I. Overview
These two files are the configuration files of the TCPD server (tcp_wrappers), which controls access from external IP addresses to local services. Both files use the following format:
# service process name : host list [: optional command to run when the rule matches]
service_name:hosts-list[:command]
/etc/hosts.allow controls which IP addresses may access this host; /etc/hosts.deny controls which IP addresses are denied access to it. If the two files contain conflicting rules, /etc/hosts.deny is taken as authoritative.
Together, /etc/hosts.allow and /etc/hosts.deny control remote access by allowing or denying a given service on the Linux host to clients from a specific IP address or IP range.
For example, the SSH service is usually opened only to administrators, so we can deny all unneeded addresses and open only the IP range the administrators may connect from.
II. Configuration
1. Modify the /etc/hosts.allow file
#
# hosts.allow   This file describes the names of the hosts which are
#               allowed to use the local INET services, as decided
#               by the '/usr/sbin/tcpd' server.
#
sshd:210.13.218.*:allow
sshd:222.77.15.*:allow
# accept all requests from the address 218.24.129.110
ALL:218.24.129.110
in.telnetd:140.116.44.0/255.255.255.0
in.telnetd:140.116.79.0/255.255.255.0
in.telnetd:140.116.141.99
in.telnetd:LOCAL
# allow the 192.168.0.0/24 network to access the smbd service
smbd:192.168.0.0/255.255.255.0
#sendmail:192.168.1.0/255.255.255.0
#pop3d:192.168.1.0/255.255.255.0
#swat:192.168.1.0/255.255.255.0
pptpd:ALL EXCEPT 192.168.0.0/255.255.255.0
httpd:ALL
vsftpd:ALL
The lines above allow the 210.13.218.* and 222.77.15.* ranges to connect to the sshd service (this only has an effect when used together with the hosts.deny file below); the trailing :allow can be omitted entirely.
The keyword ALL matches every case; EXCEPT excludes some items from a match; PARANOID matches hosts whose IP address does not match their host name (domain name spoofing).
2. Modify the /etc/hosts.deny file
#
# hosts.deny    This file describes the names of the hosts which are
#               *not* allowed to use the local INET services, as decided
#               by the '/usr/sbin/tcpd' server.
#
# The portmap line is redundant, but it is left to remind you that
# the new secure portmap uses hosts.deny and hosts.allow.  In particular
# you should know that NFS uses portmap!
sshd:ALL:deny
in.telnetd:ALL
# a net/mask pair must name the network address (192.168.0.0, not .1), and a
# trailing backslash continues the rule on the next line
ALL:ALL EXCEPT 192.168.0.0/255.255.255.0, 192.168.1.21, \
    202.10.5.0/255.255.255.0
Note: sshd:ALL:deny means that all remote sshd connections are refused; the :deny can be omitted.
3. Restart the service
Note: after making the changes, run
# service xinetd restart
for them to take effect.
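As an added example (not code from the original post), the following Python re-implements the evaluation order that hosts_access(5) documents, so the two files above can be checked offline: the first match in hosts.allow grants access, otherwise the first match in hosts.deny refuses it, otherwise access is granted. The sample files are constructed from the rules above, written with the trailing-dot prefix form from the man page, and the net/mask check shows why the net part must be the network address itself.

```python
import ipaddress

# Constructed sample files modelled on the hosts.allow / hosts.deny shown above.
HOSTS_ALLOW = """
sshd : 210.13.218. , 222.77.15. : allow
smbd : 192.168.0.0/255.255.255.0
pptpd : ALL EXCEPT 192.168.0.0/255.255.255.0
httpd vsftpd : ALL
"""
HOSTS_DENY = """
sshd : ALL : deny
ALL : ALL EXCEPT 192.168.0.0/255.255.255.0, 192.168.1.21, \\
      202.10.5.0/255.255.255.0
"""

def rules(text):
    """Yield (daemon_list, client_list) per rule: '#' and blank lines are skipped, a
    backslash-newline continues a line, the optional command field is ignored."""
    for line in text.replace("\\\n", " ").splitlines():
        if line.strip() and not line.lstrip().startswith("#"):
            fields = [f.strip() for f in line.split(":")]
            yield fields[0], fields[1]

def pattern_matches(pattern, value):
    if "/" in pattern:                      # net/mask: matches when (addr & mask) == net,
        net, mask = pattern.split("/")      # so 'net' must be the network address itself
        a, n, m = (int(ipaddress.IPv4Address(x)) for x in (value, net, mask))
        return (a & m) == n
    if pattern.endswith("."):               # prefix form, e.g. "210.13.218."
        return value.startswith(pattern)
    return pattern == "ALL" or pattern == value   # wildcard, or exact name/address

def list_matches(lst, value):
    """'A B EXCEPT C D' matches when A or B matches and neither C nor D does; a
    second EXCEPT binds to the right, as in hosts_access(5)."""
    items = lst.replace(",", " ").split()
    if "EXCEPT" in items:
        i = items.index("EXCEPT")
        return (list_matches(" ".join(items[:i]), value)
                and not list_matches(" ".join(items[i + 1:]), value))
    return any(pattern_matches(p, value) for p in items)

def hosts_access(daemon, addr, allow=HOSTS_ALLOW, deny=HOSTS_DENY):
    """hosts_access(5) order: a hosts.allow match grants, otherwise a hosts.deny
    match refuses, otherwise access is granted."""
    for text, verdict in ((allow, True), (deny, False)):
        for daemons, clients in rules(text):
            if list_matches(daemons, daemon) and list_matches(clients, addr):
                return verdict
    return True
```

With these files, hosts_access("sshd", "210.13.218.5") is granted while hosts_access("sshd", "203.0.113.9") is refused by the sshd:ALL line in hosts.deny.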
Requirement: use hosts.deny to restrict user logins via SSH.
Add to /etc/hosts.deny:
sshd:ALL
Add to /etc/hosts.allow:
sshd:ALL
# refuse all IPs connecting to the ssh service
I tried connecting to this server from another server, but found that the connection still worked normally.
I kept looking into the problem and learned online that /etc/hosts.allow and /etc/hosts.deny only work for services that use tcp_wrappers. If the service was compiled from source, check whether libwrap.so was found at compile time.
On the machine where the restriction takes effect, run the following command:
[root@zt ~]# ldd /usr/sbin/sshd | grep libwrap.so
libwrap.so.0 => /lib64/libwrap.so.0 (0x00002ba28edcc000)
On the machine where it has no effect, libwrap.so is not found.
On the machine where it takes effect, run:
rpm -qf /lib64/libwrap.so.0, which gives:
tcp_wrappers-7.6-40.7.el5
On the machine where it has no effect:
yum install -y tcp_wrappers
After installing, ldd /usr/sbin/sshd | grep libwrap.so still shows nothing.
On the machine where it has no effect, continue:
yum list | grep openssh gives:
openssh.x86_64 5.3p2-24.el5 Installed
openssh-clients.x86_64 5.3p2-24.el5 Installed
openssh-server.x86_64 5.3p2-24.el5 Installed
openssh.x86_64 5.3p2-41.el5_5.1 Updates
openssh-askpass.x86_64 5.3p2-41.el5_5.1 Updates
openssh-clients.x86_64 5.3p2-41.el5_5.1 Updates
openssh-server.x86_64 5.3p2-41.el5_5.1 Updates
So run:
yum update -y openssh
Run again:
ldd /usr/sbin/sshd | grep libwrap.so
Now there is output.
Connecting to this server from another server now reports the following error:
ssh_exchange_identification: Connection closed by remote host
Another common approach is to use iptables to restrict which IP addresses may access the host.
Allow only one specified IP to access the server:
vi /etc/sysconfig/iptables
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -s 165.232.121.17 -j ACCEPT
-A INPUT -j DROP
COMMIT
If the firewall was previously set to stay permanently disabled, you need to undo that:
chkconfig --list   (lists the services started at boot; find the name of the service you want to turn off)
chkconfig --level 235 <service name> off   ("turns the boot-time service off at levels 3 and 5")
The system runs at one of run levels 0-6, which are defined in /etc/inittab:
Level 0: shutdown
Level 1: single-user mode
Level 2: multi-user command-line mode without network connection
Level 3: multi-user command-line mode with network connection
Level 4: not used
Level 5: multi-user mode with graphical interface
Level 6: reboot
2011/10/26
================ The following is excerpted ====================
When the server is under attack and there is no other way to stop it, here is a brief introduction to blocking access from specified IP addresses.
The command for a single IP is:
iptables -I INPUT -s 59.151.119.180 -j DROP
The command for an IP range is:
iptables -I INPUT -s 211.1.0.0/16 -j DROP
iptables -I INPUT -s 211.2.0.0/16 -j DROP
iptables -I INPUT -s 211.3.0.0/16 -j DROP
The command for the whole block is:
iptables -I INPUT -s 211.0.0.0/8 -j DROP
The command to block a few smaller ranges is:
iptables -I INPUT -s 61.37.80.0/24 -j DROP
iptables -I INPUT -s 61.37.81.0/24 -j DROP
Applying the rules automatically at server startup
There are three methods:
1. Add the commands to /etc/rc.local.
2. vi /etc/sysconfig/iptables: put your current iptables rules into /etc/sysconfig/iptables, and the iptables service applies them automatically when the system starts.
3. service iptables save also writes your current iptables rules to /etc/sysconfig/iptables, so the iptables service applies them automatically when the system starts.
The latter two are better: the iptables service generally starts before the network service, which is safer.
To unblock an address:
iptables -L INPUT
iptables -L --line-numbers, then iptables -D INPUT <rule number>
Restricting IP access with iptables
Restrict access to port 9889 with iptables so that only 192.168.1.201, 192.168.1.202 and 192.168.1.203 may connect, and no other IP can:
iptables -I INPUT -p tcp --dport 9889 -j DROP
iptables -I INPUT -s 192.168.1.201 -p tcp --dport 9889 -j ACCEPT
iptables -I INPUT -s 192.168.1.202 -p tcp --dport 9889 -j ACCEPT
iptables -I INPUT -s 192.168.1.203 -p tcp --dport 9889 -j ACCEPT
Note that the order of the commands cannot be reversed: -I inserts each rule at the top of the chain, so the DROP rule must be added first for the three ACCEPT rules to end up in front of it.
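As an added example (not code from the original post), the following Python models the INPUT chain as iptables evaluates it, first matching rule wins and the chain policy otherwise, and replays the four -I commands above in both orders to show why the DROP has to be inserted first; it also renders the resulting chain in the /etc/sysconfig/iptables layout used earlier on this page. Rule and InputChain are hypothetical helper names; only -s (address or CIDR), tcp --dport and -j are modelled.

```python
import ipaddress

class Rule:
    """One INPUT rule: -s source (address or CIDR), optional tcp --dport, -j target."""
    def __init__(self, target, src=None, dport=None):
        self.target, self.src, self.dport = target, src, dport

    def matches(self, src, dport):
        src_ok = self.src is None or \
            ipaddress.ip_address(src) in ipaddress.ip_network(self.src, strict=False)
        return src_ok and (self.dport is None or self.dport == dport)

    def save_line(self):
        parts = ["-A INPUT"] + ([f"-s {self.src}"] if self.src else [])
        if self.dport is not None:
            parts.append(f"-p tcp --dport {self.dport}")
        return " ".join(parts + [f"-j {self.target}"])

class InputChain:
    def __init__(self, policy="ACCEPT"):
        self.policy, self.rules = policy, []

    def insert(self, rule):         # iptables -I INPUT: insert at the top of the chain
        self.rules.insert(0, rule)

    def append(self, rule):         # iptables -A INPUT: append at the end
        self.rules.append(rule)

    def verdict(self, src, dport):  # first matching rule decides, else the chain policy
        for rule in self.rules:
            if rule.matches(src, dport):
                return rule.target
        return self.policy

    def save(self):                 # /etc/sysconfig/iptables (iptables-save) layout
        head = ["*filter", f":INPUT {self.policy} [0:0]",
                ":FORWARD ACCEPT [0:0]", ":OUTPUT ACCEPT [0:0]"]
        return "\n".join(head + [r.save_line() for r in self.rules] + ["COMMIT"])

def port_9889_chain(reversed_order=False):
    """Replay the four -I commands from the page. Because -I inserts at the top,
    the DROP must be issued first so the ACCEPT rules end up above it."""
    cmds = [Rule("DROP", dport=9889)]
    cmds += [Rule("ACCEPT", src=f"192.168.1.{h}", dport=9889) for h in (201, 202, 203)]
    if reversed_order:
        cmds.reverse()
    chain = InputChain()
    for rule in cmds:
        chain.insert(rule)
    return chain
```

In the page's order, port_9889_chain().verdict("192.168.1.201", 9889) is "ACCEPT" and any other source is dropped; with reversed_order=True the DROP sits on top and even the three listed hosts get "DROP".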