tcpd

prohibit all unwanted services, such as FTP, Telnet, shell, login, exec, talk, Ntalk, IMAP, POP-2, pop-3, Finger, auth, and so on. If you feel that some services are useful, you may not ban these services. However, by banning these services, the system is less likely to be attacked. The contents of the changed "inetd.conf" file are as follows: # to re-read this file after the changes, just do a ' killall-hup inetd ' # #echo Stream TCP nowait root internal #echo dgram UDP Wait root internal

is designed as an intermediate processing software that is in response to external service requests and system services. The most common use is with inetd. When inetd receives a foreign service request, it is not a direct call, but rather a call to the TCP wrapper (executable TCPD), which the TCP wrapper determines whether the other person has permission to use the service based on the requested service and the access control rules tailored to the se

-process, set it to nowait. At this time, inetd starts a service process every time it receives a request, for example, telnet works in this way. Each Independent telnet conversation starts a telnet service process. On the contrary, if it is a single process, you can set it to wait. User identity indicates the uid/euid used when the service process starts. Because telnet can be issued by any user and any command can be executed through telnet, the root user identity is used. /Usr/sbin/

primary.[Email protected] ~]# Cat/etc/sysconfig/iptables.....-A input-s 192.168.1.0/24-m state--state new-m tcp-p TCP--dport 22-j ACCEPT-A input-s 114.165.77.144-m state--state new-m tcp-p TCP--dport 22-j ACCEPT-A input-s 133.110.186.130-m state--state new-m tcp-p TCP--dport 22-j ACCEPT [[emailprotected] ~]# cat/etc/hosts.allow # # hosts.allow This file contains access rules which is Used to # Allow or deny connections to network services This # either use the Tcp_wrappers library or that h

process through the following settings. Mv/etc/inetd. conf/etc/inetd. conf. old Cat>/etc/inetd. conf # Pop3 stream tcp nowait root/usr/sbin/tcpd/usr/sbin/popa3d# Auth stream tcp wait root/usr/sbin/in. identd in. identd## Ftp stream tcp nowait root/usr/sbin/tcpd proftpd# Echo stream tcp nowait root internal# Echo dgram udp wait root internal# Discard stream tcp nowait root internal# Discard dgram udp wait

sockets. in this case, "nowait" is used. If the service is a single thread, it means that the service will process all the foreign datagram in the same socket until it times out. in this case, the "wait" entry is used. The Max parameter, separated by a vertex and wait/nowait, defines the maximum number of instances generated by the inetd process within one minute. The user domain defines the service user. Group parameters, separated by points and user names, define group IDs that can run servic

Linux system, if you need to prohibit specific IP address access to ensure the security of the system, simply through the operation of Iptalbes to achieve, the following small set to introduce how Linux to prohibit an IP address access, interested friends can come to understand the next. I. Overview These two files are TCPD server configuration files, and TCPD servers can control the acces

1. TCP Wrapper is an access control tool based on tcpd access. It can access most TCP-based services. Generally speaking, it can only implement the acceptance of tcpd management explicitly during compilation. Their working principle is similar to this: Generally, the so-called service listening service listens on a socket is actually implemented through a loop, this loop is to constantly check the arrival o

: In "/etc/hosts. add "ALL: nbspALL @ ALL, PARANOID" to the deny file, and then add "/etc/hosts. "allow" lists the allowed hosts. TCP_WRAPPERS is controlled by two files, and the search stops at the First Matching place./Etc/hosts. allow/Etc/hosts. denyStep 1Edit the hosts. deny file (/etc/hosts. deny) and add the following lines:# Deny access to everyone.ALL: nbspALL @ ALL, PARANOIDThe statement indicates that all services and all hosts are denied unless access is permitted in the allow file.

also retain the transport layer protocol information, all of this is to make communications more secure and meticulous. Imagine if a man-in-the-middle intercepts an ICMP packet and then changes it to a UDP packet or what happens, this UDP is not random but well-constructed, but it is much more difficult to add a pseudo-header so it can succeed, because the pseudo-header contains protocol fields, in addition to any wrong delivery, the Error Data Length and protocol are detected. Take a look at t

after changes, just do a killall-HUP inetd## Echo stream tcp nowait root internal# Echo dgram udp wait root internal# Discard stream tcp nowait root internal# Discard dgram udp wait root internal# Daytime stream tcp nowait root internal# Daytime dgram udp wait root internal# Chargen stream tcp nowait root internal# Chargen dgram udp wait root internal# Time stream tcp nowait root internal# Time dgram udp wait root internal## These are standard services.## Ftp stream tcp nowait root/Usr/sbin/

this software is to filter the TCP/UDP service on UNIX platforms, which is now widely used to monitor and filter the standard TCP/UDP services such as FTP, Telnet, rsh, rlogin, tftp, finger, etc., which occur on the host computer. When the system installs Tcp_wrapper, the in.telnetd of/usr/sbin/in.telnetd in the in.conf file is replaced by Tcp_wrapper programs that are included with TCPD. The program intercepts the service request from the client, lo

I. Overview These two files are TCPD server configuration files, and TCPD servers can control the access of external IP to native services. The two configuration files are formatted as follows: #服务进程名: Host list: Optional command action when rule matchesServer_name:hosts-list[:command]/etc/hosts.allow control can access the IP address of this computer,/etc/hosts.deny control prohibit access to native IP.

These two files are the configuration files of The tcpd server. The tcpd server can control access to the local service by external IP addresses. The two configuration files are in the following format: # Service process name: Host list: optional command operation when the rule matchesSERVER_NAME: hosts-list [: Command]/Etc/hosts. Allow controls access to the local IP address, and/etc/hosts. Deny controls p

and annotate other services (add a # symbol ). 　 Ftp stream tcp nowait root/usr/sbin/tcpd in. proftpd 　 Telnet stream tcp nowait root/usr/sbin/tcpd in. telnetd 　 Pop-3 stream tcp nowait root/usr/sbin/tcpd ipop3d 　 Imap stream tcp nowait root/usr/sbin/tcpd imapd 　 In addition, if your RedHat version is later than 7.0,

1. First introduce the daemon in Linux The Linux system has a special daemon inetd (Internet Services Daemon), which is used for Internet standard services and is typically started when the system starts. The inetd configuration file can be given by the command line, which lists the services provided by inetd. If a configuration file is not given on the command line, INETD will read its configuration information from the file/etc/inetd.conf. The primary task of inetd is to listen for requests f