官术网_书友最值得收藏!

首頁 >

Oracle 11g Anti-hacker's Cookbook

Using TCP wrappers to allow and deny remote connections

By using TCP wrappers you can control the accepting or denying of incoming connections from specified servers and networks. You may use this capability to protect your network in conjunction with a firewall. In the following recipe, we will allow connections opened through ssh only from the nodeorcl5 host and deny from all others by using TCP wrappers.

Getting ready

All steps will be performed on nodeorcl1 as root.

How to do it...

TCP wrappers at host level are controlled by two files located in the /etc directory called hosts.allow and hosts.deny.

  1. First we will start to deny all incoming connections from all hosts using all services by adding the following line into /etc/hosts.deny: 
    # hosts.deny This file describes the names of the hosts which are
# *not* allowed to use the local INET services, as decided
# by the '/usr/sbin/tcpd' server.
#
# The portmap line is redundant, but it is left to remind you that
# the new secure portmap uses hosts.deny and hosts.allow. In particular
# you should know that NFS uses portmap!
ALL:ALL
................................................................
  2. In this moment if we try to establish a connection from nodeorcl5 it will be denied: 
    [oraclient@nodeorcl5 ~]$ ssh -l oracle nodeorcl1
ssh_exchange_identification: Connection closed by remote host

[oraclient@nodeorcl5 .ssh]$ ssh -l oracle nodeorcl1
oracle@nodeorcl1's password:
Last login: Sun Aug 12 19:47:21 2012 from nodeorcl5
[oracle@nodeorcl1 ~]$
  3. To allow incoming connections only with ssh include the following in /etc/hosts.allow: 
    #
#
# hosts.allow This file describes the names of the hosts which are
# allowed to use the local INET services, as decided
# by the '/usr/sbin/tcpd' server.
#
sshd: nodeorcl5
……………………………………………………………………………………

How it works...

All changes to hosts.deny and hosts.allow takes immediately in effect; hosts.allow has precedence over the hosts.deny file.

The format for rules is composed by a service or daemon, and host name or IP address. In our examples, we denied all services from all hosts and allowed only ssh connections from nodeorcl5.

There is more...

You can set rules for an entire network as follows:

Sshd :10.241.132.0/225.255.255.0

Exceptions can be set by using the EXCEPT clause:

Sshd : ALL EXCEPT 10.241.132.122
主站蜘蛛池模板: 兴国县| 禄劝| 通州市| 德惠市| 栾川县| 泰安市| 建瓯市| 张家港市| 临漳县| 田东县| 柘城县| 右玉县| 遵义县| 长宁县| 闻喜县| 内乡县| 循化| 工布江达县| 合江县| 页游| 蓝田县| 定兴县| 偃师市| 永登县| 晴隆县| 读书| 禹城市| 顺义区| 兴隆县| 绥化市| 沅江市| 玛曲县| 邢台县| 庄河市| 灌云县| 阿拉善右旗| 珠海市| 西畴县| 文登市| 博罗县| 遂川县|