.255.0.0
sendmail: ALL

In both files, each line has the form service: host or service: network. Failed connection attempts are recorded in syslog. Connections from hosts that are not allowed to access the service are closed immediately.

Most Linux distributions ship hosts.allow and hosts.deny by default, but they are usually empty.



Modify the /etc/hosts.allow file

#
# hosts.allow   This file describes the names of the hosts which are
#               allowed to use the local INET services, as decided
#               by the '/usr/sbin/tcpd' server.
#
sshd: 210.13.218.*: allow
sshd: 222.77.15.*: allow


The lines above mean that the 210.13.218.* and 222.77.15.* address ranges are allowed to connect to the sshd service (this must be used together with the hosts.deny file); the trailing :allow can of course be omitted entirely.

Of course, if the administrator always connects from a single IP address, this is even easier to write:

# accept all requests from this one IP address
ALL: 218.24.129.110



/etc/hosts.deny file: this file is the list of denied services, and its contents are as follows:

#
# hosts.deny    This file describes the names of the hosts which are
#               *not* allowed to use the local INET services, as decided
#               by the '/usr/sbin/tcpd' server.
#
# The portmap line is redundant, but it is left to remind you that
# the new secure portmap uses hosts.deny and hosts.allow.  In particular
# you should know that NFS uses portmap!
sshd: ALL: deny


Note: sshd: ALL: deny means that all remote sshd connections are rejected. The trailing :deny can be omitted.

So: when hosts.allow and hosts.deny conflict, the hosts.allow settings prevail.


Note: when you have finished modifying the files, run

service xinetd restart

for the changes to take effect.

/etc/hosts.allow (allow) and /etc/hosts.deny (deny): these two files are the configuration files of the tcpd server.

The tcpd server controls which external IP addresses may access the local services.

The Linux system checks the /etc/hosts.deny rules first, then the /etc/hosts.allow rules, and if there is a conflict the /etc/hosts.allow rule takes precedence.

For example:

1. Disable SSH access to the Linux host from all IP addresses

Add a line to /etc/hosts.deny: sshd: ALL: deny

2. Disable SSH access from one IP address (192.168.11.112)

Add a line to /etc/hosts.deny: sshd: 192.168.11.112

3. If the rule sshd: 192.168.11.112 exists in both /etc/hosts.deny and /etc/hosts.allow, then 192.168.11.112 can still access the host's SSH service.
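The following is an added example, not code from the original page: a small Python model of the hosts_access(5) lookup that tcpd/libwrap performs, fed with the page's recommended hosts.allow and hosts.deny contents (embedded here as constructed strings). It follows the evaluation order documented in hosts_access(5): hosts.allow is consulted first and the first matching rule decides, then hosts.deny, and a client that matches neither file is accepted; that first-match order is why an allow entry prevails over a conflicting deny entry, as in example 3 above. Only the client patterns the page uses are modelled (ALL, an exact IPv4 address, a leading-octets prefix such as 210.13.218.*, and net/mask); hostnames, EXCEPT lists and other options are left out.

```python
import ipaddress

# Added example, not code from the original page: a model of how
# tcp_wrappers' hosts_access(5) evaluates /etc/hosts.allow and
# /etc/hosts.deny for one client. Rule form: "daemon: client_list [: allow|deny]".
# Client patterns modelled: ALL, an exact IPv4 address, a prefix ending in
# "." or ".*" (210.13.218.*), and net/mask. Hostnames, EXCEPT etc. are omitted.

# The page's recommended configuration (constructed here as strings).
HOSTS_DENY = "ALL: ALL\n"
HOSTS_ALLOW = "sshd: 192.168.0.0/255.255.0.0\nsendmail: ALL\n"

def parse_rules(text):
    """Return a list of (daemon, [client_patterns], explicit_option_or_None)."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()      # '#' starts a comment
        if not line:
            continue
        parts = [p.strip() for p in line.split(":")]
        option = parts[2].lower() if len(parts) > 2 else None
        rules.append((parts[0], parts[1].split(), option))
    return rules

def client_matches(pattern, ip):
    addr = ipaddress.ip_address(ip)
    if pattern.upper() == "ALL":
        return True
    if pattern.endswith(".") or pattern.endswith(".*"):
        return ip.startswith(pattern.rstrip("*"))  # leading-octets prefix match
    if "/" in pattern:                             # e.g. 192.168.0.0/255.255.0.0
        return addr in ipaddress.ip_network(pattern, strict=False)
    return addr == ipaddress.ip_address(pattern)

def rule_matches(rule, daemon, ip):
    rdaemon, clients, _ = rule
    daemon_ok = rdaemon.upper() == "ALL" or rdaemon.lower() == daemon.lower()
    return daemon_ok and any(client_matches(c, ip) for c in clients)

def hosts_access(daemon, ip, allow_text=HOSTS_ALLOW, deny_text=HOSTS_DENY):
    """True if the connection is accepted. hosts.allow is consulted first and
    the first matching rule decides; then hosts.deny; no match means allow."""
    for rule in parse_rules(allow_text):
        if rule_matches(rule, daemon, ip):
            return rule[2] != "deny"               # an explicit ':deny' overrides
    for rule in parse_rules(deny_text):
        if rule_matches(rule, daemon, ip):
            return rule[2] == "allow"
    return True
```

Calling hosts_access("sshd", "10.0.0.1") against the embedded files returns False while hosts_access("sendmail", "10.0.0.1") returns True, which is the behaviour the recommended configuration is meant to produce.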



