TCP Wrapper access control based on the tcpd process
TCP Wrapper is a mechanism that is simpler to set up than iptables for access control.
A few simple entries in the /etc/hosts.allow and /etc/hosts.deny files
are enough to implement certain access control policies.
There are two requirements for this access control: first, the service must accept TCP Wrapper
control (be linked against libwrap), and second, it must use the TCP protocol.
Check which library files the service depends on:
ldd $(which command) -- if the output lists the libwrap library, the service accepts TCP Wrapper control.
strings $(which command) -- if /etc/hosts.allow and /etc/hosts.deny appear in the output,
the binary is linked against libwrap and likewise accepts TCP Wrapper control.
Eg: [root@mail ~]# ldd $(which vsftpd) | grep libwrap
libwrap.so.0 => /lib/libwrap.so.0 (0x00110000)
First, you need to understand the hosts.allow and hosts.deny files. The rules are defined in these two files:
one holds deny rules, the other allow rules. The system searches both files for a matching entry
in the order hosts.allow --> hosts.deny, and the first match decides; if neither file contains a matching entry, access is allowed by default.
Both files use the same line format:
daemon_list: client_list [: options]
Eg: vsftpd: 192.168.1.100 // placed in hosts.deny, this denies the FTP service to host 192.168.1.100
Commonly used daemon_list formats:
A process name such as vsftpd, sshd or in.telnetd; multiple processes are separated by commas (,).
ALL
vsftpd@192.168.1.100 // the named process, but only when it is reached through the specified server address
The client_list can take the following forms:
IP: a single address
NETWORK, eg: 192.168.1.0/255.255.255.0 or 192.168.1. (a trailing dot matches the whole prefix)
HOSTNAME: an FQDN, eg: mail.luowe.com
.a.org (a leading dot matches every host in that domain)
MACRO:
ALL: every host
LOCAL: hosts whose name contains no dot
KNOWN: hosts whose name can be resolved
UNKNOWN: hosts whose name cannot be resolved
PARANOID: hosts whose name resolves but does not match their address
EXCEPT: excludes the hosts that follow it from the list before it
Options:
spawn: run a shell command when the rule matches (%a is the client address, %u the client user, %d the daemon name)
Example:
in.telnetd: ALL EXCEPT 172.16.100.1: spawn echo "Login attempt (`date`) %u from %a attempted to login, the daemon is %d" >> /var/log/telnet.log
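To make the lookup order and the client_list patterns described above concrete, here is an added example (not from the original article or from the tcpd sources) that evaluates constructed hosts.allow/hosts.deny contents the way tcpd does: hosts.allow first, then hosts.deny, first match wins, default allow. The sample rules, host names and addresses are assumptions made for the demonstration; KNOWN/UNKNOWN/PARANOID require DNS and are left out.

```python
import ipaddress

# Constructed sample files (not from the page), mirroring its examples.
HOSTS_ALLOW = """
sshd: 192.168.1.                              # trailing dot = network prefix
vsftpd: .example.org EXCEPT bad.example.org   # leading dot = domain suffix
"""
HOSTS_DENY = """
vsftpd: 192.168.1.100                         # the page's example rule
in.telnetd: ALL EXCEPT 172.16.100.1
"""

def _match_client(pattern, ip, host):
    """Match one client_list token against the client's address and name."""
    p = pattern.strip()
    if p == "ALL":
        return True
    if p == "LOCAL":                       # host name without a dot
        return bool(host) and "." not in host
    if p.startswith("."):                  # .a.org -> domain suffix
        return host.endswith(p)
    if p.endswith("."):                    # 192.168.1. -> address prefix
        return ip.startswith(p)
    if "/" in p:                           # 192.168.1.0/255.255.255.0
        return ipaddress.ip_address(ip) in ipaddress.ip_network(p, strict=False)
    return bool(p) and p in (ip, host)     # exact IP or FQDN

def _match_clients(spec, ip, host):
    """client_list with an optional 'EXCEPT' exclusion list."""
    included, _, excluded = spec.partition(" EXCEPT ")
    hit = any(_match_client(t, ip, host) for t in included.split(","))
    if hit and excluded:
        hit = not any(_match_client(t, ip, host) for t in excluded.split(","))
    return hit

def _match_daemon(spec, daemon, server_ip):
    """daemon_list: names, ALL, or daemon@server_address."""
    for token in spec.split(","):
        name, _, addr = token.strip().partition("@")
        if name in ("ALL", daemon) and (not addr or addr == server_ip):
            return True
    return False

def parse_rules(text):
    """Yield (daemon_list, client_list); options after the 2nd colon are ignored here."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            fields = line.split(":", 2)
            yield fields[0].strip(), fields[1].strip()

def decide(allow_text, deny_text, daemon, client_ip, client_host="", server_ip=""):
    """hosts.allow is searched first, then hosts.deny; first match wins, default allow."""
    for verdict, text in (("allow", allow_text), ("deny", deny_text)):
        for daemons, clients in parse_rules(text):
            if _match_daemon(daemons, daemon, server_ip) and _match_clients(clients, client_ip, client_host):
                return verdict
    return "allow"
```

Calling decide() with a service name and client address returns "allow" or "deny", so the same rule files can be checked against several clients before they are deployed.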
A little telnet background:
Telnet is a remote login service and is not a standalone daemon; it is managed by the super daemon xinetd.
Install the telnet service:
# yum install telnet-server
The default telnet settings live in /etc/xinetd.d/telnet. Edit the file and change the disable line:
# vim /etc/xinetd.d/telnet
disable = no
# service xinetd restart
By default telnet does not allow the root user to log in directly; log in as an ordinary user and then use su.
This article is from the "IT dream-Qi-sharing" blog