To determine if a client is allowed to connect to a service, TCP Wrappers reference the following two files, which are commonly referred to as hosts access files:
– /etc/hosts.allow
– /etc/hosts.deny
Sequence
When a TCP-wrapped service receives a request:
– First, it references /etc/hosts.allow, parsing its entries sequentially and applying the first rule specified for that service. If it finds a matching rule, it allows the connection; if not, it moves to the next step.
– Next, it references /etc/hosts.deny. The TCP-wrapped service parses the entries in /etc/hosts.deny sequentially; if it finds a matching rule, it denies the connection. If not, it grants access to the service.
Points to Consider
When using TCP Wrappers to protect network services:
– Access rules in hosts.allow are applied first, so they take precedence over rules specified in hosts.deny. Therefore, if a service is allowed in hosts.allow and denied in hosts.deny, the entry in hosts.deny is ignored.
– The rules in each file are read from the top, and only the first matching rule is applied.
– If no rules for the service are found in either file, access to the service is granted.
– If neither hosts.allow nor hosts.deny exists, access to the service is granted.
– TCP-wrapped services do not cache the rules from the hosts access files, so any changes to hosts.allow or hosts.deny take effect immediately, without restarting network services.
Formatting Access Rules
The format of /etc/hosts.allow and /etc/hosts.deny is identical. Each rule must be on its own line. Blank lines and lines that start with a hash (#) are ignored.
Each rule uses the following basic format to control access to network services:
– <daemon list> : <client list> [: <option> : <option> : ...]
– <daemon list>: a comma-separated list of process names (not service names) or the ALL wildcard. The daemon list also accepts operators (refer to the Operator slide) to allow greater flexibility.
– <client list>: a comma-separated list of hostnames, host IP addresses, special patterns, or wildcards which identify the hosts affected by the rule. The client list also accepts the operators listed on the Operator slide to allow greater flexibility.
– <option>: an optional action or colon-separated list of actions performed when the rule is triggered. Option fields support expansions, launch shell commands, allow or deny access, and alter logging behavior.
Wildcards
Wildcards allow TCP Wrappers to match groups of daemons or hosts more easily:
– ALL matches everything; it can be used in both the daemon list and the client list.
– LOCAL matches any host whose name doesn't contain a period (.), such as localhost.
– KNOWN, UNKNOWN and PARANOID are rarely used and rely on DNS (KNOWN matches a known host or user).
Example of Entries in hosts.allow
– ALL : 192.168.128.0/255.255.254.0
Allows access to all daemons for requests coming from the network 192.168.128.0/23.
– ALL : ALL
Allows access to all daemons for requests coming from anywhere.
– sshd : 172.18.
Allows access to the sshd process for requests coming from IP addresses that start with 172.18.
– ALL : .test.com
Allows access to all daemons from hosts whose fully qualified domain name ends with .test.com.
Tips: To get the IP address of a specific PC on Linux, you can use the command "ifconfig". On later versions such as CentOS 7, ifconfig is not available by default, so use the command "ip addr" instead.
To get the IP address of a specific PC on Windows, you can use the command "ipconfig".
What if you need to allow specific access to your server for an Internet user? Then you need to know their public IP address. Someone who needs to know their public (real) IP address can simply open this link: http://www.myip.services
Referring to a file
If we want to permit many IP addresses or names, instead of writing them all in the rule we can reference a file. The filename must start with a / so that TCP Wrappers can recognise it as a file and look for the entries inside that file:
– in.telnetd : /etc/telnet/hosts
It is more secure to use IP addresses than DNS names.
Operator
Access control rules accept one operator, EXCEPT, which excludes specific matches from a broader match:
– ALL : .test.com EXCEPT abc.test.com
This matches all computers whose fully qualified domain name ends with .test.com, except the PC abc.test.com.
– ALL EXCEPT vsftpd : 192.168.0.
If this entry is in hosts.allow, it allows PCs whose IP address starts with 192.168.0. to access all daemons except the vsftpd daemon.
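The decision sequence, the wildcards, the entry patterns and the EXCEPT operator described above can be exercised with the following added Python example. It is not part of the original page: the rule files are constructed from the entries shown earlier, and the connecting client is represented as a (hostname, IP) pair that a real TCP Wrappers implementation would obtain from its own lookups.

```python
import ipaddress

# Constructed sample hosts access files, built from the entry examples above.
HOSTS_ALLOW = """\
ALL : 192.168.128.0/255.255.254.0
sshd : 172.18.
ALL : .test.com EXCEPT abc.test.com
ALL EXCEPT vsftpd : 192.168.0.
"""
HOSTS_DENY = "ALL : ALL\n"  # deny whatever hosts.allow did not grant

def split_list(field):  # 'a, b EXCEPT c' -> (['a', 'b'], ['c'])
    head, _, tail = field.partition("EXCEPT")
    return head.replace(",", " ").split(), tail.replace(",", " ").split()

def parse_rules(text):
    """Parse '<daemon list> : <client list> [: option ...]'; blanks and # lines are skipped."""
    rules = []
    for line in map(str.strip, text.splitlines()):
        if line and not line.startswith("#"):
            daemons, clients = line.split(":", 2)[:2]
            rules.append((split_list(daemons), split_list(clients)))
    return rules

def client_matches(pattern, host, ip):
    """Wildcards and patterns from the text: ALL, LOCAL, net/mask, '.domain', 'prefix.'."""
    if pattern == "ALL":
        return True
    if pattern == "LOCAL":  # a name with no dot, such as localhost
        return "." not in host
    if "/" in pattern:  # network/netmask, e.g. 192.168.128.0/255.255.254.0
        net, mask = pattern.split("/", 1)
        return ipaddress.ip_address(ip) in ipaddress.ip_network(f"{net}/{mask}", strict=False)
    if pattern.startswith("."):  # domain suffix, e.g. .test.com
        return host.endswith(pattern)
    if pattern.endswith("."):  # address prefix, e.g. 172.18.
        return ip.startswith(pattern)
    return pattern in (host, ip)  # exact hostname or address

def check_access(daemon, host, ip, allow_text=HOSTS_ALLOW, deny_text=HOSTS_DENY):
    """Sequence: first hosts.allow match grants, then first hosts.deny match denies, else grant."""
    def hit(items_excepts, match):  # a list matches if an item matches and no EXCEPT item does
        items, excepts = items_excepts
        return any(map(match, items)) and not any(map(match, excepts))
    for text, verdict in ((allow_text, True), (deny_text, False)):
        for daemons, clients in parse_rules(text):
            if hit(daemons, lambda p: p in ("ALL", daemon)) and hit(clients, lambda p: client_matches(p, host, ip)):
                return verdict
    return True
```

Calling check_access("vsftpd", "ftp.example.org", "192.168.0.7") returns False because the EXCEPT clause keeps the last allow rule from matching and hosts.deny then catches the request, while the same client asking for httpd is granted.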
Portmap and TCP Wrappers
Portmap's implementation of TCP Wrappers doesn't support host look-ups, which means portmap cannot use hostnames to identify hosts. Consequently, access control rules for portmap in hosts.allow or hosts.deny must use IP addresses or the keyword ALL.
Changes to portmap access control rules may not take effect immediately. You may need to restart the portmap service.
I hope this was helpful, and I would like to thank you for reading