Ma Ge Linux Ops Study Notes: tcp_wrappers & xinetd
Published: 2019-03-10 12:22:23 Editor: 雪饮
Besides iptables, tcp_wrappers can also enforce network access control, and its rules are simpler. However, not every service can be access-controlled through tcp_wrappers.
There are two ways to find out whether a service can be controlled by tcp_wrappers.
Checking whether a service supports tcp_wrappers
Method 1
[root@mail ~]# ldd `which sshd`
linux-gate.so.1 => (0xb80ee000)
libwrap.so.0 => /lib/libwrap.so.0 (0xb806e000)
libpam.so.0 => /lib/libpam.so.0 (0xb8063000)
libdl.so.2 => /lib/libdl.so.2 (0xb805e000)
libselinux.so.1 => /lib/libselinux.so.1 (0xb8046000)
libaudit.so.0 => /lib/libaudit.so.0 (0xb802c000)
libfipscheck.so.1 => /usr/lib/libfipscheck.so.1 (0xb802a000)
libresolv.so.2 => /lib/libresolv.so.2 (0xb8015000)
libcrypto.so.6 => /lib/libcrypto.so.6 (0xb7ed4000)
libutil.so.1 => /lib/libutil.so.1 (0xb7ed0000)
libz.so.1 => /lib/libz.so.1 (0xb7ebd000)
libnsl.so.1 => /lib/libnsl.so.1 (0xb7ea3000)
libcrypt.so.1 => /lib/libcrypt.so.1 (0xb7e71000)
libgssapi_krb5.so.2 => /usr/lib/libgssapi_krb5.so.2 (0xb7e43000)
libkrb5.so.3 => /usr/lib/libkrb5.so.3 (0xb7dac000)
libk5crypto.so.3 => /usr/lib/libk5crypto.so.3 (0xb7d85000)
libcom_err.so.2 => /lib/libcom_err.so.2 (0xb7d82000)
libnss3.so => /usr/lib/libnss3.so (0xb7c59000)
libc.so.6 => /lib/libc.so.6 (0xb7aff000)
/lib/ld-linux.so.2 (0x009f7000)
libsepol.so.1 => /lib/libsepol.so.1 (0xb7ab9000)
libkrb5support.so.0 => /usr/lib/libkrb5support.so.0 (0xb7ab0000)
libkeyutils.so.1 => /lib/libkeyutils.so.1 (0xb7aad000)
libnssutil3.so => /usr/lib/libnssutil3.so (0xb7a93000)
libplc4.so => /usr/lib/libplc4.so (0xb7a8f000)
libplds4.so => /usr/lib/libplds4.so (0xb7a8b000)
libnspr4.so => /usr/lib/libnspr4.so (0xb7a52000)
libpthread.so.0 => /lib/libpthread.so.0 (0xb7a38000)
A service like sshd, which ldd shows is linked against libwrap.so, counts as one that tcp_wrappers can control.
Method 2
A service that method 1 shows as not linked against libwrap is not necessarily outside tcp_wrappers control.
[root@mail ~]# strings `which portmap` | grep hosts
hosts_access_verbose
hosts_allow_table
hosts_deny_table
/etc/hosts.allow
/etc/hosts.deny
A service like portmap, whose binary contains the strings /etc/hosts.allow and /etc/hosts.deny, also counts as one that tcp_wrappers can control.
In general, a connection that matches a rule in /etc/hosts.allow is allowed, one that matches a rule in /etc/hosts.deny is denied, and when neither file matches, the default is to allow. /etc/hosts.allow is consulted first, so for the same service an allow rule takes precedence over a deny rule.
Enabling tcp_wrappers
Access control examples
Enable telnet and tcp_wrappers
[root@mail ~]# rpm -ivh /test/Server/telnet-server-0.17-39.el5.i386.rpm
warning: /test/Server/telnet-server-0.17-39.el5.i386.rpm: Header V3 DSA signature: NOKEY, key ID 3 7017186
Preparing... ########################################### [100%]
1:telnet-server ########################################### [100%]
[root@mail ~]# chkconfig telnet on
[root@mail ~]# service xinetd restart
Stopping xinetd: [ OK ]
Starting xinetd: [ OK ]
Create a system user for logging in to the system via telnet
[root@mail ~]# useradd fedora
[root@mail ~]# passwd fedora
Changing password for user fedora.
New UNIX password:
BAD PASSWORD: it is based on a dictionary word
Retype new UNIX password:
passwd: all authentication tokens updated successfully.
Access control example 1
Restrict telnet so that the 192.168.128.xxx subnet can connect while all other subnets cannot
[root@mail ~]# cat /etc/hosts.allow
#
# hosts.allow This file describes the names of the hosts which are
# allowed to use the local INET services, as decided
# by the '/usr/sbin/tcpd' server.
#
in.telnetd: 192.168.128.
[root@mail ~]# cat /etc/hosts.deny
#
# hosts.deny This file describes the names of the hosts which are
# *not* allowed to use the local INET services, as decided
# by the '/usr/sbin/tcpd' server.
#
in.telnetd: ALL
Test from the 192.168.128 subnet: login succeeds
Test from the 192.168.1 subnet: the connection is closed immediately
Access control example 2
Log each visitor from the 192.168.1.xxx subnet that connects to telnet
[root@mail ~]# cat /etc/hosts.allow
#
# hosts.allow This file describes the names of the hosts which are
# allowed to use the local INET services, as decided
# by the '/usr/sbin/tcpd' server.
#
in.telnetd: 192.168.1. :spawn echo "somebody entered, `date`" >> /var/log/tcpwrapper.log
[root@mail ~]# cat /etc/hosts.deny
#
# hosts.deny This file describes the names of the hosts which are
# *not* allowed to use the local INET services, as decided
# by the '/usr/sbin/tcpd' server.
#
in.telnetd: ALL
After a visitor from the 192.168.1.xxx subnet connects, the following log entry appears:
[root@mail ~]# cat /var/log/tcpwrapper.log
somebody entered, Sat Mar 9 05:00:42 CST 2019
Access control example 3
Log visitors from the 192.168.1.xxx subnet that connect to telnet (using macros)
The available macros include:
%c: client information (user@host)
%s: service information (server@host)
%h: client hostname
%p: server PID
[root@mail ~]# cat /etc/hosts.allow
#
# hosts.allow This file describes the names of the hosts which are
# allowed to use the local INET services, as decided
# by the '/usr/sbin/tcpd' server.
#
in.telnetd: 192.168.1. :spawn echo "`date`,login attempt from %c to %s." >> /var/log/tcpwrapper.log
[root@mail ~]# cat /etc/hosts.deny
#
# hosts.deny This file describes the names of the hosts which are
# *not* allowed to use the local INET services, as decided
# by the '/usr/sbin/tcpd' server.
#
in.telnetd: ALL
After a visitor from the 192.168.1.xxx subnet connects, the following log entries appear:
[root@mail ~]# cat /var/log/tcpwrapper.log
somebody entered, Sat Mar 9 05:00:42 CST 2019
Sat Mar 9 05:11:22 CST 2019,login attempt from 192.168.1.4 to in.telnetd@192.168.1.11.
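The rule order described earlier (hosts.allow first, hosts.deny second, allow by default) and the spawn macros of example 3, modelled in an added Python example that is not part of the original notes. It assumes a simplified rule syntax (daemon list, dotted-prefix or ALL client list, optional spawn option) and that %c and %h expand to the client address when no ident lookup is available, as in the log line above.

```python
# Added example (not part of the original notes): a minimal simulator of the
# tcp_wrappers decision order for /etc/hosts.allow and /etc/hosts.deny.
# Supported syntax is limited to what the notes use: a daemon list, a client
# list of dotted-prefix patterns ("192.168.128.") or ALL, and an optional
# ":spawn ..." option whose %c/%s/%h/%p macros are expanded (assumption:
# %c and %h expand to the client address, no ident lookup).

HOSTS_ALLOW = """\
# constructed sample: the allow rule from access control example 3
in.telnetd: 192.168.1. :spawn echo "`date`,login attempt from %c to %s." >> /var/log/tcpwrapper.log
"""
HOSTS_DENY = """\
# constructed sample: the deny rule from the same example
in.telnetd: ALL
"""

def parse_rules(text):
    """Return [(daemons, clients, option)] for every non-comment line."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = [f.strip() for f in line.split(":", 2)]  # daemons : clients [: option]
        daemons = [d.strip() for d in fields[0].split(",")]
        clients = [c.strip() for c in fields[1].split(",")]
        option = fields[2] if len(fields) == 3 else None
        rules.append((daemons, clients, option))
    return rules

def matches(patterns, value):
    """ALL matches anything; a pattern ending in '.' is a prefix match; else exact."""
    return any(p == "ALL" or (p.endswith(".") and value.startswith(p)) or p == value
               for p in patterns)

def expand_macros(option, daemon, client, server_host, pid):
    subst = {"%c": client, "%h": client, "%s": f"{daemon}@{server_host}", "%p": str(pid)}
    for macro, value in subst.items():
        option = option.replace(macro, value)
    return option

def check_access(daemon, client, allow_text=HOSTS_ALLOW, deny_text=HOSTS_DENY,
                 server_host="192.168.1.11", pid=4242):
    """Return (allowed, expanded_option): hosts.allow first, then hosts.deny, else allow."""
    for table, verdict in ((allow_text, True), (deny_text, False)):
        for daemons, clients, option in parse_rules(table):
            if matches(daemons, daemon) and matches(clients, client):
                cmd = expand_macros(option, daemon, client, server_host, pid) if option else None
                return verdict, cmd
    return True, None  # no rule matched in either file: tcp_wrappers allows
```

The simulator only builds the expanded spawn command string and never executes it; note that the trailing dot in "192.168.1." is what stops 192.168.128.x from matching the allow rule.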
Keywords: linux, tcp_wrappers, xinetd