A question about TCP_Wrappers: between allow and deny, which one takes precedence?





bigmichael
2003-04-12, 05:20 PM
I read 鳥哥's article:
[root @test /root]# vi /etc/hosts.allow
# First write the entries for the telnet, ftp and sshd services that are to be opened
in.telnetd: 192.168.1.2, 192.168.1.10, 192.168.1.20 : allow
in.ftpd: 192.168.1.2, 192.168.1.10, 192.168.1.20 : allow
sshd: 192.168.1.0/255.255.255.0, xxx.yyy.zzz.qqq : allow
[root @test /root]# vi /etc/hosts.deny
# Close all three of the services above!
in.telnetd: ALL : deny
in.ftpd: ALL : deny
sshd: ALL : deny



My settings are as follows:


[root @test /root]# vi /etc/hosts.allow
sshd: 192.168.1.100/255.255.255.0 : allow

[root @test /root]# vi /etc/hosts.deny
sshd: ALL : deny


Does setting it this way mean
"deny everyone, allow only the specific host (192.168.1.100)"?
But my 192.168.1.100 machine can't get in?
However, if I change hosts.deny to the following, it can get in:

[root @test /root]# vi /etc/hosts.deny
#sshd: ALL : deny


Is there something wrong in my hosts.allow, or does it work on a
precedence principle of
hosts.allow < hosts.deny?



repsol
2003-04-12, 10:20 PM
Check the rules with tcpdmatch.

man tcpdmatch

DESCRIPTION
tcpdmatch predicts how the tcp wrapper would handle a specific
request for service. Examples are given below.

The program examines the tcpd access control tables
(default /etc/hosts.allow and /etc/hosts.deny) and prints
its conclusion. For maximal accuracy, it extracts additional
information from your inetd or tlid network configuration file.

When tcpdmatch finds a match in the access control tables,
it identifies the matched rule. In addition, it displays
the optional shell commands or options in a pretty-printed
format; this makes it easier for you to spot any discrepancies
between what you want and what the program understands.

Usage examples
EXAMPLES
To predict how tcpd would handle a telnet request from the
local system:

tcpdmatch in.telnetd localhost

The same request, pretending that hostname lookup failed:

tcpdmatch in.telnetd 127.0.0.1

To predict what tcpd would do when the client name does
not match the client address:

tcpdmatch in.telnetd paranoid


example: on my own machine

home.repsol.com:repsol/#tcpdmatch sshd 168.95.192.1
warning: sshd: no such process name in /etc/inetd.conf
client: address 168.95.192.1
server: process sshd
matched: /etc/hosts.deny line 4
access: denied

home.repsol.com:repsol/#tcpdmatch sshd 192.168.222.222
warning: sshd: no such process name in /etc/inetd.conf
client: address 192.168.222.222
server: process sshd
matched: /etc/hosts.allow line 10
access: granted


The order in which hosts.allow and hosts.deny are checked:

The access control software consults two files. The search
stops at the first match:

After the first match, checking stops.

Just grasp this principle and you're set... :) :) :)
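To make the first-match rule concrete, here is an added example (not from the post above, and not the tcp_wrappers source itself) that models how tcpd walks /etc/hosts.allow and then /etc/hosts.deny, in the order the man page describes, and reports the matched file and line the way tcpdmatch does. It covers only the subset of hosts_access(5) syntax used in this thread: daemon names, ALL, plain IPv4 addresses, the trailing-dot prefix form, net/mask pairs, and the optional allow/deny keyword; hostname lookups, EXCEPT and shell commands are left out. The sample tables are constructed to mirror the configuration posted in the question. One detail hosts_access(5) documents is worth seeing run: a net/mask pattern matches when the net field equals (address AND mask), and the net field is compared exactly as written, so a host address in the net position (192.168.1.100/255.255.255.0) can never equal a masked address and the rule matches nobody; the same intent written as a network address, or as the bare host address, does match.

```python
import ipaddress

ALLOW_FILE = "/etc/hosts.allow"
DENY_FILE = "/etc/hosts.deny"


def _ip(s):
    """Dotted-quad IPv4 string to integer."""
    return int(ipaddress.IPv4Address(s.strip()))


def client_matches(pattern, addr):
    """Match one client pattern against a dotted-quad client address."""
    pattern = pattern.strip()
    if pattern == "ALL":
        return True
    if "/" in pattern:
        # hosts_access(5) net/mask rule: the client matches if `net' equals
        # (address AND mask). `net' is not masked before the comparison, so a
        # host address in the net field (192.168.1.100/255.255.255.0) never
        # equals a masked address and the rule matches no client at all.
        net, mask = pattern.split("/", 1)
        return (_ip(addr) & _ip(mask)) == _ip(net)
    if pattern.endswith("."):
        # leading-component prefix form, e.g. "192.168.1."
        return addr.startswith(pattern)
    return _ip(addr) == _ip(pattern)


def parse_table(text):
    """Return (lineno, daemons, clients, option) for each rule line."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        fields = [f.strip() for f in line.split(":")]
        if len(fields) < 2:
            continue
        daemons = [d.strip() for d in fields[0].split(",")]
        clients = [c.strip() for c in fields[1].split(",")]
        option = fields[2].lower() if len(fields) > 2 else ""
        rules.append((lineno, daemons, clients, option))
    return rules


def first_match(rules, daemon, addr):
    """First rule whose daemon list and client list both match, or None."""
    for lineno, daemons, clients, option in rules:
        if daemon in daemons or "ALL" in daemons:
            if any(client_matches(c, addr) for c in clients):
                return lineno, option
    return None


def tcpd_decide(daemon, addr, allow_text, deny_text):
    """Model of tcpd's decision: hosts.allow is searched first, then
    hosts.deny; the search stops at the first match; an explicit allow/deny
    keyword on the rule overrides the file's default verdict; if neither
    file matches, access is granted."""
    for path, text, default in ((ALLOW_FILE, allow_text, "granted"),
                                (DENY_FILE, deny_text, "denied")):
        hit = first_match(parse_table(text), daemon, addr)
        if hit is not None:
            lineno, option = hit
            verdict = {"allow": "granted", "deny": "denied"}.get(option, default)
            return verdict, path, lineno
    return "granted", None, None


# Constructed sample tables mirroring the configuration in the question.
POSTED_ALLOW = "sshd: 192.168.1.100/255.255.255.0 : allow\n"
POSTED_DENY = "sshd: ALL : deny\n"
# The same intent written as a network address (a bare host address works too).
FIXED_ALLOW = "sshd: 192.168.1.0/255.255.255.0 : allow\n"

if __name__ == "__main__":
    for allow in (POSTED_ALLOW, FIXED_ALLOW):
        for client in ("192.168.1.100", "10.9.8.7"):
            print(allow.strip(), "| client", client, "->",
                  tcpd_decide("sshd", client, allow, POSTED_DENY))
```

Running it shows the posted hosts.allow line never matching, so every sshd client falls through to "sshd: ALL : deny" in hosts.deny, which is exactly the "can't get in until I comment out hosts.deny" symptom; with the network-address form, 192.168.1.100 is granted on hosts.allow line 1 and everyone else is still denied.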

bigmichael
2003-04-13, 12:39 AM
Thanks for the expert guidance! :corkysm:
I'll give it a try :D