Last updated: 2019-10-03
Introduction
hosts.allow and hosts.deny are the configuration files of TCP wrappers.
TCP Wrapper = a program compiled against the libwrap.a library
# Check whether a daemon (sshd here) is linked against libwrap:
ldd /usr/sbin/sshd | grep libwrap
libwrap.so.0 => /lib64/libwrap.so.0 (0x00007f075713e000)
Network security
Configuration
# Format:
daemon_list : client_list [: command]
e.g. only allow ssh logins to this server from 192.168.123.*, 192.168.0.0/255.255.255.0 and 192.168.1.0/24
* Do Step 1 before Step 2: with the order reversed, "sshd : ALL" in hosts.deny refuses every client (yourself included) until the allow rule is in place
Step 1: add to /etc/hosts.allow
sshd : 192.168.123. \
       192.168.0.0/255.255.255.0 \
       192.168.1.0/24
Step 2: add to /etc/hosts.deny
sshd : ALL
P.S.
* sshd is the daemon's own process name, not an arbitrary label
* adding or removing IPs in hosts.allow does not require restarting sshd (both files are re-read on every connection)
Test:
Log: /var/log/auth.log # Debian
A refused client shows up in the log as:
... sshd[589]: refused connect from R.R.R.R (R.R.R.R)
On the ssh client side:
ssh_exchange_identification: read: Connection reset by peer
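The refusal line above is the signal a defender wants to watch for. The following is an added example (not from this page) that scans auth.log lines for TCP-wrapper refusals and counts them per daemon and client address; the log lines in SAMPLE_LOG are constructed to match the format shown above.

```python
"""Count TCP-wrapper refusals per client address from auth.log lines.
Added example, not tcp_wrappers code; the log lines below are constructed."""
import re
from collections import Counter

# Format of the line libwrap logs via syslog when a rule refuses a client:
#   "<daemon>[<pid>]: refused connect from <address> (<hostname>)"
REFUSED_RE = re.compile(
    r"(?P<daemon>\w+)\[\d+\]: refused connect from (?P<addr>\S+) \((?P<host>[^)]+)\)"
)

# Constructed sample of /var/log/auth.log (addresses from documentation ranges).
SAMPLE_LOG = """\
Oct  3 10:15:02 gw sshd[589]: refused connect from 203.0.113.7 (203.0.113.7)
Oct  3 10:15:05 gw sshd[590]: refused connect from 203.0.113.7 (203.0.113.7)
Oct  3 10:16:11 gw sshd[602]: Accepted publickey for alice from 192.168.123.5 port 51234 ssh2
Oct  3 10:17:40 gw sshd[611]: refused connect from 198.51.100.9 (198.51.100.9)
"""


def refused_by_client(lines):
    """Return {(daemon, client address): count} for every refusal line."""
    counts = Counter()
    for line in lines:
        m = REFUSED_RE.search(line)
        if m:
            counts[(m.group("daemon"), m.group("addr"))] += 1
    return dict(counts)


def repeat_offenders(lines, threshold=2):
    """Client addresses refused at least `threshold` times, sorted, for review."""
    hits = refused_by_client(lines)
    return sorted({addr for (_, addr), n in hits.items() if n >= threshold})


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    for (daemon, addr), n in refused_by_client(lines).items():
        print(f"{daemon} refused {addr} {n}x")
    print("repeat offenders:", repeat_offenders(lines))
```

Feed it `tail -f`-style input or a whole rotated log; the regex keys on the daemon name in front of the PID, so refusals for other wrapped services (vsftpd, in.telnetd) are counted separately from sshd.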
P.S.
- the search stops at the first match (hosts.allow -> hosts.deny -> granted by default)
- wildcards `*' and `?' can be used to match hostnames or IP addresses
- lines that begin with a `#' character are ignored
- ALL => the universal wildcard, always matches
MOSTLY CLOSED
/etc/hosts.deny
ALL: ALL
- A string that begins with a "/" character is treated as a file name; a host matches if it matches any pattern listed in that file.
/etc/hosts.allow
sshd : /etc/ssh/allow_ip
/etc/ssh/allow_ip
192.168.123. 192.168.0.0/255.255.255.0 192.168.1.0/24
/etc/hosts.deny
sshd : ALL
EXCEPT:
- "list_1 EXCEPT list_2" matches anything that matches list_1 unless it also matches list_2
- "a EXCEPT b EXCEPT c" would parse as `(a EXCEPT (b EXCEPT c))'.
Command
Help: man 5 hosts_options
/etc/hosts.allow
daemon_list : client_list [: command]
If the first-matched access control rule contains a shell command, that command is subjected to %<letter> substitutions.
Specify an `&' at the end of the command if you do not want to wait until it has completed.
%<letter> substitutions
%a The client host address
e.g.
aclexec (* not every version has aclexec)
"The connection will be allowed or refused depending on whether the command returns a true or false exit status."
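To check rules like the ones in the Step 1/Step 2, MOSTLY CLOSED, EXCEPT and Command sections above without touching a live box, here is an added example (not tcp_wrappers' own code) that evaluates a client address against hosts.allow / hosts.deny text the way libwrap does: hosts.allow first, then hosts.deny, first match wins, otherwise granted. It understands ALL, the trailing-dot prefix, net/mask, CIDR, `*`/`?` wildcards, file-name patterns, the right-associative EXCEPT and %a / %d substitution in the command field. It is IPv4-only, does not resolve hostnames, and ignores hosts_options keywords other than passing the command string through; the ALLOW, DENY and FILES contents are constructed for the demonstration.

```python
"""Offline evaluator for hosts.allow / hosts.deny rules (IPv4 clients only).
Added example, not tcp_wrappers code. Hostname patterns and hosts_options
keywords are not interpreted; the command field is only %-expanded, never run."""
import ipaddress
import re


def _match_token(token, ip):
    """One client pattern against one ipaddress.IPv4Address."""
    if token == "ALL":
        return True
    if token.endswith("."):                                   # 192.168.123.  (prefix form)
        return str(ip).startswith(token)
    if "/" in token:
        net, mask = token.split("/", 1)
        if "." in mask:                                       # 192.168.0.0/255.255.255.0
            m = int(ipaddress.IPv4Address(mask))
            return int(ip) & m == int(ipaddress.IPv4Address(net)) & m
        return ip in ipaddress.IPv4Network(token, strict=False)   # 192.168.1.0/24
    if "*" in token or "?" in token:                          # shell-style wildcards
        pat = re.escape(token).replace(r"\*", ".*").replace(r"\?", ".")
        return re.fullmatch(pat, str(ip)) is not None
    return str(ip) == token


def _match_file(path, ip, files):
    """A token starting with '/' names a file of patterns; `files` stands in for the filesystem."""
    for line in files.get(path, "").splitlines():
        line = line.split("#", 1)[0]                          # drop comments
        if any(_match_token(t, ip) for t in line.split()):
            return True
    return False


def _match_list(client_list, ip, files):
    """client_list with EXCEPT parsed right-associatively: a EXCEPT b EXCEPT c == a EXCEPT (b EXCEPT c)."""
    head, sep, rest = client_list.partition(" EXCEPT ")
    if sep:
        return _match_list(head, ip, files) and not _match_list(rest, ip, files)
    return any(_match_file(t, ip, files) if t.startswith("/") else _match_token(t, ip)
               for t in client_list.split())


def _parse_rules(text):
    """Yield (daemon_list, client_list, command) honouring '#' comments and backslash-newline continuation."""
    for line in text.replace("\\\n", " ").splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = [p.strip() for p in line.split(":", 2)]
        yield parts[0], parts[1], (parts[2] if len(parts) == 3 else None)


def _expand(command, daemon, client_ip):
    """%a -> client address, %d -> daemon name, %% -> %; other letters are left untouched."""
    if command is None:
        return None
    subst = {"a": client_ip, "d": daemon, "%": "%"}
    return re.sub(r"%(.)", lambda m: subst.get(m.group(1), m.group(0)), command)


def hosts_access(daemon, client_ip, allow_text, deny_text, files=None):
    """Return ("granted" | "refused", expanded command of the matching rule or None)."""
    ip = ipaddress.IPv4Address(client_ip)
    for verdict, text in (("granted", allow_text), ("refused", deny_text)):
        for daemons, clients, command in _parse_rules(text):
            if any(d in ("ALL", daemon) for d in daemons.split()) \
                    and _match_list(clients, ip, files or {}):
                return verdict, _expand(command, daemon, client_ip)
    return "granted", None                                    # no rule matched: allowed by default


# Constructed sample files, shaped like the rules on this page.
ALLOW = """\
sshd : 192.168.123. \\
       192.168.0.0/255.255.255.0 \\
       192.168.1.0/24
sshd : /etc/ssh/allow_ip
vsftpd : 10.1.0.0/16 EXCEPT 10.1.5.0/24 EXCEPT 10.1.5.99
"""
DENY = """\
sshd : ALL : spawn /bin/echo "%d refused %a" >> /var/log/tcpwrap.log
ALL : ALL
"""
FILES = {"/etc/ssh/allow_ip": "# constructed /etc/ssh/allow_ip\n172.16.9.0/24\n"}

if __name__ == "__main__":                                    # output shaped like tcpdmatch
    for daemon, addr in [("sshd", "192.168.123.77"), ("sshd", "10.0.0.1"),
                         ("vsftpd", "10.1.5.7"), ("vsftpd", "10.1.5.99")]:
        access, cmd = hosts_access(daemon, addr, ALLOW, DENY, FILES)
        print(f"client: address {addr}  server: process {daemon}  access: {access}"
              + (f"  command: {cmd}" if cmd else ""))
```

The vsftpd rule is the interesting one: 10.1.5.7 is refused (carved out by 10.1.5.0/24) while 10.1.5.99 is granted again, which is exactly what `a EXCEPT (b EXCEPT c)` produces and is easy to get backwards when reading the rule left to right. On a real host, tcpdmatch gives the authoritative answer; this evaluator is for reviewing rule files before they are copied into place.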
tcp wrapper tools
# Install
yum install tcp_wrappers
# Provides:
- /usr/sbin/tcpd
- /usr/sbin/tcpdmatch
- /usr/sbin/safe_finger
- /usr/sbin/try-from
# Test (tcpdmatch predicts the verdict for a daemon/client pair without opening a connection):
tcpdmatch sshd 192.168.88.177
client:   address  192.168.88.177
server:   process  sshd
access:   granted
# tcpd
tcpd is the access control facility for internet services: whenever a request for service arrives, the inetd daemon is tricked into running the tcpd program instead of the desired server. tcpd logs the request and does some additional checks. When all is well, tcpd runs the appropriate server program and goes away.