How Linux prevents access to specific IP addresses

Source: Internet
Author: User

Linux system, if you need to prohibit specific IP address access to ensure the security of the system, simply through the operation of Iptalbes to achieve, the following small set to introduce how Linux to prohibit an IP address access, interested friends can come to understand the next.


I. Overview

These two files are TCPD server configuration files, and TCPD servers can control the access of external IP to native services. The two configuration files are formatted as follows:

#服务进程名: Host list: Optional command action when rule matches

Server_name:hosts-list[:command]

/etc/hosts.allow control can access the IP address of this computer,/etc/hosts.deny control prohibit access to native IP. If two files have conflicting configurations, take/etc/hosts.deny.

/etc/hosts.allow and/etc/hosts.deny Two files are settings that control remote access by allowing or denying access to a service to Linux by a client of an IP or IP segment.

For example, SSH service, we are usually only open to administrators, then we can disable the unnecessary IP, and only open the IP segment that the administrator may use.

Second, the configuration

1. Modify/etc/hosts.allow File

#

# Hosts.allow This file describes the names of the hosts which are

# allowed to with the local INET services, as decided

# by the '/USR/SBIN/TCPD ' server.

#

Sshd:210.13.218.*:allow

Sshd:222.77.15.*:allow

all:218.24.129.110 #表示接受110这个ip的所有请求!

in.telnetd:140.116.44.0/255.255.255.0

in.telnetd:140.116.79.0/255.255.255.0

in.telnetd:140.116.141.99

In.telnetd:LOCAL

smbd:192.168.0.0/255.255.255.0 #允许192.168.0. IP Access SMBD services for network segments

#sendmail: 192.168.1.0/255.255.255.0

#pop3d: 192.168.1.0/255.255.255.0

#swat: 192.168.1.0/255.255.255.0

Pptpd:all EXCEPT 192.168.0.0/255.255.255.0

Httpd:all

Vsftpd:all

The above wording is to allow 210 and 2,222 IP segments to connect the SSHD service (this will necessarily need to hosts.deny this file with the use), of course: Allow can be omitted entirely.

All key words match all cases, except match in addition to some items, paranoid match the IP address you want to control and its domain name mismatch (domain name camouflage).

2. Modify/etc/hosts.deny File

#

# Hosts.deny This file describes the names of the hosts which are

# *not* allowed to with the local INET services, as decided

# by the '/USR/SBIN/TCPD ' server.

#

# The Portmap line is redundant, but it are left to remind

# The new secure Portmap uses Hosts.deny and Hosts.allow. In particular

# You should know that NFS uses portmap!

Sshd:all:deny

In.telnet:ALL

All:all EXCEPT 192.168.0.1/255.255.255.0,192.168.1.21,

202.10.5.0/255.255.255.0

Note: Sshd:all:deny indicates that all sshd remote connections have been rejected. : Deny can be omitted.

Related Article

E-Commerce Solutions

Leverage the same tools powering the Alibaba Ecosystem

Learn more >

Apsara Conference 2019

The Rise of Data Intelligence, September 25th - 27th, Hangzhou, China

Learn more >

Alibaba Cloud Free Trial

Learn and experience the power of Alibaba Cloud with a free trial worth $300-1200 USD

Learn more >

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.