Linux Operations Phase III (12) TCP Wrapper

Source: Internet
Author: User
TCP Wrapper

TCP Wrapper is an access control tool that works at the TCP layer. It normally controls only applications that use the TCP protocol, and it is itself just a library file, libwrap.so (provided by glibc).

When a client request arrives for a service on this host, it reaches the local network card, then the kernel TCP/IP protocol stack; routing determines that the destination is this host, so the request is handed to the user-space service listening on the socket. The service's reply goes back through the kernel TCP/IP stack and is routed out through the network card to the client. With TCP Wrapper, an extra layer of access control is attached to this path: TCP Wrapper checks whether the requesting user is allowed access. If so, the request is passed on to the user-space service; if not, TCP Wrapper rejects it before it reaches the service. TCP Wrapper can therefore be understood as a checking and filtering mechanism sitting between a user request and the socket the service listens on: it intercepts requests for a particular service and decides, according to predefined rules, whether access to that service is allowed.

When an application is developed, the developer provides an interface in the program that calls the libwrap.so library; only then is the program subject to TCP Wrapper access control. Otherwise the program is not controlled by it.

# ldd `which sshd` | grep libwrap
(print shared library dependencies; to check whether a program is controlled by TCP Wrapper, look for the dynamic link library file libwrap.so.0)
libwrap.so.0 => /lib/libwrap.so.0 (0x00c7a000)

Note: when a program is compiled, some library files can be compiled directly into the program (static compilation, static linking), but this makes the program very large, so most applications are dynamically linked.

# ldd `which xinetd` | grep libwrap

# ldd `which portmap` | grep libwrap
(nothing is found, yet portmap is controlled by TCP Wrapper, because the libwrap.so library is statically compiled into the portmap program)
# strings $(which portmap) | grep hosts
/etc/hosts.allow, /etc/hosts.deny
(these two files are critical: TCP Wrapper uses them to define which hosts may access which services)

Check order: /etc/hosts.allow is checked first; if a rule matches, access is allowed. If nothing matches, /etc/hosts.deny is checked; if a rule matches there, access to the listed service is denied. If nothing matches in either file, access is allowed by default.

[Figure: Three 12hosts.jpg]

File syntax format:
daemon_list:client_list[:options]
daemon@host: client_list

daemon_list examples:
sshd:192.168.0.
(daemon_list is the name of the executable program, such as sshd, vsftpd, in.telnetd; `rpm -ql telnet-server` shows that the last one is /usr/sbin/in.telnetd)
ALL:192.168.0.
(ALL is a macro meaning all services under TCP Wrapper control)
vsftpd@192.168.0.11: 1.
(the vsftpd service on host 192.168.0.11; only hosts in the 1.0.0.0 network segment may access it)

client_list examples:
IP address
NETWORK ADDRESS (network/mask; note that the mask cannot be written in full-length form such as 1.0.0.0/255.0.0.0, only in short form, 1.0.0.0/8)
HOSTNAME (an FQDN, or .magedu.com; note that the leading dot must not be omitted, since it is what makes the pattern stand for the whole magedu.com domain)
Macros (ALL means all; LOCAL means hosts on the same network segment as this host; KNOWN means the hostname resolves correctly; UNKNOWN means the hostname cannot be resolved; PARANOID means forward and reverse resolution do not match)

# whatis hosts_access
# man 5 hosts_access
(lists the supported macros)
%c (client information, in the form user@host or user@address)
%s (server information, in the form daemon@host or daemon@address)
%h (client hostname)
%H (server hostname)
%p (the daemon's process ID)

Example: sshd allows access only from 172.16.0.0/16
# vim /etc/hosts.allow
sshd:172.16.
# vim /etc/hosts.deny
sshd:ALL

Example: the telnet service does not allow access from 172.16.0.0/16, but does allow 172.16.100.200; other clients are not controlled
Method one:
# vim /etc/hosts.allow
in.telnetd:172.16.100.200
# vim /etc/hosts.deny
in.telnetd:172.16.
Method two:
# vim /etc/hosts.deny
in.telnetd:172.16. EXCEPT 172.16.100.200
Method three:
# vim /etc/hosts.allow
in.telnetd:ALL EXCEPT 172.16. EXCEPT 172.16.100.200
# vim /etc/hosts.deny
in.telnetd:ALL

Example: client_list[:options]
# vim /etc/hosts.allow
in.telnetd:172.16. :DENY
(denies 172.16.0.0/16 access to telnet; :DENY can be written in the allow file, or :ALLOW in the deny file)
# vim /etc/hosts.allow
in.telnetd:172.16. :SPAWN echo "`date` Login attempt from %c to %s" >> /var/log/tcpwrapper.log
# vim /etc/hosts.deny
in.telnetd:ALL:SPAWN echo "`date` Login attempt from %h" >> /var/log/tcpwrapper.log

These notes were taken during Ma Yun-ge's course.

This article is from the "linux operation and maintenance of difficult learning notes" blog; reprinting is declined.
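The ldd and strings checks in the notes above decide whether a daemon is subject to hosts.allow/hosts.deny at all. The following shell function is an added example (not code from the notes) that performs both checks in one place: it reports "dynamic" when ldd lists libwrap.so, "static" when the binary carries the /etc/hosts.allow path inside it (the portmap case), and "none" otherwise. `grep -a` stands in for strings(1) so the check works without binutils; the three daemon names come from the notes, the fallback paths under /usr/sbin are assumed. Note that ldd can run parts of the dynamic loader on the file it inspects, so use this only on binaries you already trust.

```shell
#!/bin/sh
# Added example: classify how a binary is tied to TCP Wrapper.
#   dynamic : ldd lists libwrap.so                     (sshd in the notes)
#   static  : no libwrap.so in ldd, but the binary embeds "/etc/hosts.allow"
#             (portmap in the notes, libwrap linked in statically)
#   none    : neither, so hosts.allow / hosts.deny do not apply to it
#   missing : PATH is not an executable file

# tcpwrap_check PATH -> prints one of: dynamic | static | none | missing
tcpwrap_check() {
  bin=$1
  [ -f "$bin" ] && [ -x "$bin" ] || { echo missing; return 0; }
  if command -v ldd >/dev/null 2>&1 && ldd "$bin" 2>/dev/null | grep -q 'libwrap\.so'; then
    echo dynamic
  elif grep -a -q '/etc/hosts\.allow' "$bin" 2>/dev/null; then   # grep -a replaces strings(1)
    echo static
  else
    echo none
  fi
}

# tcpwrap_audit DIR -> one "<status> <path>" line per executable in DIR
tcpwrap_audit() {
  for f in "$1"/*; do
    [ -f "$f" ] && [ -x "$f" ] || continue
    printf '%-8s %s\n' "$(tcpwrap_check "$f")" "$f"
  done
}

# Check the three daemons named in the notes; the /usr/sbin fallback is an assumption
for name in sshd xinetd portmap; do
  path=$(command -v "$name" 2>/dev/null || echo "/usr/sbin/$name")
  printf '%-8s %s (%s)\n' "$(tcpwrap_check "$path")" "$name" "$path"
done
```

Run `tcpwrap_audit /usr/sbin` to list every daemon binary on the host with its status; anything reported as "none" is not protected by the rule files, so rules written for it in hosts.allow or hosts.deny have no effect.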
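To make the lookup order and the sshd and telnet rule sets above concrete, here is an added shell example that is not part of the original notes and is not libwrap itself: a small emulator of the hosts.allow / hosts.deny decision that understands only the pattern forms used in the notes (ALL, dotted prefixes such as 172.16., leading-dot domains such as .magedu.com, exact values, "a EXCEPT b [EXCEPT c]" nesting to the right as hosts_access(5) specifies, and the :DENY / :ALLOW options). It writes the rule files into a temporary directory instead of /etc, recognises but never executes spawn options, and shows that the three telnet methods give the same decision for the clients 172.16.100.200, 172.16.5.5 and 10.0.0.1 (the last two are constructed).

```shell
#!/bin/sh
# Added example: emulator of the hosts.allow / hosts.deny lookup order from the
# notes. NOT libwrap. Supports only: ALL, dotted prefix "172.16.", leading-dot
# domain ".magedu.com", exact values, "a EXCEPT b [EXCEPT c]" (right-nested),
# and the DENY / ALLOW options. Other options (e.g. spawn) are ignored, not run.

trim() { printf '%s' "$1" | sed 's/^[[:space:]]*//;s/[[:space:]]*$//'; }

# match_pat VALUE PATTERN -> exit 0 if VALUE matches PATTERN
match_pat() {
  val=$1 pat=$2
  case $pat in
    *" EXCEPT "*)
      left=${pat%% EXCEPT *} rest=${pat#* EXCEPT }
      match_pat "$val" "$left" || return 1   # must match the list before EXCEPT ...
      match_pat "$val" "$rest" && return 1   # ... and not the exception list
      return 0 ;;
    ALL) return 0 ;;
    *.)  case $val in "$pat"*) return 0 ;; esac ;;   # network prefix
    .*)  case $val in *"$pat") return 0 ;; esac ;;   # domain suffix
    *)   [ "$val" = "$pat" ] && return 0 ;;
  esac
  return 1
}

# scan_file FILE DAEMON CLIENT DEFAULT -> prints allow|deny for the first rule
# matching DAEMON and CLIENT, nothing if no rule matches (or FILE is absent)
scan_file() {
  file=$1 daemon=$2 client=$3 dflt=$4
  [ -f "$file" ] || return 0
  while IFS= read -r line || [ -n "$line" ]; do
    case $line in ''|\#*) continue ;; esac
    dl=$(trim "$(printf '%s' "$line" | cut -d: -f1)")
    cl=$(trim "$(printf '%s' "$line" | cut -d: -f2)")
    opt=$(trim "$(printf '%s' "$line" | cut -d: -f3)" | tr '[:lower:]' '[:upper:]')
    match_pat "$daemon" "$dl" || continue
    match_pat "$client" "$cl" || continue
    case $opt in DENY) echo deny ;; ALLOW) echo allow ;; *) echo "$dflt" ;; esac
    return 0
  done < "$file"
  return 0
}

# hosts_access DAEMON CLIENT ALLOW_FILE DENY_FILE -> prints allow|deny using the
# order from the notes: hosts.allow first, then hosts.deny, otherwise allow
hosts_access() {
  r=$(scan_file "$3" "$1" "$2" allow)
  [ -n "$r" ] && { echo "$r"; return 0; }
  r=$(scan_file "$4" "$1" "$2" deny)
  [ -n "$r" ] && { echo "$r"; return 0; }
  echo allow
}

# decide ALLOW_RULES DENY_RULES DAEMON CLIENT -> allow|deny
# ALLOW_RULES / DENY_RULES are literal file contents, written to a temp dir
decide() {
  d=$(mktemp -d) || return 1
  printf '%s\n' "$1" > "$d/hosts.allow"
  printf '%s\n' "$2" > "$d/hosts.deny"
  hosts_access "$3" "$4" "$d/hosts.allow" "$d/hosts.deny"
  rm -rf "$d"
}

# The telnet rule sets from the notes (constructed inline as file contents)
M1_ALLOW='in.telnetd:172.16.100.200'; M1_DENY='in.telnetd:172.16.'
M2_ALLOW='';                          M2_DENY='in.telnetd:172.16. EXCEPT 172.16.100.200'
M3_ALLOW='in.telnetd:ALL EXCEPT 172.16. EXCEPT 172.16.100.200'; M3_DENY='in.telnetd:ALL'
OPT_ALLOW='in.telnetd:172.16. :DENY'; OPT_DENY=''

for c in 172.16.100.200 172.16.5.5 10.0.0.1; do   # 172.16.5.5 and 10.0.0.1 are constructed
  printf '%-15s m1=%s m2=%s m3=%s opt=%s\n' "$c" \
    "$(decide "$M1_ALLOW" "$M1_DENY" in.telnetd "$c")" \
    "$(decide "$M2_ALLOW" "$M2_DENY" in.telnetd "$c")" \
    "$(decide "$M3_ALLOW" "$M3_DENY" in.telnetd "$c")" \
    "$(decide "$OPT_ALLOW" "$OPT_DENY" in.telnetd "$c")"
done
```

The `:DENY` variant denies the whole 172.16.0.0/16 block, including 172.16.100.200, exactly as the notes describe; the three method columns agree with each other. Because the emulator only implements the subset used here, treat the real `man 5 hosts_access` as authoritative for anything else (netmasks, user lookups, the LOCAL / KNOWN / PARANOID macros).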
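The spawn rules at the end of the notes append one line per connection attempt to /var/log/tcpwrapper.log. As an added example (not from the notes), here is a short shell/awk summary of such a log that counts attempts per client and lists the clients above a threshold, the kind of check an operator runs when reviewing that file. The log lines are constructed here in the two formats the spawn rules produce ("Login attempt from %c to %s" from the allow rule, "Login attempt from %h" from the deny rule); the timestamps and addresses are made up.

```shell
#!/bin/sh
# Added example: summarise the log written by the spawn rules in the notes.
# Lines look like (constructed sample data, not a real log):
#   <date> Login attempt from <%c> to <%s>   (hosts.allow rule)
#   <date> Login attempt from <%h>           (hosts.deny rule)

# sample_log_file -> writes constructed sample lines to a temp file, prints its path
sample_log_file() {
  f=$(mktemp) || return 1
  cat > "$f" <<'EOF'
Thu Oct 29 10:00:01 CST 2015 Login attempt from 172.16.5.5 to in.telnetd@172.16.0.1
Thu Oct 29 10:00:03 CST 2015 Login attempt from 172.16.5.5 to in.telnetd@172.16.0.1
Thu Oct 29 10:00:07 CST 2015 Login attempt from 172.16.100.200 to in.telnetd@172.16.0.1
Thu Oct 29 10:00:09 CST 2015 Login attempt from 172.16.5.5 to in.telnetd@172.16.0.1
Thu Oct 29 10:01:12 CST 2015 Login attempt from 10.0.0.9
EOF
  echo "$f"
}

# attempts_by_client LOGFILE -> "count client" lines, most frequent first;
# the client is whatever token follows "from", which covers both line formats
attempts_by_client() {
  awk '/Login attempt from/ {
         for (i = 1; i <= NF; i++) if ($i == "from") n[$(i+1)]++
       }
       END { for (c in n) print n[c], c }' "$1" | sort -rn
}

# noisy_clients LOGFILE THRESHOLD -> clients with more than THRESHOLD attempts
noisy_clients() {
  attempts_by_client "$1" | awk -v t="$2" '$1 > t { print $2 }'
}

log=$(sample_log_file)
echo "attempts per client:";      attempts_by_client "$log"
echo "clients above 2 attempts:"; noisy_clients "$log" 2
rm -f "$log"
```

On a real host replace the sample file with /var/log/tcpwrapper.log. Because the deny rule logs only %h, a client that cannot be resolved shows up as an address while a resolvable one shows up as a name, so the counts are per logged token rather than per machine.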
