These two files are the configuration files of the tcpd server (TCP wrappers). tcpd controls access to local services according to the external IP address of the client. Both files use the following format:
# daemon process name : client host list : optional command run when the rule matches
daemon_name: hosts-list [: command]
/etc/hosts.allow controls which hosts are allowed to access the local machine, and /etc/hosts.deny controls which hosts are refused. If the two files conflict, /etc/hosts.deny takes precedence.
/etc/hosts.allow and /etc/hosts.deny are used to control remote access: they allow or deny a single IP address or an IP range access to a service on Linux.
For example, the SSH service is usually opened only to administrators, so we block the IP addresses that do not need it and open only the IP ranges the administrator may use.
1. Modify the /etc/hosts.allow file
#
# hosts.allow   This file describes the names of the hosts which are
#               allowed to use the local INET services, as decided
#               by the '/usr/sbin/tcpd' server.
#
sshd: 210.13.218.*: allow
sshd: 222.77.15.*: allow
# accept all requests from the host 218.24.129.110
ALL: 218.24.129.110
in.telnetd: 140.116.44.0/255.255.255.0
in.telnetd: 140.116.79.0/255.255.255.0
in.telnetd: 140.116.141.99
in.telnetd: LOCAL
# allow the 192.168.0.0/24 network segment to access the smbd service
smbd: 192.168.0.0/255.255.255.0
# sendmail: 192.168.1.0/255.255.255.0
# pop3d: 192.168.1.0/255.255.255.0
# swat: 192.168.1.0/255.255.255.0
pptpd: ALL EXCEPT 192.168.0.0/255.255.255.0
httpd: ALL
vsftpd: ALL
The configuration above allows the two IP ranges 210.13.218.* and 222.77.15.* to connect to the sshd service (this must be used together with the hosts.deny file). The trailing "allow" option can be omitted.
The ALL keyword matches every client. ALL EXCEPT matches everything except the listed items. PARANOID matches a client whose hostname does not agree with its IP address (a spoofed hostname).
2. Modify the /etc/hosts.deny file
#
# hosts.deny    This file describes the names of the hosts which are
#               *NOT* allowed to use the local INET services, as decided
#               by the '/usr/sbin/tcpd' server.
#
# The portmap line is redundant, but it is left to remind you that
# the new secure portmap uses hosts.deny and hosts.allow. In particular
# you should know that NFS uses portmap!
sshd: ALL: deny
in.telnetd: ALL
ALL: ALL EXCEPT 192.168.0.1/255.255.255.0, 192.168.1.21, \
    202.10.5.0/255.255.255.0
Note: "sshd: ALL: deny" means that all remote sshd connections are refused. The ": deny" option can be omitted.
3. Restart the service
Run
# service xinetd restart
for the change to take effect.
hosts.allow and hosts.deny
Both files live in the /etc directory.
hosts.deny is checked first, then hosts.allow;
the latter can open up what the former restricts.
For example:
1. Restrict all SSH access
unless it comes from 218.64.87.0 -- 127.
hosts.deny:
in.sshd: ALL
hosts.allow:
in.sshd: 218.64.87.0/255.255.255.128
2. Block telnet from 218.64.87.0 -- 127
hosts.deny:
in.sshd: 218.64.87.0/255.255.255.128
3. Restrict all TCP connections unless they come from 218.64.87.0 -- 127
hosts.deny:
ALL: ALL
hosts.allow:
ALL: 218.64.87.0/255.255.255.128
4. Block 218.64.87.0 -- 127 from all services
hosts.deny:
ALL: 218.64.87.0/255.255.255.128
The part before the colon is the name of the TCP daemon process,
as configured in /etc/inetd.conf, for example in.ftpd, in.telnetd, in.sshd.
The IP address range can be written in the following three ways:
1. network address/subnet mask:
218.64.87.0/255.255.255.0
2. network prefix (my own name for it, haha):
218.64. (matches every IP address starting with 218.64.)
3. shortened subnet mask: the number after the slash is the count of leading 1 bits in the mask:
218.64.87.0/255.255.255.0 equals 218.64.87.0/24
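As an added example (not part of the original post), here is a small Python simulator of the tcpd lookup for the rule syntax described above. It parses constructed hosts.allow/hosts.deny texts, supports ALL, ALL EXCEPT, trailing-dot prefixes, net/mask, net/prefix and `*` wildcards, and applies the order documented in hosts_access(5): a hosts.allow match grants access, otherwise a hosts.deny match refuses it, otherwise access is granted. The file contents and client addresses are constructed; LOCAL, KNOWN, PARANOID and hostname patterns are not modeled.

```python
import ipaddress
import re
from fnmatch import fnmatchcase

def client_matches(pattern, ip):
    """Match one client pattern from hosts.allow/hosts.deny against an IPv4 address."""
    p = pattern.strip()
    if p.upper() == "ALL":
        return True
    if p.endswith("."):                       # "218.64." matches every address starting 218.64.
        return ip.startswith(p)
    if "/" in p:                              # "net/255.255.255.128" or "net/25"
        net, mask = p.split("/", 1)
        if "." in mask:                       # dotted mask -> count of leading 1 bits
            mask = bin(int(ipaddress.IPv4Address(mask))).count("1")
        return ipaddress.IPv4Address(ip) in ipaddress.IPv4Network(f"{net}/{mask}", strict=False)
    if "*" in p or "?" in p:                  # shell-style wildcard, e.g. "210.13.218.*"
        return fnmatchcase(ip, p)
    return ip == p                            # plain address (or a daemon name)

def list_matches(item_list, value):
    """'a, b EXCEPT c': match on the left part and not on the part after EXCEPT."""
    head, *rest = re.split(r"\s+EXCEPT\s+", item_list.strip(), maxsplit=1, flags=re.I)
    hit = any(client_matches(tok, value) for tok in head.split(","))
    return hit and not (rest and list_matches(rest[0], value))

def file_matches(text, daemon, ip):
    """True if any rule in the file text matches the (daemon, client) pair."""
    for line in text.replace("\\\n", " ").splitlines():   # join backslash continuations
        line = line.split("#", 1)[0].strip()              # drop comments
        daemons, sep, rest = line.partition(":")          # sep is "" on blank lines
        clients = rest.split(":")[0]                      # ignore the optional option field
        if sep and list_matches(daemons, daemon) and list_matches(clients, ip):
            return True
    return False

def hosts_access(allow_text, deny_text, daemon, ip):
    """hosts_access(5) order: allow match grants, else deny match refuses, else grant."""
    if file_matches(allow_text, daemon, ip):
        return True
    return not file_matches(deny_text, daemon, ip)

# Constructed sample files in the syntax shown above (not real configuration).
HOSTS_ALLOW = """\
sshd: 210.13.218.*: allow
in.telnetd: 140.116.44.0/255.255.255.0
ALL: 218.64.87.0/255.255.255.128
"""
HOSTS_DENY = """\
sshd: ALL: deny
ALL: ALL EXCEPT 192.168.0.1/255.255.255.0, \\
    202.10.5.0/255.255.255.0
"""
```

Calling hosts_access(HOSTS_ALLOW, HOSTS_DENY, "sshd", "1.2.3.4") returns False while the same call for "210.13.218.5" returns True, which is the "deny all, allow a range" pattern the post builds.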