The purpose of TCP Wrapper is to add access control to services whose own access control is weak. To understand what it controls, you must first understand how a service listens:
Two methods of service listening:
  listen: the service listens on a socket and serves the connections that arrive on it
  poll: the service checks a port repeatedly in a loop that never stops
There are two ways to determine whether a service supports TCP Wrapper:
1. Check whether the binary is dynamically linked against libwrap by searching its library list:
  ldd $(which COMMAND) | grep libwrap
2. Check whether the binary refers to /etc/hosts.allow and /etc/hosts.deny:
  strings $(which COMMAND) | grep hosts    # view strings embedded in a statically linked binary
  If /etc/hosts.allow and /etc/hosts.deny appear in the output, the command is statically linked to TCP Wrapper.
TCP Wrapper itself works in the kernel, but access control is configured through these two files.
Request
  |
  v
service ---> /etc/hosts.allow ---> matched: allow
                 |
                 | not matched
                 v
             /etc/hosts.deny ---> matched: deny
                 |
                 | not matched
                 v
               allow
/etc/hosts.allow and /etc/hosts.deny file format:  daemon_list: client_list [: option]
Service list (daemon_list):
  vsftpd: 192.168.0.
  vsftpd, sshd, in.telnetd: ALL
  daemon@host
  vsftpd@192.168.0.186
  # 192.168.0. stands for the 192.168.0.0 network
  # multiple services can be specified at a time
  # the wildcard ALL matches all services
  # daemon@host restricts the rule to connections arriving at that one local address
Client list (client_list):
  IP address
  network address
  network/mask: the mask cannot be written in prefix-length form; it must be a full dotted mask (for example 172.16.0.0/255.255.0.0)
  172.16.0.0 ---> 172.16.   the network can also be abbreviated by dropping the trailing zero octets and keeping the final dot
  hostname
  FQDN
  .org matches all hosts in the .org domain
Option:
  spawn    # spawn can be used to write a log entry
  spawn echo ""
  # The following rule writes a log entry whenever a user connects via telnet:
  vim /etc/hosts.deny
  in.telnetd: ALL EXCEPT 172.16.0.1 : spawn echo "Login attempt (`date`) %u from %a attempts to login %A, the daemon is %d." >> /var/log/telnet.log
  # Note that a colon cannot follow echo: the colon is the field separator in this file.
  # Use man 5 hosts_access to see the meaning of the % expansions above.
Common macros:
  ALL       # all hosts or all services
  LOCAL     # hosts whose name contains no dot (local hosts, not FQDNs)
  KNOWN     # hosts whose name and address can be resolved
  UNKNOWN   # hosts whose name or address cannot be resolved
  PARANOID  # hosts whose forward and reverse resolution do not match
  EXCEPT    # exclude a host or a network
How to control vsftpd access
1. which vsftpd            # determine the file path
2. vim /etc/hosts.deny     # changes to the file take effect immediately
   vsftpd: 172.16.100.100  # deny this one host
   Assume that only the 172.16 network segment may access vsftpd:
   vim /etc/hosts.allow
   vsftpd: 172.16.         # only the 172.16.0.0/16 network segment is allowed
   vim /etc/hosts.deny
   ALL: ALL                # deny logins from everyone else
In this way, only the 172.16.0.0/16 network can access vsftpd.
Control ssh: only logins from the 192.168.0.0/24 network segment are allowed, and the host 192.168.0.32 within it is not allowed.
   vim /etc/hosts.deny
   ALL: ALL
   vim /etc/hosts.allow
   sshd: 192.168.0. EXCEPT 192.168.0.32
To restore logins, remove ALL: ALL from /etc/hosts.deny.
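As an added worked example (not code from this page or from the tcp_wrappers project), the following Python script evaluates a connection against the rule format and the hosts.allow-then-hosts.deny order described above, and runs the vsftpd and sshd configurations from the two procedures through it. It handles only the pattern forms covered here plus ALL, LOCAL, KNOWN, UNKNOWN and EXCEPT; hostnames are supplied by the caller rather than resolved through DNS, so PARANOID is never matched (an assumption of the example). The sample file contents are constructed.

```python
"""Evaluate /etc/hosts.allow and /etc/hosts.deny in the order TCP Wrapper uses.

Added example, not code from the page or from tcp_wrappers. hosts.allow is
searched first and a match grants access; hosts.deny is searched next and a
match refuses access; a client matched in neither file is admitted.
Assumption: no DNS is performed, the caller passes any known client name.
"""
import ipaddress


def parse_rules(text):
    """Return (daemon_list, client_list, option, line) tuples from one file.

    A rule is 'daemon_list : client_list [: option]'. Blank lines and '#'
    comments are skipped; list items may be separated by blanks or commas.
    A line without a ':' separator is skipped here.
    """
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split(":", 2)
        if len(fields) < 2:
            continue
        daemons = fields[0].replace(",", " ").split()
        clients = fields[1].replace(",", " ").split()
        option = fields[2].strip() if len(fields) == 3 else None
        rules.append((daemons, clients, option, line))
    return rules


def list_matches(tokens, predicate):
    """Apply the 'list_1 EXCEPT list_2' operator: match list_1 but not list_2."""
    if "EXCEPT" in tokens:
        i = tokens.index("EXCEPT")
        return list_matches(tokens[:i], predicate) and not list_matches(tokens[i + 1:], predicate)
    return any(predicate(tok) for tok in tokens)


def daemon_matches(token, daemon, server_ip):
    """ALL, a daemon name, or daemon@address (the local address the connection arrived on)."""
    if token == "ALL":
        return True
    name, _, host = token.partition("@")
    if name != daemon:
        return False
    return not host or host == server_ip


def client_matches(token, client_ip, client_name):
    """Client patterns: wildcards, '.domain' suffix, 'net.' prefix, 'net/mask', or a literal."""
    if token == "ALL":
        return True
    if token == "LOCAL":                 # a resolved name without a dot
        return client_name is not None and "." not in client_name
    if token == "KNOWN":
        return client_name is not None
    if token == "UNKNOWN":
        return client_name is None
    if token == "PARANOID":              # needs forward/reverse DNS; not modelled (assumption)
        return False
    if token.endswith("."):              # '192.168.0.' matches every 192.168.0.x address
        return client_ip.startswith(token)
    if token.startswith("."):            # '.org' matches hosts in that domain
        return client_name is not None and client_name.endswith(token)
    if "/" in token:                     # '172.16.0.0/255.255.0.0' net/mask pair
        return ipaddress.ip_address(client_ip) in ipaddress.ip_network(token, strict=False)
    return token == client_ip or token == client_name


def decide(daemon, client_ip, allow_text, deny_text, client_name=None, server_ip=None):
    """Return (verdict, matched_rule, option); matched_rule is None for the default allow."""
    files = (("hosts.allow", allow_text, "allow"), ("hosts.deny", deny_text, "deny"))
    for path, text, verdict in files:
        for daemons, clients, option, line in parse_rules(text):
            if list_matches(daemons, lambda t: daemon_matches(t, daemon, server_ip)) and \
               list_matches(clients, lambda t: client_matches(t, client_ip, client_name)):
                return verdict, f"{path}: {line}", option
    return "allow", None, None


# Constructed sample files mirroring the vsftpd and sshd scenarios on this page.
HOSTS_ALLOW = """\
vsftpd: 172.16.
sshd: 192.168.0. EXCEPT 192.168.0.32
in.telnetd: 10.0.0.0/255.255.255.0 : spawn echo "telnet from %a" >> /var/log/telnet.log
"""
HOSTS_DENY = """\
ALL: ALL
"""

if __name__ == "__main__":
    for daemon, ip in [("vsftpd", "172.16.100.100"), ("vsftpd", "10.0.0.5"),
                       ("sshd", "192.168.0.10"), ("sshd", "192.168.0.32"),
                       ("in.telnetd", "10.0.0.7")]:
        verdict, rule, option = decide(daemon, ip, HOSTS_ALLOW, HOSTS_DENY)
        print(f"{daemon:11s} {ip:16s} -> {verdict:5s} via {rule or 'no rule (default allow)'}")
```

Running it shows why the order of the two files matters: 192.168.0.32 is never granted by hosts.allow because EXCEPT removes it from the sshd rule, so evaluation falls through to the ALL: ALL line in hosts.deny, while a daemon listed in neither file is admitted with no rule at all.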