vsftpd on RHEL4 is already built with tcp_wrappers support, so you can use tcp_wrappers to implement host access control.
Before the experiment, first look at the order in which tcp_wrappers evaluates its files:
hosts.allow is checked first: if the host matches an entry there, it is allowed access. Otherwise hosts.deny is checked: if the host matches an entry there, it is rejected. If it matches neither (that is, it is listed in neither allow nor deny), the host is allowed access.
In practice, hosts.allow can also express "deny" rules, so in general only /etc/hosts.allow is used for host access control.
(i) Host access control
Configure the vsftpd service on the host (192.168.1.102) so that hosts on the 192.168.1.0/24 network segment can access this FTP service, except 192.168.1.100.
The plan is quite simple: edit /etc/hosts.allow
vsftpd:192.168.1.100:deny
vsftpd:192.168.1.
Restart vsftpd and the goal of the experiment is met. In your own experiments you can try more complex tcp_wrappers rules.
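The evaluation order described above, applied to the two hosts.allow lines from this experiment, as an added example that is not part of the original article. It is a simplified model of tcp_wrappers matching (exact address, trailing-dot prefix, ALL, and the allow/deny option in hosts.allow only); the function names and the hosts.deny contents are assumptions made for the illustration.

```python
# Simplified model of tcp_wrappers rule evaluation (added example).
# Supports only the forms used on this page: exact address, trailing-dot
# prefix, ALL, and an optional ":allow"/":deny" third field in hosts.allow.

def parse_rules(text):
    """Parse 'daemon : client [: option]' lines into (daemon, client, option)."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        fields = [f.strip() for f in line.split(":")]
        option = fields[2].lower() if len(fields) > 2 else None
        rules.append((fields[0], fields[1], option))
    return rules

def pattern_matches(pattern, value):
    if pattern.upper() == "ALL":
        return True
    if pattern.endswith("."):          # "192.168.1." is a string prefix match
        return value.startswith(pattern)
    return pattern.lower() == value.lower()

def first_match(rules, daemon, client):
    """Return the option of the first matching rule, or None if none match."""
    for rule_daemon, rule_client, option in rules:
        if pattern_matches(rule_daemon, daemon) and pattern_matches(rule_client, client):
            return option or "match"
    return None

def access_decision(allow_text, deny_text, daemon, client):
    """hosts.allow first (first matching rule wins), then hosts.deny, else allow."""
    hit = first_match(parse_rules(allow_text), daemon, client)
    if hit is not None:
        return "deny" if hit == "deny" else "allow"
    if first_match(parse_rules(deny_text), daemon, client) is not None:
        return "deny"
    return "allow"                      # no rule in either file matched

# The page's /etc/hosts.allow; the hosts.deny variants are constructed samples.
HOSTS_ALLOW = "vsftpd:192.168.1.100:deny\nvsftpd:192.168.1.\n"
EMPTY_DENY = ""
CATCH_ALL_DENY = "vsftpd:ALL\n"

if __name__ == "__main__":
    for client in ("192.168.1.100", "192.168.1.50", "10.0.0.5"):
        print(client,
              access_decision(HOSTS_ALLOW, EMPTY_DENY, "vsftpd", client),
              access_decision(HOSTS_ALLOW, CATCH_ALL_DENY, "vsftpd", client))
```

With an empty hosts.deny, a client outside 192.168.1.0/24 matches neither file and is allowed, so limiting the service to that segment also needs a catch-all deny. The order of the two hosts.allow lines matters: with the prefix rule first, 192.168.1.100 would match it and be allowed.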
(ii) User access control
vsftpd has flexible user access control. In the concrete implementation, vsftpd's user access control falls into two categories: the first is the traditional user list /etc/vsftpd/ftpusers, which I understand as the system list (that is, users the system forbids); the second is the improved user list file /etc/vsftpd/user_list, which I understand as the list of users I want to ban.
To enable the second kind of list control, vsftpd.conf must contain:
userlist_enable=YES
# This is the system default, that is, you do not need to add it and the default is YES
userlist_deny=YES
userlist_file=/etc/vsftpd/user_list
With the simple experiments above, you can see vsftpd's powerful access control ability.