Tcp_wrappers Introduction
Tcp_wrappers Full Name: Transmission Control Protocol (TCP) Wrappers
TCP Wrappers is a host-based network access control list (ACL) system for filtering network access to services on UNIX-like systems such as Linux or BSD.
It uses the client's host or subnet IP address, host name, and ident (RFC 1413) query reply as filter tokens to enforce access control.
Tcp_wrappers Main Features
- Works on TCP, i.e. at layer 4 (the transport layer)
- Performs security checks and access control for specific connection-oriented (TCP) services
- Implemented as a shared library (libwrap.so) that the service links against
- Whether a process is subject to libwrap control depends on whether the program was linked against libwrap when it was compiled; a program that does not use the library ignores /etc/hosts.allow and /etc/hosts.deny entirely
Determine if the program supports Tcp_wrapper
If the program links the libwrap.so library, it supports TCP Wrappers. Check with ldd(1) (dynamically linked binaries) or strings(1):

ldd program_path | grep libwrap.so
strings program_path | grep libwrap.so

# ldd /usr/sbin/sshd | grep libwrap.so
        libwrap.so.0 => /lib64/libwrap.so.0 (0x00007f9851678000)
# ldd /usr/sbin/vsftpd | grep libwrap.so
        libwrap.so.0 => /lib64/libwrap.so.0 (0x00007f802ef50000)
# strings `which sshd` | grep libwrap.so
libwrap.so.0
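ldd answers "was this binary linked against libwrap"; what actually decides whether hosts.allow and hosts.deny are consulted is whether libwrap is mapped into the process that is serving right now. The following script, written for this article as an added example (not code from the original article or from the tcp_wrappers project), walks the listening TCP sockets and reports, per daemon, whether libwrap is loaded, by reading /proc/PID/maps. It assumes Linux with /proc and iproute2's ss(8); the sample ss line in the comment is constructed, and the function names are this example's own. Run it as root to see the PIDs of other users' daemons.

```shell
#!/bin/bash
# Added example: which listening TCP daemons honour /etc/hosts.allow and
# /etc/hosts.deny, judged by whether libwrap is mapped into the live process.
# Assumes Linux with /proc and ss(8) from iproute2 (both assumptions of this
# example, not requirements stated by the article).

# libwrap_in_binary PATH -> 0 if the executable is linked against libwrap.so,
# 1 if not, 2 if PATH is not an executable file
libwrap_in_binary() {
  [ -x "$1" ] || return 2
  ldd "$1" 2>/dev/null | grep -q 'libwrap\.so'
}

# has_libwrap_loaded PID -> 0 if libwrap is mapped into the process, 1 if not,
# 2 if the process cannot be inspected (no such PID, or no permission)
has_libwrap_loaded() {
  local maps=/proc/$1/maps
  [ -r "$maps" ] || return 2
  grep -q '/libwrap\.so' "$maps"
}

# wrapped_listeners: prints "port pid command status" for every listening TCP
# socket; status is wrapped, unwrapped or unknown
wrapped_listeners() {
  local state rq sq laddr paddr users port pid comm status
  # Without the header, ss -ltnp prints lines like this constructed sample:
  #   LISTEN 0 128 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=1234,fd=3))
  ss -H -ltnp 2>/dev/null | while read -r state rq sq laddr paddr users; do
    port=${laddr##*:}                                   # "[::]:22" -> "22"
    pid=$(grep -o 'pid=[0-9]*' <<<"$users" | head -n1 | cut -d= -f2)
    comm=$(grep -o '"[^"]*"' <<<"$users" | head -n1 | tr -d '"')
    if [ -z "$pid" ]; then
      echo "$port ? ? unknown"    # ss shows no process info without privileges
      continue
    fi
    has_libwrap_loaded "$pid"
    case $? in
      0) status=wrapped ;;
      1) status=unwrapped ;;
      *) status=unknown ;;
    esac
    echo "$port $pid $comm $status"
  done
}

wrapped_listeners
```

A daemon reported as unwrapped will accept connections no matter what hosts.deny says; it has to be protected by the host firewall instead.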
Use of Tcp_wrappers
TCP Wrappers is a firewall-like mechanism implemented through the two configuration files /etc/hosts.allow and /etc/hosts.deny, which libwrap reads on every incoming connection.
Configuration file
Help reference: man 5 hosts_access, man 5 hosts_options
| configuration file | rule definition |
| --- | --- |
| /etc/hosts.allow | allow rules |
| /etc/hosts.deny | deny rules |
Note: it is also possible to write a deny rule in /etc/hosts.allow (and an allow rule in /etc/hosts.deny) using the allow and deny options described in hosts_options(5), but that is not covered here: keeping allow rules in hosts.allow and deny rules in hosts.deny keeps naming and management clear.
Grammar

daemon_list : client_list [ : shell_command ]

daemon_list
- The binary file name of a single application (e.g. sshd, vsftpd), not the service name. Multiple daemons are separated by commas or spaces: sshd,vsftpd or sshd vsftpd.
- A daemon can be bound to one server address with the daemon@host form, so that the rule applies only to connections arriving on that address (see the "Allow only intranet IP access" example below).
- ALL matches every service program that is under TCP Wrappers control. Wildcards are supported.

client_list
- A single IP address: 192.168.10.1
- A network prefix, written with a trailing dot: 192.168.1. (note that 192.168.1.0 is wrong: it would match only that exact address)
- A host name: www.hunk.tech, or a domain suffix with a leading dot: .hunk.tech (less commonly used)
- Network/mask: 192.168.0.0/255.255.255.0
- Network/prefix length: 192.168.1.0/24 (CentOS 7 only)
- A network group (NIS netgroup): @mynetwork
- Built-in ACLs: ALL (any process or host), LOCAL (host names without a dot), KNOWN (host names that can be resolved), UNKNOWN (host names that cannot be resolved), PARANOID (reverse lookup does not match the address, or cannot be resolved)
- Wildcards are supported.

EXCEPT
- Excludes part of the preceding list. More than one EXCEPT may appear on a line; each applies to the list that follows it, so a EXCEPT b EXCEPT c reads as a EXCEPT (b EXCEPT c). For example:

vsftpd:172.16. EXCEPT 172.16.100.0/24 EXCEPT 172.16.100.1

matches the whole 172.16. network, excludes the 172.16.100.0/24 subnet from it, and then excludes 172.16.100.1 from that exclusion, so 172.16.100.1 is matched again.

shell_command
- spawn: start an external program as a child process while the connection proceeds. Built-in variables are expanded (see the % EXPANSIONS section of man 5 hosts_access for the full list):
  %a  client IP address
  %c  client information: IP address or host name (if resolvable), prefixed with the user name when available
  %p  server process information (the daemon's PID)
  %s  server information (daemon@host, or just the daemon name)
  %%  a literal %; when the command itself needs a %, as in date formats, it must be doubled, e.g. date +%%F-%%T
  Example:

sshd:all:spawn echo "`date +%%F-%%T` from %a pid=%p to %s" >> /app/sshd.log

- twist: replace the service with the specified command; the connection ends as soon as the command finishes. twist must be the last option in a rule.
Example
The two test hosts used have the following network configuration:

| abbreviation in this article | host | IP 1 | IP 2 |
| --- | --- | --- | --- |
| 6A | 6-web-1.hunk.tech | 192.168.7.201 | 192.168.5.102 |
| 7B | 7-web-2.hunk.tech | 192.168.7.202 | 192.168.5.103 |
By default, hosts.allow and hosts.deny are empty, which means all access is allowed:

# ssh 192.168.7.202
Last login: Thu Feb 8 11:04:58 2018 from 192.168.7.201
Deny one IP address:

7B:
# vim /etc/hosts.deny
sshd:192.168.7.201

6A:
# ssh 192.168.7.202
ssh_exchange_identification: Connection closed by remote host

The rule takes effect as soon as the file is saved; no service restart is needed, because libwrap reads the files on every connection. On 7B the refusal is recorded explicitly in the log:

# tail -n1 /var/log/secure
Feb 8 11:18:29 7-web-2 sshd[1811]: refused connect from 192.168.7.201 (192.168.7.201)
What if the same client_list appears in both files at the same time?

7B:
# tail -n1 /etc/hosts.deny >> /etc/hosts.allow

6A:
# ssh 192.168.7.202
Last login: Thu Feb 8 11:05:33 2018 from 192.168.7.201

As you can see, access is allowed. This is a consequence of the evaluation order: /etc/hosts.allow is consulted first, and a matching rule there grants access without /etc/hosts.deny being read at all; otherwise /etc/hosts.deny is consulted, and a matching rule there denies access; if neither file matches, access is granted. Here the identical entry is matched in hosts.allow first, so the connection goes through.
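To make the evaluation order above and the client_list forms from the Grammar section concrete, here is a small simulator written for this article as an added example (it is not code from the original article or from the tcp_wrappers project). It reproduces the hosts_access(5) decision: hosts.allow first, then hosts.deny, otherwise grant. On the daemon side it understands daemon, daemon@server_ip and ALL; on the client side a single IP, a trailing-dot prefix, net/mask, net/prefixlen, ALL and right-associative EXCEPT. Host-name patterns, KNOWN/UNKNOWN/PARANOID, netgroups and the shell_command field are deliberately not modelled. The rule files it writes into a temporary directory are constructed from this article's examples; the directory, the function names and the 10.0.0.5 client address are this example's own assumptions.

```shell
#!/bin/bash
# Added example: simulate the hosts_access(5) decision for a daemon/client pair
# against a hosts.allow / hosts.deny pair, so a rule can be checked before it
# is deployed. Not modelled: host names, KNOWN/UNKNOWN/PARANOID, netgroups,
# and the shell_command field (everything after the second colon is ignored).

ip2int() {            # dotted quad -> 32-bit integer
  local IFS=.; set -- $1
  echo $(( ($1 << 24) + ($2 << 16) + ($3 << 8) + $4 ))
}

match_client() {      # match_client PATTERN CLIENT_IP
  local pat=$1 ip=$2 net mask m
  case "$pat" in
    ALL|all) return 0 ;;
    */*)  net=${pat%/*}; mask=${pat#*/}
          if [[ $mask == *.* ]]; then m=$(ip2int "$mask")             # net/mask
          else m=$(( (0xFFFFFFFF << (32 - mask)) & 0xFFFFFFFF )); fi  # net/prefixlen
          [ $(( $(ip2int "$ip") & m )) -eq $(( $(ip2int "$net") & m )) ] ;;
    *.)   [[ $ip == "$pat"* ]] ;;          # "192.168.1." matches the whole prefix
    *)    [ "$ip" = "$pat" ] ;;            # exact address
  esac
}

match_list() {        # match_list "CLIENT_LIST" CLIENT_IP; handles EXCEPT
  local ip=$2 list p
  set -- $1; list="$*"                     # squeeze whitespace
  if [[ $list == *" EXCEPT "* ]]; then     # a EXCEPT b EXCEPT c == a EXCEPT (b EXCEPT c)
    match_list "${list%% EXCEPT *}" "$ip" && ! match_list "${list#* EXCEPT }" "$ip"
    return
  fi
  for p in ${list//,/ }; do match_client "$p" "$ip" && return 0; done
  return 1
}

match_daemon() {      # match_daemon PATTERN DAEMON SERVER_IP
  local pat=$1
  case "$pat" in
    ALL|all) return 0 ;;
    *@*)     [ "${pat%@*}" = "$2" ] && match_client "${pat#*@}" "$3" ;;   # daemon@host
    *)       [ "$pat" = "$2" ] ;;
  esac
}

file_matches() {      # file_matches FILE DAEMON SERVER_IP CLIENT_IP
  local f=$1 d=$2 s=$3 c=$4 line dl cl rest p
  [ -r "$f" ] || return 1                  # a missing file matches nothing
  while IFS= read -r line || [ -n "$line" ]; do
    line=${line%%#*}                       # strip comments
    [[ $line =~ ^[[:space:]]*$ ]] && continue
    IFS=: read -r dl cl rest <<<"$line"    # daemon_list : client_list [: shell_command]
    for p in ${dl//,/ }; do
      if match_daemon "$p" "$d" "$s"; then
        match_list "$cl" "$c" && return 0
        break
      fi
    done
  done < "$f"
  return 1
}

access() {            # access DAEMON SERVER_IP CLIENT_IP [DIR]; prints the verdict
  local dir=${4:-/etc}
  if file_matches "$dir/hosts.allow" "$1" "$2" "$3"; then echo granted; return 0; fi
  if file_matches "$dir/hosts.deny"  "$1" "$2" "$3"; then echo denied;  return 1; fi
  echo granted                             # neither file matched
}

demo_setup() {        # writes constructed rule files into a temp dir, prints its path
  local dir; dir=$(mktemp -d)
  printf '%s\n' 'sshd:192.168.5.' > "$dir/hosts.allow"
  printf '%s\n' \
    '# constructed sample rules modelled on the examples in the article' \
    'sshd:192.168.7.201' \
    'vsftpd:172.16. EXCEPT 172.16.100.0/24 EXCEPT 172.16.100.1' \
    'sshd@192.168.7.202:ALL' > "$dir/hosts.deny"
  echo "$dir"
}

DEMO_DIR=$(demo_setup)
for q in "sshd 192.168.7.202 192.168.7.201" "sshd 192.168.7.202 192.168.5.102" \
         "vsftpd 192.168.7.202 172.16.100.5" "vsftpd 192.168.7.202 172.16.100.1"; do
  set -- $q
  printf '%-6s on %-14s from %-14s -> %s\n' "$1" "$2" "$3" "$(access "$@" "$DEMO_DIR")"
done
```

Note how the second query is granted although hosts.deny contains sshd@192.168.7.202:ALL: the prefix rule in hosts.allow is matched first and hosts.deny is never read. The real tool for this job is tcpdmatch(8), shipped with tcp_wrappers: tcpdmatch sshd 192.168.7.201 reports how the wrappers on the current host would treat that request, and tcpdmatch -d reads hosts.allow and hosts.deny from the current directory instead of /etc.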
Allow only intranet IP access

Assume 192.168.7.202 is the address of 7B's external NIC; then the rule should be:

# vim /etc/hosts.deny
sshd@192.168.7.202:ALL

# ssh -b 192.168.7.201 192.168.7.202
bind: 192.168.7.201: Cannot assign requested address
ssh: connect to host 192.168.7.202 port 22: Cannot assign requested address

(-b uses X.X.X.X as the source address of the connection.)

Caveat: the output shown here is a client-side bind failure ("Cannot assign requested address" means the host running ssh does not own 192.168.7.201, so no connection was ever attempted) and therefore does not demonstrate the rule. A connection actually refused by TCP Wrappers looks like the first example: "ssh_exchange_identification: Connection closed by remote host" on the client and "refused connect from ..." in /var/log/secure on 7B. To verify the rule, connect from 6A to 7B's external address (192.168.7.202, expected to be refused) and to its intranet address (192.168.5.103, expected to succeed).
Log each SSH login to a file

# vim /etc/hosts.allow
sshd:all:spawn echo "`date +%%F-%%T` from %a pid=%p to %s" >> /app/sshd.log
# cat /app/sshd.log
2018-02-08-15:59:53 from 192.168.7.202 pid=2565 to [email protected]
# ps aux | grep 2565
root 2565 0.0 2.3 145696 5328 ? Ss 15:59 0:00 sshd: root@pts/2

Two practical notes: /app must exist and be writable by the user sshd runs as, because spawn executes the command with the daemon's privileges; and the rule fires when the TCP connection is accepted, before authentication, so it records every connection attempt, not only successful logins. The "to" field is %s, which expands to daemon@server-address.
Application examples
Write the script /root/bin/checkip.sh: every 5 minutes, check the failed SSH logins, and if a remote IP has reached 10 failures, add it to the TCP Wrappers blacklist automatically to forbid further access. The script must run as root (lastb reads /var/log/btmp and the script writes /etc/hosts.deny), and because lastb reports the whole btmp history, an IP stays listed once it has been added.

#!/bin/bash
# Sleep interval between checks (seconds)
sleeptime=300
# Threshold of failed SSH logins per source IP
num=10
# Blacklist file
file=/etc/hosts.deny
# Loop forever
while true; do
    # Count failed logins per source IP. lastb prints one line per failure
    # and the 3rd field is the source host. sort is required before uniq -c,
    # because uniq only merges adjacent lines.
    lastb | grep ssh | awk -F "[ ]+" '{print $3}' | sort | uniq -c | while read conn ip; do
        # Has this IP reached the threshold?
        if [ "$conn" -ge "$num" ]; then
            # Skip IPs already listed (fixed-string match, so the dots are literal)
            if ! grep -qF "sshd:$ip" "$file"; then
                # Append to the blacklist; libwrap re-reads the file on every connection
                echo "sshd:$ip" >> "$file"
            fi
        fi
    done
    sleep "$sleeptime"
done

Use `watch -n1 cat /etc/hosts.deny` to observe the file changing.
Summary: Tcp_wrappers
It is suitable for simple scenarios and is limited to services that link against the libwrap.so library; anything else has to be protected by the host firewall (iptables/nftables/firewalld). Note that upstream OpenSSH removed its libwrap support in version 6.7 (CentOS 7 kept it through a distribution patch), and newer distributions such as RHEL 8 no longer ship tcp_wrappers at all, so check the ldd output before relying on it.
Tcp_wrappers: TCP-based security control