How Linux prevents access to specific IP addresses

Source: Internet
Author: User

On a Linux system, when you need to prohibit specific IP addresses from accessing the host in order to keep it secure, this can be done with a few simple configuration edits (iptables is one option; the TCP wrappers files /etc/hosts.allow and /etc/hosts.deny shown below are another). The following explains how to prohibit an IP address from accessing a Linux host; interested readers can follow along.


I. Overview

The files /etc/hosts.allow and /etc/hosts.deny are the configuration files of the tcpd server (TCP wrappers), which controls access by external IP addresses to the services on the local host. Both files use the same line format:

# service process name : host list : optional command or action, run when the rule matches

server_name:hosts-list[:command]

/etc/hosts.allow controls which IP addresses may access this host; /etc/hosts.deny controls which IP addresses are prohibited from accessing it. If the two files contain conflicting configurations, /etc/hosts.deny is followed.

Together, /etc/hosts.allow and /etc/hosts.deny control remote access by allowing or denying a client IP address or IP range access to a given service on the Linux host.

For example, the SSH service is usually opened only to administrators, so we can block the IP addresses that do not need it and open only the IP range the administrators may use.

II. Configuration

1. Modify the /etc/hosts.allow file

#
# hosts.allow  This file describes the names of the hosts which are
#              allowed to use the local INET services, as decided
#              by the '/usr/sbin/tcpd' server.
#
sshd:210.13.218.*:allow
sshd:222.77.15.*:allow
ALL:218.24.129.110  # accept all requests from the single IP ending in .110
in.telnetd:140.116.44.0/255.255.255.0
in.telnetd:140.116.79.0/255.255.255.0
in.telnetd:140.116.141.99
in.telnetd:LOCAL
smbd:192.168.0.0/255.255.255.0  # allow the 192.168.0.* network segment to access the smbd service
#sendmail:192.168.1.0/255.255.255.0
#pop3d:192.168.1.0/255.255.255.0
#swat:192.168.1.0/255.255.255.0
pptpd:ALL EXCEPT 192.168.0.0/255.255.255.0
httpd:ALL
vsftpd:ALL

The first two lines above allow the 210.13.218.* and 222.77.15.* IP ranges to connect to the sshd service (this only takes effect together with the matching entry in hosts.deny). The trailing ":allow" can be omitted entirely.

The keyword ALL matches every case; EXCEPT excludes the items that follow it; PARANOID matches hosts whose IP address does not agree with their domain name (domain-name spoofing).

2. Modify the /etc/hosts.deny file

#
# hosts.deny   This file describes the names of the hosts which are
#              *not* allowed to use the local INET services, as decided
#              by the '/usr/sbin/tcpd' server.
#
# The portmap line is redundant, but it is left to remind you that
# the new secure portmap uses hosts.deny and hosts.allow. In particular
# you should know that NFS uses portmap!
sshd:ALL:deny
in.telnetd:ALL
ALL:ALL EXCEPT 192.168.0.1/255.255.255.0,192.168.1.21,202.10.5.0/255.255.255.0

Note: sshd:ALL:deny means that every remote sshd connection is rejected; the trailing ":deny" can be omitted.
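To make the rule syntax from the two files above concrete, here is an added example (not from the original article) that parses hosts.allow/hosts.deny text and decides whether a given daemon and client IP would be admitted. It evaluates in the order documented for tcpd in hosts_access(5): the first matching line in hosts.allow grants access, otherwise the first matching line in hosts.deny refuses it, and no match in either file grants access; the sample file contents are constructed from the article's entries, and the LOCAL/PARANOID patterns, which need reverse DNS, are treated as non-matching.

```python
import fnmatch
import ipaddress
import re

# Constructed sample files modelled on the article's entries (not read from a live system).
HOSTS_ALLOW = """
sshd: 210.13.218.* : allow
ALL: 218.24.129.110            # every service, for this single host
in.telnetd: 140.116.44.0/255.255.255.0
pptpd: ALL EXCEPT 192.168.0.0/255.255.255.0
"""
HOSTS_DENY = """
sshd: ALL : deny
ALL: ALL EXCEPT 192.168.0.0/255.255.255.0, 202.10.5.0/255.255.255.0
"""

def _client_matches(pattern, ip):
    """One client pattern: ALL, shell wildcard (210.13.218.*), net/mask, or exact address.
    LOCAL and PARANOID need reverse DNS, so a bare IP never matches them here."""
    if pattern.upper() == "ALL":
        return True
    if "/" in pattern:
        net, mask = pattern.split("/", 1)
        return ipaddress.ip_address(ip) in ipaddress.ip_network(f"{net}/{mask}", strict=False)
    if "*" in pattern or "?" in pattern:
        return fnmatch.fnmatch(ip, pattern)
    return pattern == ip

def _daemon_matches(pattern, daemon):
    return pattern.upper() == "ALL" or pattern == daemon

def _list_matches(expr, value, match_one):
    """'a b EXCEPT c': some item before EXCEPT matches and the part after it does not."""
    head, *rest = re.split(r"\s+EXCEPT\s+", expr, maxsplit=1, flags=re.IGNORECASE)
    if not any(match_one(p, value) for p in head.replace(",", " ").split()):
        return False
    return not rest or not _list_matches(rest[0], value, match_one)

def hosts_access(daemon, ip, allow_text=HOSTS_ALLOW, deny_text=HOSTS_DENY):
    """tcpd order: first match in hosts.allow wins, then hosts.deny; no match at all grants access.
    An explicit third field (allow/deny) overrides the file's default verdict."""
    for text, verdict in ((allow_text, True), (deny_text, False)):
        for raw in text.splitlines():
            line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
            fields = [f.strip() for f in line.split(":")] if line else []
            if len(fields) < 2:
                continue
            if _list_matches(fields[0], daemon, _daemon_matches) and _list_matches(fields[1], ip, _client_matches):
                action = fields[2].lower() if len(fields) > 2 else ""
                return {"allow": True, "deny": False}.get(action, verdict)
    return True
```

Because hosts.allow is consulted first, `pptpd` from an outside address is admitted by the `pptpd: ALL EXCEPT ...` line even though hosts.deny ends with `ALL: ALL EXCEPT ...`; an outright block therefore belongs in hosts.deny only when no hosts.allow line matches that client.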
