Another Access Control in Linux: TCP Wrapper

Source: Internet
Author: User

 

1. TCP Wrappers is a host-based access control facility built around the tcpd daemon and its library, libwrap. It can protect most TCP-based services, but only services that were explicitly linked against libwrap when they were compiled (or that are started through tcpd by a super-server such as inetd) honor its rules.

Its working principle is roughly this: a network service listens on a socket, which in practice means it loops, waiting for client connections to arrive on a port, and then does different work depending on the request. Services managed by tcpd can be standalone daemons or daemons started on demand by a super-server. When a client connection arrives it is checked against the access rules (by tcpd, or by the libwrap code inside the daemon itself) before the service is allowed to handle it.

2. How can we know which programs can be controlled by tcpd?

Whether a program honors TCP Wrappers can be checked in two ways.

1. ldd `which command` | grep wrap: if the binary was dynamically linked against the wrap library (libwrap) at compile time, the library shows up here and the program accepts control.

2. strings `which command` | grep hosts: the same thing can also be inferred from the strings embedded in the binary; look for file names starting with hosts.

If /etc/hosts.allow and /etc/hosts.deny appear in the output, the program supports TCP Wrappers access control. A statically linked binary shows no libwrap under ldd, so check both ways before concluding that a service is unprotected.

In fact, the control of TCP Wrappers is implemented with two files.

Access is generally allowed when a matching rule is written in /etc/hosts.allow, and denied when a matching rule is written in /etc/hosts.deny.

3. How is a client checked when it connects?

First /etc/hosts.allow is checked for a rule that matches both the service and the client. If there is one, access is granted immediately and the deny file is not consulted. If not, /etc/hosts.deny is checked; if a rule there matches, access is denied. If neither file contains a matching rule, access is allowed by default. A missing or empty file simply contains no matching rules, so a host with no rules at all accepts everything.

4. How to define access control:

Format: daemon_list: client_list [: option ...]

That is, a list of daemons, a colon, a list of clients, and optionally further colon-separated options.

4.1 Daemon representation: what goes here is not an arbitrary process name but the name of the daemon's executable file (the name the daemon hands to libwrap, for example in.telnetd for the telnet server started from inetd).

4.1.1. It can be the name of a single executable file

vsftpd: 192.168.0.

4.1.2. It can be a list of multiple services, separated by commas or blanks

vsftpd, sshd, in.telnetd:

4.1.3. The wildcard ALL can be used to indicate all services

ALL:

4.1.4. A service can be limited to connections arriving at a specific local address, using the daemon@server_address form

vsftpd@192.168.0.186

This form only makes a difference on a server with more than one address. When you restrict one service this way, make sure the other services that depend on it can still be reached by the clients you intend to allow.

4.2 How to define the client list

4.2.1. A single IP address can be used

IP address, for example 172.16.100.100

4.2.2. A network address can also be used

4.2.2.1: In the network/mask form the mask must be written in full dotted-quad form, for example 172.16.0.0/255.255.0.0. The prefix-length form (172.16.0.0/16) is not accepted by the original tcp_wrappers; check hosts_access(5) on your system before relying on it.

4.2.2.2: A network written with a trailing dot, such as 172.16., is a string prefix match on the client address and is equivalent to 172.16.0.0/255.255.0.0. The trailing dot is what makes it a prefix match.

4.2.3: Host names can be used

4.2.3.1: A single host name (FQDN) can be used

4.2.3.2: A domain can be used with a leading dot, for example .a.org, which matches all hosts in the a.org domain.

4.2.4: The following macros can be used:

ALL: all hosts (in the client list) or all services (in the daemon list)

LOCAL: local hosts, that is, hosts whose name contains no dot (non-FQDN host names)

KNOWN, UNKNOWN: hosts whose name and address can both be resolved, and hosts that cannot be resolved

PARANOID: hosts whose forward and reverse DNS resolution do not match

EXCEPT: excludes the hosts that follow it, as in list_1 EXCEPT list_2

4.3 Example:

How to control access to vsftpd:

Deny 172.16.100.100 access to vsftpd:

vim /etc/hosts.deny

vsftpd: 172.16.100.100

Note that it takes effect immediately: both files are re-read on every connection, so no restart or reload is needed.

Allow only the 172.16. network:

vim /etc/hosts.allow

vsftpd: 172.16.

vim /etc/hosts.deny

vsftpd: ALL

4.4: Use of EXCEPT:

Define that only 172.16.0.1 is allowed to access telnet:

vim /etc/hosts.deny

in.telnetd: ALL EXCEPT 172.16.0.1

4.5: Options:

spawn: run a command when the rule matches. The following expansions can be used in the command:

%u: client user name (as reported by the client's ident service, if any)

%a: client address

%A: server address

%d: daemon name

Use spawn to log: record every attempt to log on to telnet

in.telnetd: ALL EXCEPT 172.16.0.1: spawn /bin/echo "login attempt (`date`) %u from %a to %A, the daemon is %d" >> /var/log/telnet.log

Because this rule is in hosts.deny, the connection is still refused after the command runs; spawn never changes the verdict. The command is handed to /bin/sh, so use >> rather than > to append to the log instead of overwriting it on every attempt.

allow: grant access even from a rule in hosts.deny

Allow only the 172.16.0.0 network, with everything else denied, using hosts.deny alone:

vim /etc/hosts.deny

in.telnetd: 172.16.: allow

ALL: ALL

deny: refuse access even from a rule in hosts.allow

vim /etc/hosts.allow

in.telnetd: 172.16.: deny

With that line, telnet on this machine can no longer be reached from the 172.16. network even though the rule sits in hosts.allow. To allow the 172.16. network while still rejecting 172.16.100.100 (and everyone outside the network), nest EXCEPT:

vim /etc/hosts.deny

ALL: ALL EXCEPT 172.16. EXCEPT 172.16.100.100

EXCEPT nests to the right, so this reads as ALL EXCEPT (172.16. EXCEPT 172.16.100.100): everything outside 172.16. is denied, 172.16.100.100 is denied, and the rest of 172.16. falls through to the default allow.
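The following is an added example, not code from the original article and not part of tcp_wrappers itself: a small Python simulator of the evaluation order described in section 3 and the rule syntax of section 4 (daemon lists, daemon@address, ALL, EXCEPT including nested EXCEPT, exact addresses, trailing-dot prefixes, net/mask, leading-dot domains, LOCAL, and the allow/deny options). It assumes the client address and, where needed, the already-resolved host name are supplied by the caller; it does no DNS, so KNOWN, UNKNOWN and PARANOID are not implemented, spawn is ignored, and backslash line continuation is not handled. The rule texts embedded in it are constructed copies of the article's own examples, useful for checking what a rule set will do before it goes into /etc/hosts.allow and /etc/hosts.deny.

```python
"""Simulator of tcp_wrappers hosts.allow / hosts.deny evaluation (added example)."""
import ipaddress


def _match_list(tokens, matcher):
    """Evaluate 'a b EXCEPT c EXCEPT d'. EXCEPT nests to the right, as in
    hosts_access(5): 'a EXCEPT b EXCEPT c' means 'a EXCEPT (b EXCEPT c)'."""
    for i, tok in enumerate(tokens):
        if tok.upper() == "EXCEPT":
            head, tail = tokens[:i], tokens[i + 1:]
            return any(matcher(t) for t in head) and not _match_list(tail, matcher)
    return any(matcher(t) for t in tokens)


def _daemon_matches(pattern, daemon, server_ip):
    """'name' or 'name@server_address'; ALL matches every daemon."""
    name, _, at_addr = pattern.partition("@")
    if name.upper() != "ALL" and name != daemon:
        return False
    return not at_addr or at_addr == server_ip


def _client_matches(pattern, ip, host):
    """Client patterns: ALL, LOCAL, net/mask, '172.16.' prefix, '.a.org' suffix,
    or an exact address / host name. KNOWN, UNKNOWN and PARANOID need DNS and are
    deliberately left out of this simulator (assumption: caller resolved the name)."""
    up = pattern.upper()
    if up == "ALL":
        return True
    if up == "LOCAL":                      # host name without a dot
        return host is not None and "." not in host
    if "/" in pattern:                     # net/mask; real tcpd wants a dotted-quad mask
        return ipaddress.ip_address(ip) in ipaddress.ip_network(pattern, strict=False)
    if pattern.endswith("."):              # string prefix match on the address
        return ip.startswith(pattern)
    if pattern.startswith("."):            # domain suffix match on the host name
        return host is not None and host.lower().endswith(pattern.lower())
    return ip == pattern or (host is not None and host.lower() == pattern.lower())


def _parse_rules(text):
    """Turn file text into (daemon_tokens, client_tokens, options) triples.
    Comments start with '#'; lists may be separated by commas or blanks."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        fields = [f.strip() for f in line.split(":")]
        if len(fields) < 2:
            raise ValueError("rule needs 'daemon_list: client_list': %r" % line)
        daemons = fields[0].replace(",", " ").split()
        clients = fields[1].replace(",", " ").split()
        options = [o.lower() for o in fields[2:]]   # only allow/deny are honoured
        rules.append((daemons, clients, options))
    return rules


def hosts_access(daemon, client_ip, allow_text, deny_text, client_host=None, server_ip=None):
    """Return True if the connection is accepted.

    Order is tcpd's: the first matching rule in hosts.allow grants access and
    hosts.deny is never consulted; otherwise the first matching rule in
    hosts.deny refuses access; otherwise access is granted by default.
    An explicit 'allow' or 'deny' option overrides the verdict of the file."""
    for file_verdict, text in ((True, allow_text), (False, deny_text)):
        for daemons, clients, options in _parse_rules(text):
            if (_match_list(daemons, lambda d: _daemon_matches(d, daemon, server_ip))
                    and _match_list(clients, lambda c: _client_matches(c, client_ip, client_host))):
                if "deny" in options:
                    return False
                if "allow" in options:
                    return True
                return file_verdict
    return True


# Constructed rule texts mirroring the article's examples in sections 4.3 to 4.5.
ALLOW_VSFTPD_NET = "vsftpd: 172.16.\n"
DENY_VSFTPD_ALL = "vsftpd: ALL\n"
DENY_TELNET_EXCEPT = "in.telnetd: ALL EXCEPT 172.16.0.1\n"
DENY_WITH_ALLOW_OPTION = "in.telnetd: 172.16. : allow\nALL: ALL\n"
ALLOW_WITH_DENY_OPTION = "in.telnetd: 172.16. : deny\n"
DENY_NESTED_EXCEPT = "ALL: ALL EXCEPT 172.16. EXCEPT 172.16.100.100\n"


def demo():
    """Evaluate a few of the article's examples; returns {description: accepted}."""
    return {
        "vsftpd from 172.16.5.5 with allow 172.16. / deny ALL":
            hosts_access("vsftpd", "172.16.5.5", ALLOW_VSFTPD_NET, DENY_VSFTPD_ALL),
        "vsftpd from 10.0.0.1 with allow 172.16. / deny ALL":
            hosts_access("vsftpd", "10.0.0.1", ALLOW_VSFTPD_NET, DENY_VSFTPD_ALL),
        "telnet from 172.16.0.2 with deny ALL EXCEPT 172.16.0.1":
            hosts_access("in.telnetd", "172.16.0.2", "", DENY_TELNET_EXCEPT),
        "telnet from 172.16.100.100 with nested EXCEPT in hosts.deny":
            hosts_access("in.telnetd", "172.16.100.100", "", DENY_NESTED_EXCEPT),
    }


if __name__ == "__main__":
    for description, accepted in demo().items():
        print("%-60s %s" % (description, "allow" if accepted else "deny"))
```

Run it directly to see the verdict for each example, or call hosts_access() with your own rule text to test a candidate rule set against a list of client addresses. The simulator accepts the 172.16.0.0/16 prefix form because ipaddress does; the real tcpd on an unpatched system does not, so write masks as dotted quads in the actual files.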
