1. TCP Wrapper is a host-based access control layer built on tcpd and its library, libwrap. It can protect most TCP-based services, but only a service that was explicitly compiled (linked) against libwrap, or that is started through tcpd from inetd, will honour it.
The working principle is roughly this: a network service listens on a socket in a loop, repeatedly checking for client requests arriving on its port, and then performs different tasks according to each request. Services managed by tcpd may be standalone daemons (linked against libwrap) or inetd-managed (spawned via tcpd). When a client request arrives, it is checked against the TCP Wrapper rules before it is handed to the service.
2. How can we tell which programs can be controlled by tcpd?
Whether a program honours TCP Wrapper control can be checked in two ways (COMMAND stands for the daemon's executable, e.g. sshd or vsftpd):
1. ldd $(which COMMAND) | grep wrap: if the binary was dynamically linked against the wrap library (libwrap) at compile time, it accepts control. Do not run ldd on an untrusted binary, since ldd may execute the program's dynamic loader.
2. strings $(which COMMAND) | grep hosts: this also reveals whether control is enabled, and it works even when libwrap was linked statically (where ldd shows nothing). What it displays is the file names the binary carries; there should be entries starting with hosts.
If /etc/hosts.allow and /etc/hosts.deny appear in the output, the program supports TCP Wrapper access control.
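A small script that applies both checks to a list of binaries, added here as an example (it is not part of the original page). It runs ldd and looks for libwrap, then falls back to scanning the file bytes for the hosts.allow / hosts.deny names, which is what the strings check shows and which also catches a statically linked libwrap. It assumes a Linux host with ldd installed; the default daemon paths are only guesses for a typical install, and the same caveat as above applies: only point ldd at binaries you trust.

```python
"""Check whether a binary honours TCP Wrappers (added example, not from the page).

Applies the two checks from section 2: `ldd BIN | grep libwrap` for a dynamically
linked libwrap, then a byte scan for the hosts.allow / hosts.deny names (what
`strings BIN | grep hosts` shows), which also catches a statically linked libwrap.
Assumes Linux; the binary paths in __main__ are assumptions for a typical install.
Caveat: ldd may execute the binary's dynamic loader, so only run it on binaries
you trust.
"""
import os
import shutil
import subprocess


def linked_to_libwrap(path):
    """True if ldd lists libwrap among the binary's shared libraries."""
    if shutil.which("ldd") is None:
        return False  # no ldd here; the caller falls back to the byte scan
    proc = subprocess.run(["ldd", path], capture_output=True, text=True)
    # ldd exits non-zero ("not a dynamic executable") for static binaries
    return proc.returncode == 0 and "libwrap" in proc.stdout


def embeds_hosts_access_files(path):
    """True if the binary carries the literal hosts.allow/hosts.deny names (heuristic)."""
    with open(path, "rb") as fh:
        data = fh.read()
    return b"hosts.allow" in data or b"hosts.deny" in data


def wrap_support(path):
    """Return 'dynamic', 'static' or 'none'; raise FileNotFoundError if the file is absent."""
    if not os.path.isfile(path):
        raise FileNotFoundError(path)
    if linked_to_libwrap(path):
        return "dynamic"
    if embeds_hosts_access_files(path):
        return "static"
    return "none"


if __name__ == "__main__":
    import sys
    # Default paths are assumptions; pass your own daemons as arguments.
    for bin_path in sys.argv[1:] or ["/usr/sbin/sshd", "/usr/sbin/vsftpd", "/bin/sh"]:
        try:
            print(bin_path, wrap_support(bin_path))
        except FileNotFoundError:
            print(bin_path, "not installed")
```

A result of "none" for a daemon you expected to be wrapped means hosts.allow and hosts.deny are simply ignored for it; put the service behind tcpd in inetd/xinetd or use a host firewall instead.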
In fact, TCP Wrapper control is implemented through two files:
access is generally allowed for whatever is written in /etc/hosts.allow, and denied for whatever is written in /etc/hosts.deny.
3. How is a client checked when it arrives?
/etc/hosts.allow is consulted first: if it contains a matching entry, access is granted at once. If not, /etc/hosts.deny is checked: if it contains a matching entry, access is explicitly denied. If neither file matches, access is allowed by default. Within each file the first matching rule wins, and both files are re-read on every connection, so edits take effect without restarting any service.
4. How to define access control:
Format: daemon_list : client_list [: option ...]
That is, a list of processes, a colon, a list of clients, and optionally one or more further colon-separated options.
4.1 Daemon list: the entry is the name of the process's executable file (for example in.telnetd), not a service name from /etc/services.
4.1.1. A single executable name:
vsftpd: 192.168.0.
4.1.2. A comma- or space-separated list of several services:
vsftpd, sshd, in.telnetd:
4.1.3. The wildcard ALL stands for all services:
ALL:
4.1.4. A service only when it is reached on a specific local address (the daemon@server form):
vsftpd@192.168.0.186
This limits the rule to connections arriving on that server address (useful on a multi-homed host). When you restrict a particular service this way, make sure the other services that depend on it can still be served.
4.2 How to define the client list
4.2.1. A single IP address, for example 172.16.100.100
4.2.2. A network address:
4.2.2.1: In network/mask form the mask must be written out in full (172.16.0.0/255.255.0.0); the prefix-length form (172.16.0.0/16) is not accepted by the classic tcp_wrappers syntax.
4.2.2.2: A prefix ending in a dot, such as 172.16., is recognised automatically as 172.16.0.0/255.255.0.0.
4.2.3: A host name:
4.2.3.1: a single fully qualified host name (FQDN)
4.2.3.2: a domain written with a leading dot, for example .a.org, which matches every host in the a.org domain.
Host-name patterns depend on reverse DNS for the client address, which the client's network operator controls, so address-based patterns are the safer choice.
4.2.4: The built-in macros:
ALL: all hosts (in the client list) or all services (in the daemon list)
LOCAL: local hosts, i.e. names without a dot (non-FQDN host names)
KNOWN, UNKNOWN: hosts whose name and address can be resolved, and hosts that cannot be resolved
PARANOID: hosts whose forward and reverse DNS lookups do not match
EXCEPT: a list minus an exclusion, for example ALL EXCEPT 172.16.100.100; EXCEPT clauses nest, so a EXCEPT b EXCEPT c reads as a EXCEPT (b EXCEPT c)
4.3 Examples:
How to control access to vsftpd:
Deny 172.16.100.100 access to vsftpd:
vim /etc/hosts.deny
vsftpd: 172.16.100.100
Note that this takes effect immediately; no service needs to be restarted.
Allow only the 172.16.0.0/16 network:
vim /etc/hosts.allow
vsftpd: 172.16.
vim /etc/hosts.deny
vsftpd: ALL
4.4: Using EXCEPT to exclude hosts from a list
Allow only 172.16.0.1 to access telnet:
vim /etc/hosts.deny
in.telnetd: ALL EXCEPT 172.16.0.1
4.5: Options (the third field):
: spawn: run a command when the rule matches. The following expansions can be used in the command:
%u: the client user name (looked up via ident/RFC 931, so it is often unavailable and is client-controlled; use it for logging only)
%a: the client address
%A: the server address
%d: the daemon (service) name
Using spawn to write a log entry:
Log any user's attempt to log in via telnet:
in.telnetd: ALL EXCEPT 172.16.0.1: spawn /bin/echo "login attempt (`date`) by %u from %a to %A, the daemon is %d" >> /var/log/telnet.log
The command runs with the privileges of the daemon, and the % expansions are sanitised so a hostile host name cannot smuggle shell metacharacters into it. Use >> rather than > so that each attempt is appended instead of overwriting the log.
: allow: grant access from within hosts.deny
Allow only the 172.16.0.0/16 network (rules are evaluated top to bottom and the first match wins, so the allow rule must come first):
vim /etc/hosts.deny
in.telnetd: 172.16. : allow
ALL: ALL
Note that ALL: ALL also refuses every other wrapped service; to restrict only telnet, write in.telnetd: ALL instead.
: deny: refuse access from within hosts.allow
vim /etc/hosts.allow
in.telnetd: 172.16. : deny
With nested EXCEPT a single rule can express a policy such as: telnet on this host is refused to everyone except the 172.16.0.0/16 network, but 172.16.100.100 is rejected as well.
In /etc/hosts.deny:
in.telnetd: ALL EXCEPT 172.16. EXCEPT 172.16.100.100
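To check rules like the ones in 4.3, 4.4 and 4.5 before putting them on a server, the following is a simplified re-implementation of the lookup order from section 3 and the client-list syntax from 4.2, added here as an example; it is not part of the original page and it is not libwrap itself. It covers daemon lists, the daemon@server form, ALL, trailing-dot prefixes, net/mask with a dotted mask, leading-dot domains, LOCAL/KNOWN/UNKNOWN, nested EXCEPT and the inline allow/deny options. PARANOID needs a live forward/reverse DNS comparison and is rejected, spawn commands are recognised but never run, and only IPv4 is handled. The rule sets at the bottom are constructed to mirror the page's examples.

```python
"""Simplified hosts.allow / hosts.deny matcher (added example, IPv4 only).

Not part of the page and not libwrap: re-implements the section-3 lookup order
and the section-4 rule language so rules can be tested offline. PARANOID is
rejected (needs DNS) and spawn commands are never executed.
"""
import ipaddress


def _tokens(field):
    """Split a daemon or client list on commas and whitespace."""
    return field.replace(",", " ").split()


def _match_list(tokens, match_one):
    """Evaluate a list with EXCEPT: 'a EXCEPT b EXCEPT c' is a EXCEPT (b EXCEPT c)."""
    upper = [t.upper() for t in tokens]
    if "EXCEPT" in upper:
        i = upper.index("EXCEPT")
        return _match_list(tokens[:i], match_one) and not _match_list(tokens[i + 1:], match_one)
    return any(match_one(t) for t in tokens)


def _match_client(pat, ip, host):
    """One client pattern against the client address and its resolved name (None = unresolvable)."""
    kw = pat.upper()
    if kw == "ALL":
        return True
    if kw == "KNOWN":
        return host is not None
    if kw == "UNKNOWN":
        return host is None
    if kw == "LOCAL":                    # a name without a dot
        return host is not None and "." not in host
    if kw == "PARANOID":
        raise ValueError("PARANOID needs a forward/reverse DNS check; not simulated")
    if "/" in pat:                       # network/mask; the classic syntax wants a dotted mask
        net, mask = pat.split("/", 1)
        if "." not in mask:
            raise ValueError(f"{pat}: write the mask in full, e.g. 172.16.0.0/255.255.0.0")
        return ipaddress.ip_address(ip) in ipaddress.ip_network(f"{net}/{mask}", strict=False)
    if pat.endswith("."):                # '172.16.' matches 172.16.0.0/255.255.0.0 by prefix
        return ip.startswith(pat)
    if pat.startswith("."):              # '.a.org' matches every host in a.org
        return host is not None and host.lower().endswith(pat.lower())
    return ip == pat or (host is not None and host.lower() == pat.lower())


def _match_daemon(pat, daemon, server_ip):
    """'vsftpd', 'ALL', or 'vsftpd@192.168.0.186' (service reached on one local address)."""
    name, _, srv = pat.partition("@")
    if name.upper() != "ALL" and name != daemon:
        return False
    return not srv or (server_ip is not None and _match_client(srv, server_ip, None))


def parse_rules(text):
    """Turn a hosts.allow/hosts.deny body into (daemons, clients, option keywords) triples."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        fields = [f.strip() for f in line.split(":")]
        if len(fields) < 2:
            raise ValueError(f"bad rule, need daemon_list : client_list: {line!r}")
        options = [f.split()[0].lower() for f in fields[2:] if f]   # keyword only, e.g. 'spawn'
        rules.append((_tokens(fields[0]), _tokens(fields[1]), options))
    return rules


def hosts_access(allow_text, deny_text, daemon, client_ip, client_host=None, server_ip=None):
    """True if accepted: first match in hosts.allow grants, first match in hosts.deny
    refuses, no match anywhere grants; an inline allow/deny option overrides the file."""
    for text, default in ((allow_text, True), (deny_text, False)):
        for daemons, clients, options in parse_rules(text):
            if (_match_list(daemons, lambda p: _match_daemon(p, daemon, server_ip))
                    and _match_list(clients, lambda p: _match_client(p, client_ip, client_host))):
                if "allow" in options:
                    return True
                if "deny" in options:
                    return False
                return default
    return True


# Constructed rule sets mirroring the page's examples.
ALLOW_43 = "vsftpd: 172.16.\n"                       # 4.3: only 172.16.0.0/16 may use vsftpd
DENY_43 = "vsftpd: ALL\n"
DENY_44 = "in.telnetd: ALL EXCEPT 172.16.0.1\n"       # 4.4: only one host may telnet in
DENY_45 = "in.telnetd: 172.16. : allow\nALL: ALL\n"   # 4.5: an allow rule inside hosts.deny
DENY_NESTED = "in.telnetd: ALL EXCEPT 172.16. EXCEPT 172.16.100.100\n"  # 4.5: nested EXCEPT

if __name__ == "__main__":
    for ip in ("172.16.1.7", "172.16.100.100", "10.0.0.1"):
        print(ip, hosts_access("", DENY_NESTED, "in.telnetd", ip))
```

Running it shows the nested-EXCEPT rule admitting 172.16.1.7 while refusing both 172.16.100.100 and 10.0.0.1, and the DENY_45 set shows why order matters: swap its two lines and the ALL: ALL rule matches first, so the allow rule is never reached.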