tcp_wrappers is a host-based access control tool for TCP/IP services, comparable in purpose to IP packet filtering with iptables, and Linux distributions install it by default. A Linux system therefore has two layers of firewall protection. The first layer is the IP filtering mechanism of iptables, which monitors traffic into the system and blocks many malicious attacks from the network before they can disturb normal operation. Traffic that passes the first layer then meets the second layer, tcp_wrappers, which can open or close, allow or deny, individual services offered by the system, and so protects its operation more precisely.
Using tcp_wrappers is simple: there are only two configuration files, /etc/hosts.allow and /etc/hosts.deny.
1. Check whether tcp_wrappers is installed
[root@localhost ~]# rpm -q tcp_wrappers
tcp_wrappers-7.6-40.7.el5
or
[root@localhost ~]# rpm -qa | grep tcp
tcpdump-3.9.4-15.el5
tcp_wrappers-7.6-40.7.el5
If you see output like this, the tcp_wrappers package is already installed. If you do not, it is probably not installed, and you can install the corresponding RPM package from the Linux installation media.
2. Rules for tcp_wrappers
The tcp_wrappers access control is implemented through two files, /etc/hosts.allow and /etc/hosts.deny.
Each line of these files has the format:
service list : host list : option
1. The service list names the daemons to control, for example telnetd, vsftpd and so on.
2. The host list sets the controlled clients. It can be a host name, a host IP address, a wildcard pattern (* or ?), or the keywords ALL and EXCEPT.
3. The option is the action to take. Once the service and the client have matched, the option determines what actually happens:
1) allow: accept the connection request. 2) deny: reject the connection request.
For example, to allow vsftpd logins only from 118.126.3.222:
(Note that the vsftpd configuration file vsftpd.conf must contain
tcp_wrappers=YES
so that access to the vsftpd server is controlled through the tcp_wrappers mechanism.)
Run vim /etc/hosts.allow and add the line
vsftpd: 118.126.3.222: allow
which means that vsftpd connections from 118.126.3.222 are allowed.
Run vim /etc/hosts.deny and add the line
vsftpd: ALL
which means that all other vsftpd connections are denied.
In general, Linux consults /etc/hosts.allow first. If the connecting host matches a rule in /etc/hosts.allow, /etc/hosts.deny is not consulted at all. If it matches no hosts.allow rule, /etc/hosts.deny is checked: a host that matches a hosts.deny rule is refused access to the Linux server, and a host that matches neither file is allowed access by default.
TCP Wrappers method of blocking IP address
1. Basic knowledge of TCP Wrapper
tcp_wrapper is a popular free software package on Solaris, HP-UX and Linux. It is designed as an intermediary between external service requests and the system services that answer them. Its most common use is together with inetd. When inetd receives a request from outside, it does not call the service directly; it calls the TCP wrapper (the executable tcpd), which decides, based on the requested service and the access control rules written for that service, whether the requester is permitted to use it. If so, tcpd hands the request on to the appropriate daemon according to the rules in the configuration files and then waits for the next request.
The main point of the TCP wrapper mechanism is that a client's request only ever communicates directly with a single daemon (inetd or xinetd), while the target service it asks for is wrapped by the TCP wrapper; this improves both the security of the system and the convenience of administering it. Having become a standard UNIX security tool, TCP wrapper acts as a plug-in for the UNIX daemon inetd: through it, administrators can monitor and filter each of the services that inetd provides in order to keep the system secure.
2. Obtaining, compiling and installing the TCP wrapper source code
Since it is already ubiquitous on Solaris, HP-UX and Linux but rarely used on Tru64, here is a detailed description for my machine's operating system version: Tru64 4.0F.
(1) Download source address: (annex 1)
(2) Unpack the archive
# gunzip tcp_wrappers_7.6.tar.gz
# tar xvf tcp_wrappers_7.6.tar
(3) Compile the source code
# make REAL_DAEMON_DIR=/usr/sbin hpux
The last argument is the platform target (hpux here); adjust it to your operating system. I used it instead of the DEC target. Then copy the resulting main files to the appropriate system directories:
# cp tcpd /usr/sbin
# cp safe_finger /usr/sbin
# cp tcpdchk /usr/sbin
# cp tcpdmatch /usr/sbin
# cp try-from /usr/sbin
# cp hosts_access.3 /usr/man/man3
# cp hosts_access.5 /usr/man/man5
# cp hosts_options.5 /usr/man/man5
# cp tcpd.8 /usr/man/man8
# cp tcpdchk.8 /usr/man/man8
# cp tcpdmatch.8 /usr/man/man8
# cp libwrap.a /usr/lib
# cp tcpd.h /usr/include
where:
(1) tcpd is the main access control daemon for all Internet services; when run from inetd or xinetd it takes the place of the individual service daemon.
(2) tcpdchk checks the tcpd wrapper configuration and reports errors.
(3) tcpdmatch predicts how the TCP wrapper would handle a specific request for a service.
(4) try-from can be run through a remote shell command to check whether host name and address lookups are correct.
(5) safe_finger is a wrapper around the finger tool that provides automatic reverse host name lookup.
3. How to put a service under control
As you know, inetd, also called the "super server", is a daemon that listens for network requests and starts the corresponding service process to handle each connection request. inetd.conf is the inetd configuration file: it tells inetd which network ports to listen on and which service to start for each port. To put telnet and ftp under tcpd's control, /etc/inetd.conf must be modified.
Before modification:
ftp stream tcp nowait root /usr/sbin/ftpd ftpd
telnet stream tcp nowait root /usr/sbin/telnetd telnetd
After modification:
ftp stream tcp nowait root /usr/sbin/tcpd ftpd
telnet stream tcp nowait root /usr/sbin/tcpd telnetd
Remember to restart the inetd process after you have finished editing:
# vi /etc/inetd.conf
# ps -ef | grep inetd
root 53872 1 0.0 10:37:52 ?? 0:00.00 /usr/sbin/inetd
root 53873 53872 0.0 10:37:52 ?? 0:00.01 -child (inetd)
root 54243 53896 0.3 11:04:58 pts/0 0:00.02 grep inetd
# kill 53872 53873
# /usr/sbin/inetd
4. Using TCP wrappers to restrict access
To configure TCP wrappers, you write the criteria for accepting or rejecting a connection in two files, /etc/hosts.allow and /etc/hosts.deny. The former defines which hosts are allowed access, and the latter specifies which connections should be refused. If a system appears in both files, hosts.allow takes precedence. If a system appears in neither file, TCP wrappers allows it to connect. In addition, for the most restrictive and safest TCP wrappers policy, put the line "ALL: ALL" in /etc/hosts.deny; this disables all incoming access handled by TCP wrappers. You can then open the ports of individual service programs to particular clients in /etc/hosts.allow.
The format of /etc/hosts.allow and /etc/hosts.deny is exactly the same; of course, the same entry has the opposite effect in the two files. The basic format of an entry is:
service-names: client-list [: shell-command]
Consider the following two files:
# vi /etc/hosts.deny
ALL: ALL
(Note: refuse all incoming access handled by TCP wrappers.)
# vi /etc/hosts.allow
telnetd: 10.65.69.157 10.65.70.
ftpd: 10.65.69. EXCEPT 10.65.69.1
(Note: the telnetd line tells TCP wrappers to accept telnet connections from the host 10.65.69.157 and from the 10.65.70 network segment.
The ftpd line tells TCP wrappers to accept FTP connections from every computer in the 10.65.69 network segment except 10.65.69.1; perhaps 10.65.69.1 is a router or another host that should not be an FTP client. Changes to these two files take effect immediately, without restarting the xinetd process.)
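As an added example that is not part of the original article, the following Python models the decision order described above (hosts.allow first, then hosts.deny, then default allow) for the pattern forms this page uses, so a rule set can be audited offline much as tcpdmatch does on a real host; the function names and the embedded rule text are mine, with the rule lines copied from the example above.

```python
# Added example, not from the original article: a small model of the
# hosts_access(5) decision order for auditing rules offline. It handles only
# the pattern forms used on this page (exact IPv4, trailing-dot network prefix,
# ALL, EXCEPT, allow/deny options); use tcpdmatch(8) for the full semantics.

def parse_rules(text):
    """Parse 'daemon_list : client_list [: option]' lines into tuples."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        fields = [f.strip() for f in line.split(":")]
        option = fields[2].lower() if len(fields) > 2 else None
        # a client list may carry an EXCEPT clause: "list1 EXCEPT list2"
        inc, _, exc = fields[1].partition(" EXCEPT ")
        rules.append((fields[0].split(), inc.split(), exc.split(), option))
    return rules

def match_pattern(pattern, value):
    if pattern == "ALL":
        return True
    if pattern.endswith("."):                    # "10.65.70." matches 10.65.70.x
        return value.startswith(pattern)
    return value == pattern

def match_list(patterns, value):
    return any(match_pattern(p, value) for p in patterns)

def rule_matches(rule, daemon, client):
    daemons, inc, exc, _ = rule
    return (match_list(daemons, daemon) and match_list(inc, client)
            and not match_list(exc, client))

def decide(allow_text, deny_text, daemon, client):
    """Return 'granted' or 'denied' for a (daemon, client IP) pair."""
    for rule in parse_rules(allow_text):
        if rule_matches(rule, daemon, client):   # first matching rule wins
            return "denied" if rule[3] == "deny" else "granted"
    for rule in parse_rules(deny_text):
        if rule_matches(rule, daemon, client):
            return "granted" if rule[3] == "allow" else "denied"
    return "granted"                             # nothing matched: default allow

# Constructed from the hosts.allow / hosts.deny lines shown above
HOSTS_ALLOW = "telnetd: 10.65.69.157 10.65.70.\nftpd: 10.65.69. EXCEPT 10.65.69.1\n"
HOSTS_DENY = "ALL: ALL\n"

if __name__ == "__main__":
    for d, c in [("telnetd", "10.65.70.9"), ("ftpd", "10.65.69.1"), ("ftpd", "10.65.69.42")]:
        print(d, c, decide(HOSTS_ALLOW, HOSTS_DENY, d, c))
```

Running it prints granted for telnetd from 10.65.70.9, denied for ftpd from the excepted router 10.65.69.1, and granted for ftpd from the rest of the 10.65.69 segment.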
5. Testing
Check that tcp_wrapper is working correctly with tcpdchk -v (output for my own settings):
# tcpdchk -v
Using network configuration file: /etc/inetd.conf
>>> Rule /etc/hosts.allow line 1:
daemons:  ftpd
clients:  10.1.20.76
access:   granted

>>> Rule /etc/hosts.allow line 2:
daemons:  telnetd
clients:  10.1.20.76 10.1.20.
access:   granted

>>> Rule /etc/hosts.deny line 1:
daemons:  telnetd
clients:  10.1.20.100
warning: /etc/hosts.deny, line 1: host address 135.129.24.100->name lookup failed
access:   denied

>>> Rule /etc/hosts.deny line 2:
daemons:  ftpd
clients:  10.1.20.100
warning: /etc/hosts.deny, line 2: host address 135.129.24.100->name lookup failed
access:   denied

>>> Rule /etc/hosts.deny line 3:
daemons:  all
clients:  all
access:   denied
6. Concluding remarks
Only a few simple TCP wrapper features have been described above. It offers many more, some of which allow very fine-grained control; users who need them should read the official documentation on the TCP wrappers control file format carefully in order to implement what they need and ensure the security of the system.