tcp_wrapper: TCP Wrappers, free software written by Wietse Venema, provides host-based access control for Unix/Linux servers: it lets the system administrator log and control access to TCP-based services (daemons) that are built with libwrap support.
tcp_wrappers complements rather than replaces NetFilter: tcp_wrappers works at the application layer (the check runs inside the daemon, after the connection has been accepted), while NetFilter works at the network layer.
Library file: libwrap.so
Configuration files: /etc/hosts.allow, /etc/hosts.deny
How to determine whether a service is subject to tcp_wrapper control:
1) Dynamically linked programs: use the ldd command and look for libwrap in the output;
ldd $(which COMMAND) | grep libwrap
2) Statically linked programs: run the strings command on the executable and check whether hosts.allow and hosts.deny appear in the output (the paths are compiled into libwrap).
A libwrap-aware service makes the access decision as follows:
First check whether /etc/hosts.allow explicitly grants access to the current requestor;
Yes: grant the client access directly;
No: then check whether /etc/hosts.deny explicitly denies access to the current requestor;
Yes: deny the current requestor access directly;
No: allow the requestor access. The first matching line in either file wins, and the default when neither file matches is to allow, so a default-deny policy needs a final ALL : ALL line in /etc/hosts.deny.
Configuration file syntax (same for both files):
daemon_list : client_list [: options]
daemon_list:
1) The executable file name of a single daemon (e.g. sshd), not the service name from /etc/services;
2) A comma-delimited list of daemon file names;
Example: sshd,vsftpd
3) ALL: any program under tcp_wrapper control;
client_list:
IP address;
Host name;
Network address: must be written with a full dotted netmask (e.g. 192.168.19.0/255.255.255.0); a prefix-length mask (e.g. /24) is not accepted by this syntax;
Short-format network address: a prefix ending in a dot, e.g. 172.16. means 172.16.0.0/255.255.0.0;
ALL: all hosts;
KNOWN: hosts whose name can be resolved;
UNKNOWN: hosts whose name cannot be resolved;
PARANOID: hosts whose forward (name to address) and reverse (address to name) lookups do not agree;
EXCEPT: exclude the list that follows from the list before it (e.g. 192.168.19.0/255.255.255.0 EXCEPT 192.168.19.130).
Options:
deny: reject the connection; mainly used in hosts.allow to carve exceptions out of an allow line;
allow: accept the connection; mainly used in hosts.deny;
spawn: run the specified command (via the shell) when the line matches, e.g. to log the attempt:
vsftpd : ALL : spawn /bin/echo $(date) login attempt from %c to %s, %d >> /var/log/vsftpd.deny.log
%c : client information (user@host, user@address, a host name, or just the address; %a is the bare client address)
%s : server information (daemon@host or daemon@address)
%d : daemon name
Example: vsftpd is open only to hosts in 192.168.19.0/255.255.255.0;
sshd is open only to hosts in 192.168.19.0/255.255.255.0, but not to 192.168.19.130;
all denied access attempts are recorded in /var/log/service.deny.log.
1) Contents of the /etc/hosts.allow file:
2) Contents of the /etc/hosts.deny file:
3) Testing:
First test from the host with IP address 192.168.19.134;
then test again from the host 192.168.19.130;
4) View the log.
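The decision procedure described earlier (hosts.allow first, then hosts.deny, then the implicit allow) is easy to get wrong in the head, so here is an added example, not code from the note or from tcp_wrappers itself, that models libwrap's decision for the vsftpd/sshd policy above. The two policy strings are constructed to match the note's scenario; host names, KNOWN, UNKNOWN and PARANOID need DNS and are treated as non-matching, so only IPv4 literals, net/mask pairs, short-form networks, ALL and EXCEPT are evaluated. A second, hardened hosts.deny with a final ALL : ALL line shows the difference between the note's deny file and a default-deny policy.

```python
"""Model of the access decision libwrap makes from /etc/hosts.allow and /etc/hosts.deny.
Added example; not the note's code and not tcp_wrappers source. Policies are constructed."""
import ipaddress

# Constructed hosts.allow: the policy the note describes.
HOSTS_ALLOW = """\
vsftpd : 192.168.19.0/255.255.255.0
sshd   : 192.168.19.0/255.255.255.0 EXCEPT 192.168.19.130
"""

# Constructed hosts.deny as the note sets it up: only the two listed daemons are denied.
HOSTS_DENY = """\
vsftpd, sshd : ALL : spawn /bin/echo "$(date) login attempt from %c to %s, %d" >> /var/log/service.deny.log
"""

# Hardened hosts.deny: a final ALL : ALL line turns libwrap's default-allow into default-deny.
HOSTS_DENY_HARDENED = HOSTS_DENY + "ALL : ALL\n"


def split_list(field):
    """Split a daemon_list or client_list into (patterns, except_patterns)."""
    tokens = field.replace(",", " ").split()
    for i, tok in enumerate(tokens):
        if tok.upper() == "EXCEPT":
            return tokens[:i], tokens[i + 1:]
    return tokens, []


def parse_rules(text):
    """Parse 'daemon_list : client_list [: option ...]' lines; '#' starts a comment."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = [f.strip() for f in line.split(":")]
        if len(fields) < 2:
            raise ValueError("bad rule: %r" % raw)
        rules.append((split_list(fields[0]), split_list(fields[1]), fields[2:], line))
    return rules


def client_matches(pattern, addr):
    """Match one client_list token against an IPv4 address string (no DNS)."""
    ip = ipaddress.IPv4Address(addr)
    if pattern.upper() == "ALL":
        return True
    if "/" in pattern:                 # net/mask; ipaddress accepts a dotted mask or a prefix length
        net, mask = pattern.split("/", 1)
        return ip in ipaddress.IPv4Network((net, mask), strict=False)
    if pattern.endswith("."):          # short form: '172.16.' means 172.16.0.0/255.255.0.0
        return addr.startswith(pattern)
    try:
        return ip == ipaddress.IPv4Address(pattern)
    except ValueError:                 # host name / KNOWN / UNKNOWN / PARANOID: needs DNS, skipped here
        return False


def daemon_matches(pattern, daemon):
    """daemon_list tokens are ALL or the daemon's executable name."""
    return pattern.upper() == "ALL" or pattern == daemon


def list_matches(parsed, value, match):
    patterns, excepts = parsed
    return any(match(p, value) for p in patterns) and not any(match(p, value) for p in excepts)


def hosts_access(daemon, client, allow_text=HOSTS_ALLOW, deny_text=HOSTS_DENY):
    """Return (verdict, reason): first match in hosts.allow, then hosts.deny, else allow."""
    for text, file_verdict in ((allow_text, "allow"), (deny_text, "deny")):
        for daemons, clients, options, line in parse_rules(text):
            if list_matches(daemons, daemon, daemon_matches) and list_matches(clients, client, client_matches):
                verdict = file_verdict
                for opt in options:        # a 'deny' option in hosts.allow or 'allow' in hosts.deny flips the verdict
                    words = opt.split()
                    if words and words[0].lower() in ("allow", "deny"):
                        verdict = words[0].lower()
                return verdict, line
    return "allow", "no rule matched (libwrap default is allow)"


if __name__ == "__main__":
    for daemon, client in [("vsftpd", "192.168.19.134"), ("sshd", "192.168.19.134"),
                           ("sshd", "192.168.19.130"), ("sshd", "10.0.0.1"), ("telnetd", "10.0.0.1")]:
        print(daemon, client, "note's deny file:", hosts_access(daemon, client)[0],
              "| hardened deny file:", hosts_access(daemon, client, deny_text=HOSTS_DENY_HARDENED)[0])
```

The last pair (a daemon not named in either file) is the one to notice: with the note's hosts.deny it is allowed because nothing matched, and only the hardened file with ALL : ALL denies it.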
Linux self-study note--tcp Wrapper