Implementation of TCPWrappers access control in Centos

1. TCP Wrappers Overview

TCP Wrappers "wraps" the TCP service program and listens to the port of the TCP service program on its behalf, adding a security detection process. External connection requests must first pass this layer of security detection and obtain permission before accessing the real service program. As shown in the figure below, TCP Wrappers can also record all attempts to access the protected service, providing administrators with rich security analysis information.

2. Access strategy of TCP Wrappers

The TCP Wrappers mechanism protects various network service programs and performs access control on the client addresses that access the services. The two corresponding policy files are /etc/hosts.allow and /etc/hosts.deny, which are used to set the allow and deny policies respectively.

1. Policy configuration format

The two policy files have opposite functions, but the format of the configuration records is the same, as follows:
<Service program list>: <Client address list>

The service program list and the client address list are separated by a colon, and multiple items within each list are separated by commas.

1) Service program list

  • ALL: represents all services;
  • Single service program: such as "vsftpd";
  • A list of multiple service programs: such as "vsftpd,sshd";

2) Client address list

  • ALL: represents any client address;
  • LOCAL: represents the local address;
  • Single IP address: such as "192.168.10.1";
  • Network segment address: such as "192.168.10.0/255.255.255.0";
  • Domain names starting with ".": For example, ".benet.com" matches all hosts in the benet.com domain;
  • A network address ending with a dot: For example, "192.168.10." matches the entire 192.168.10.0/24 network segment.
  • Embedded wildcards "*" and "?": The former represents characters of any length, while the latter represents exactly one character. For example, "192.168.10.1*" matches all IP addresses starting with 192.168.10.1. Wildcards cannot be mixed with patterns that start or end with ".";
  • A list of multiple client addresses: such as "192.168.1., 172.16.16., .benet.com";

2. Basic principles of access control

Regarding the access policy of the TCP Wrappers mechanism, the following order and principles are followed when applying it: first check the /etc/hosts.allow file. If a matching policy is found, access is allowed. Otherwise, continue to check the /etc/hosts.deny file. If a matching policy is found, access is denied. If no matching policy is found in the above two files, access is allowed.

3. TCP Wrappers Configuration Example

When the TCP Wrappers mechanism is actually used, a looser policy may be "allow all, deny some", and a stricter policy may be "allow some, deny all". The former only needs the corresponding deny policies added to the hosts.deny file; the latter, in addition to adding the allow policies to hosts.allow, also needs the deny policy "ALL:ALL" set in the hosts.deny file.

Here is an example:

Suppose you want the sshd service to be accessible only from the host with IP address 192.168.10.1 or from hosts in the 172.16.16.0/24 network segment, with all other addresses rejected. You can do the following:

[root@centos01 ~]# vim /etc/hosts.allow 
sshd:192.168.10.1 172.16.16.*
[root@centos01 ~]# vim /etc/hosts.deny 
sshd:ALL
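To make the evaluation order from the "Basic principles of access control" section and the client address patterns concrete, here is a small simulator added for this article; it is not part of the original article and not the libwrap code that CentOS actually runs. It parses hosts.allow/hosts.deny text in the format described above, implements each kind of client pattern from the client address list, and applies the allow-then-deny-then-default-allow order. The sample file contents are constructed to mirror the sshd example above, and all function names are my own.

```python
"""Simulator for TCP Wrappers hosts.allow / hosts.deny matching (added example)."""
import ipaddress

# Constructed sample policy files mirroring the article's sshd example.
HOSTS_ALLOW = """
# hosts.allow (constructed sample)
sshd: 192.168.10.1 172.16.16.*
"""

HOSTS_DENY = """
# hosts.deny (constructed sample)
sshd: ALL
"""


def _split_list(text):
    """List items may be separated by commas and/or blanks (hosts_access(5))."""
    return text.replace(",", " ").split()


def parse_rules(text):
    """Turn hosts.allow/hosts.deny text into (service_list, client_list) pairs.
    Comment and blank lines are skipped."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        services, _, clients = line.partition(":")
        rules.append((_split_list(services), _split_list(clients)))
    return rules


def _wildcard_match(pattern, text):
    """'*' matches any run of characters, '?' matches exactly one character."""
    if not pattern:
        return text == ""
    if pattern[0] == "*":
        return any(_wildcard_match(pattern[1:], text[i:]) for i in range(len(text) + 1))
    if text and pattern[0] in ("?", text[0]):
        return _wildcard_match(pattern[1:], text[1:])
    return False


def client_matches(pattern, ip, hostname=None):
    """Does one client-list pattern match the connecting client?"""
    if pattern == "ALL":
        return True
    if pattern == "LOCAL":
        # hosts_access(5): LOCAL matches a host name that contains no dot
        return hostname is not None and "." not in hostname
    if pattern.startswith("."):
        # leading dot: domain suffix match, e.g. ".benet.com"
        return hostname is not None and hostname.endswith(pattern)
    if pattern.endswith("."):
        # trailing dot: network prefix match, e.g. "192.168.10."
        return ip.startswith(pattern)
    if "/" in pattern:
        # net/mask form, e.g. "192.168.10.0/255.255.255.0"
        return ipaddress.ip_address(ip) in ipaddress.ip_network(pattern, strict=False)
    if "*" in pattern or "?" in pattern:
        return _wildcard_match(pattern, ip) or (
            hostname is not None and _wildcard_match(pattern, hostname))
    return pattern == ip or (hostname is not None and pattern == hostname)


def rule_matches(rule, service, ip, hostname=None):
    """A rule applies when both its service list and its client list match."""
    services, clients = rule
    service_ok = any(p in ("ALL", service) for p in services)
    return service_ok and any(client_matches(p, ip, hostname) for p in clients)


def access_decision(service, ip, hostname=None,
                    allow_text=HOSTS_ALLOW, deny_text=HOSTS_DENY):
    """TCP Wrappers evaluation order:
    1. a matching rule in hosts.allow grants access;
    2. otherwise a matching rule in hosts.deny denies it;
    3. otherwise (no match in either file) access is granted."""
    for rule in parse_rules(allow_text):
        if rule_matches(rule, service, ip, hostname):
            return "ALLOW"
    for rule in parse_rules(deny_text):
        if rule_matches(rule, service, ip, hostname):
            return "DENY"
    return "ALLOW"


if __name__ == "__main__":
    for svc, ip in [("sshd", "192.168.10.1"), ("sshd", "172.16.16.20"),
                    ("sshd", "10.0.0.7"), ("vsftpd", "10.0.0.7")]:
        print(f"{svc:7} from {ip:15} -> {access_decision(svc, ip)}")
```

Running it shows sshd allowed from 192.168.10.1 and 172.16.16.20 and denied from 10.0.0.7, but vsftpd from 10.0.0.7 still allowed: the "sshd: ALL" deny line names only sshd, and an unmatched request falls through to the default of allowing access. That is exactly why the strict "allow some, deny all" policy needs "ALL: ALL" in hosts.deny rather than a per-service deny. On a real CentOS host, tcpdmatch from the tcp_wrappers package (for example `tcpdmatch sshd 172.16.16.20`) gives the authoritative answer for a service/client pair, and only services linked against libwrap or started through xinetd consult these files at all.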
