
8.4 Access control list for the service


May 24, 2021 That's what Linux should learn



TCP Wrappers is a traffic monitoring program that is enabled by default on RHEL 7. It allows or denies connections based on the address of the requesting host and the local service program that the request targets. In other words, a Linux system actually has two layers of firewall: the first is the TCP/IP-based traffic filtering tool introduced earlier, while the TCP Wrappers service is a firewall that allows or prohibits the services the Linux system provides, protecting the system at a higher level.

The firewall policy of the TCP Wrappers service is controlled by two control list files: the allow list (/etc/hosts.allow), which releases request traffic to a service, and the deny list (/etc/hosts.deny), which blocks request traffic to a service. Changes to either file take effect as soon as it is saved. The allow list is checked first: if a request matches an allow rule, the traffic is released. If nothing matches there, the deny list is checked next, and the traffic is refused if a deny rule matches. If neither file matches, the traffic is allowed by default.

The control list files of the TCP Wrappers service are not complex to configure; the commonly used parameters are shown in Table 8-4.

Table 8-4 Parameters commonly used in the control list files of the TCP Wrappers service

    Client type                 Example                         Clients matched by the example
    Single host                 192.168.10.10                   The host with IP address 192.168.10.10
    Specified network segment   192.168.10.                     Hosts in the IP segment 192.168.10.0/24
    Specified network segment   192.168.10.0/255.255.255.0      Hosts in the IP segment 192.168.10.0/24
    Specified DNS suffix        .linuxprobe.com                 All hosts with the DNS suffix .linuxprobe.com
    Specified host name         www.linuxprobe.com              The host named www.linuxprobe.com
    All hosts                   ALL                             All hosts are included

When configuring the TCP Wrappers service, there are two principles to follow:

When you write a deny policy rule, fill in the service name, not the protocol name. Here is a deny policy rule that blocks all traffic to the local sshd service (there is no need to modify the original comments in the /etc/hosts.deny file):

    [root@linuxprobe ~]# vim /etc/hosts.deny
    #
    # hosts.deny    This file contains access rules which are used to
    #               deny connections to network services that either use
    #               the tcp_wrappers library or that have been
    #               started through a tcp_wrappers-enabled xinetd.
    #
    # The rules in this file can also be set up in
    # /etc/hosts.allow with a 'deny' option instead.
    #
    # See 'man 5 hosts_options' and 'man 5 hosts_access'
    # for information on rule syntax.
    # See 'man tcpd' for information on tcp_wrappers
    #
    sshd:*
    [root@linuxprobe ~]# ssh 192.168.10.10
    ssh_exchange_identification: read: Connection reset by peer

Next, add a rule to the allow policy file that releases all traffic from the 192.168.10.0/24 segment to the local sshd service. As the session below shows, the server immediately released traffic to the sshd service, and the effect is very intuitive:

    [root@linuxprobe ~]# vim /etc/hosts.allow
    #
    # hosts.allow   This file contains access rules which are used to
    #               allow or deny connections to network services that
    #               either use the tcp_wrappers library or that have been
    #               started through a tcp_wrappers-enabled xinetd.
    #
    # See 'man 5 hosts_options' and 'man 5 hosts_access'
    # for information on rule syntax.
    # See 'man tcpd' for information on tcp_wrappers
    #
    sshd:192.168.10.

    [root@linuxprobe ~]# ssh 192.168.10.10
    The authenticity of host '192.168.10.10 (192.168.10.10)' can't be established.
    ECDSA key fingerprint is 70:3b:5d:37:96:7b:2e:a5:28:0d:7e:dc:47:6a:fe:5c.
    Are you sure you want to continue connecting (yes/no)? yes
    Warning: Permanently added '192.168.10.10' (ECDSA) to the list of known hosts.
    root@192.168.10.10's password:
    Last login: Wed May 4 07:56:29 2017
    [root@linuxprobe ~]#
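To make the evaluation order described above (hosts.allow first, then hosts.deny, allow by default) and the client patterns of Table 8-4 concrete, here is an added example in Python that is not part of the original chapter or of the tcp_wrappers package. It parses rule text in the `daemon_list : client_list` form, matches the six client pattern types from the table, and returns the decision for a given service and client. The two rule texts are constructed here to mirror the page's hosts.deny and hosts.allow (using `ALL` from the table as the wildcard); the EXCEPT operator, netgroups, and option fields of hosts_access(5) are deliberately left out, so this is a model of the lookup order, not a replacement for the real library. On a live system, the `tcpdmatch` tool shipped with tcp_wrappers performs the same kind of check against the real files.

```python
import ipaddress

# Constructed sample rule files, modelled on the page's two examples
# (these strings stand in for /etc/hosts.deny and /etc/hosts.allow).
DENY_TEXT = """
# refuse every client that asks for the sshd service
sshd:ALL
"""
ALLOW_TEXT = """
# release the 192.168.10.0/24 segment for the sshd service
sshd:192.168.10.
"""


def parse_rules(text):
    """Turn rule text into (daemon_patterns, client_patterns) pairs.

    Comments and blank lines are skipped; each remaining line must be
    'daemons : clients', with comma-separated entries on both sides.
    """
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        daemons, _, clients = line.partition(":")
        rules.append((
            [d.strip() for d in daemons.split(",") if d.strip()],
            [c.strip() for c in clients.split(",") if c.strip()],
        ))
    return rules


def client_matches(pattern, ip, hostname=None):
    """Match one client pattern of the kinds listed in Table 8-4."""
    if pattern == "ALL":                       # all hosts
        return True
    if pattern.startswith("."):                # DNS suffix, e.g. .linuxprobe.com
        return hostname is not None and hostname.endswith(pattern)
    if pattern.endswith("."):                  # address prefix, e.g. 192.168.10.
        return ip.startswith(pattern)
    if "/" in pattern:                         # net/mask, e.g. 192.168.10.0/255.255.255.0
        try:
            network = ipaddress.ip_network(pattern, strict=False)
            return ipaddress.ip_address(ip) in network
        except ValueError:
            return False
    return pattern == ip or pattern == hostname  # single host or exact host name


def daemon_matches(pattern, daemon):
    return pattern == "ALL" or pattern == daemon


def rules_match(rules, daemon, ip, hostname=None):
    """True if any rule matches both the service and the client."""
    return any(
        any(daemon_matches(d, daemon) for d in daemons)
        and any(client_matches(c, ip, hostname) for c in clients)
        for daemons, clients in rules
    )


def access_decision(allow_text, deny_text, daemon, ip, hostname=None):
    """Apply the lookup order from the text: allow list, then deny list, then default allow."""
    if rules_match(parse_rules(allow_text), daemon, ip, hostname):
        return "allow"
    if rules_match(parse_rules(deny_text), daemon, ip, hostname):
        return "deny"
    return "allow"


if __name__ == "__main__":
    # Same client, before and after the allow rule from the page is added.
    print("deny only :", access_decision("", DENY_TEXT, "sshd", "192.168.10.10"))
    print("allow+deny:", access_decision(ALLOW_TEXT, DENY_TEXT, "sshd", "192.168.10.10"))
    print("other net :", access_decision(ALLOW_TEXT, DENY_TEXT, "sshd", "192.168.20.5"))
```

Running it reproduces the two outcomes shown in the page's sessions: with only `sshd:ALL` in the deny text the client is refused, and once the allow text contains `sshd:192.168.10.` the same client is released, while a host outside that segment is still denied. A service with no rules in either file falls through to the default and is allowed, which is worth remembering when auditing a host: an empty hosts.deny means TCP Wrappers blocks nothing.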