Access control lists for services
Tcp_wrappers is a traffic-monitoring program that is enabled by default on Red Hat RHEL 7. It allows or denies a connection based on the address of the visiting host and the target service program on the local machine. In other words, a Linux system actually has two layers of firewall: the first is the TCP/IP-based traffic filtering tool covered earlier, while the Tcp_wrappers service is a firewall that permits or forbids access to individual system services, protecting the secure operation of the Linux system at a higher layer. Changes to the control list files take effect immediately. The system first checks the allow rule file (/etc/hosts.allow); if a matching allow rule is found, the request is let through directly. If nothing matches there, it goes on to check the deny rule file (/etc/hosts.deny); if a matching deny rule is found, the request is refused. If neither file matches, the request is allowed by default. Configuring the service's parameters is not complicated. For details, see 《linux就该这么学》.
Procedure
- 01
Before actually configuring the Tcp_wrappers service, two principles must be made clear. First, a deny entry must name the service, not a protocol. Second, it is recommended to write the deny rule first, so that its effect can be observed directly. For example, first use the deny policy file to block all requests to the local sshd service (the existing comments do not need to be changed):

```
[root@linuxprobe ~]# vim /etc/hosts.deny
#
# hosts.deny    This file contains access rules which are used to
#               deny connections to network services that either use
#               the tcp_wrappers library or that have been
#               started through a tcp_wrappers-enabled xinetd.
#
#               The rules in this file can also be set up in
#               /etc/hosts.allow with a 'deny' option instead.
#
#               See 'man 5 hosts_options' and 'man 5 hosts_access'
#               for information on rule syntax.
#               See 'man tcpd' for information on tcp_wrappers
sshd:*
[root@linuxprobe ~]# ssh 192.168.10.10
ssh_exchange_identification: read: Connection reset by peer
```
- 02
Next, add a rule to the allow policy file that admits all requests to the local sshd service coming from the 192.168.10.0/24 network. The server immediately accepts sshd requests again; the effect is very direct:

```
[root@linuxprobe ~]# vim /etc/hosts.allow
#
# hosts.allow   This file contains access rules which are used to
#               allow or deny connections to network services that
#               either use the tcp_wrappers library or that have been
#               started through a tcp_wrappers-enabled xinetd.
#
#               See 'man 5 hosts_options' and 'man 5 hosts_access'
#               for information on rule syntax.
#               See 'man tcpd' for information on tcp_wrappers
sshd:192.168.10.
[root@linuxprobe ~]# ssh 192.168.10.10
The authenticity of host '192.168.10.10 (192.168.10.10)' can't be established.
ECDSA key fingerprint is 70:3b:5d:37:96:7b:2e:a5:28:0d:7e:dc:47:6a:fe:5c.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.10.10' (ECDSA) to the list of known hosts.
root@192.168.10.10's password:
Last login: Wed May 4 07:56:29 2017
[root@linuxprobe ~]#
```
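To make the evaluation order described above (hosts.allow first, then hosts.deny, default allow) concrete, here is an added Python model of that decision using the two rules from the steps above. It is not code from the page or from tcp_wrappers itself; it models only a subset of the hosts_access(5) syntax (one `daemon_list : client_list` per line, ALL, exact hosts, and a trailing-dot network prefix) and reads no real files, the rule text being constructed inline.

```python
# Constructed inline copies of the two rule files from the steps above; no
# real /etc/hosts.allow or /etc/hosts.deny is read.
HOSTS_ALLOW = """
# hosts.allow is consulted first
sshd: 192.168.10.
"""
HOSTS_DENY = """
# hosts.deny is consulted only if nothing in hosts.allow matched
sshd: *
"""

def parse_rules(text):
    """Return (daemon_list, client_list) tuples; comments and blanks skipped.
    Only the plain 'daemon_list : client_list' form is modelled."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        daemons, _, clients = line.partition(":")
        rules.append(([d.strip() for d in daemons.split(",")],
                      [c.strip() for c in clients.split(",")]))
    return rules

def pattern_matches(pattern, value):
    """ALL (and the '*' used in the deny step) match anything; a pattern
    ending in '.' is a network prefix such as 192.168.10.; else exact match."""
    if pattern in ("ALL", "*"):
        return True
    if pattern.endswith("."):
        return value.startswith(pattern)
    return value == pattern

def rule_matches(rule, daemon, client):
    daemons, clients = rule
    return (any(pattern_matches(p, daemon) for p in daemons)
            and any(pattern_matches(p, client) for p in clients))

def hosts_access(daemon, client, allow=HOSTS_ALLOW, deny=HOSTS_DENY):
    """Decide like tcp_wrappers: allow file, then deny file, else allow."""
    if any(rule_matches(r, daemon, client) for r in parse_rules(allow)):
        return "allow"       # matched hosts.allow: granted, deny file not read
    if any(rule_matches(r, daemon, client) for r in parse_rules(deny)):
        return "deny"        # matched hosts.deny: refused
    return "allow"           # no rule matched in either file: default allow

if __name__ == "__main__":
    for d, c in [("sshd", "192.168.10.10"), ("sshd", "10.0.0.5"), ("vsftpd", "10.0.0.5")]:
        print(f"{d} from {c}: {hosts_access(d, c)}")
```

Note that a service named in neither file (vsftpd in the sample run) is allowed, which is why a "deny everything" line such as `ALL: ALL` in hosts.deny is the usual way to close that default.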