How to Secure Network Services Using TCP Wrappers in Linux


In this article we will explain what TCP wrappers are and how to configure them so that they complement your firewall configuration.

In this regard, you can think of this tool as a last line of defense for your system. By using a firewall and TCP wrappers together, instead of favoring one over the other, you make sure your server is not left with a single point of failure.

Understanding hosts.allow and hosts.deny

When a network request reaches your server, TCP wrappers consult hosts.allow and hosts.deny (in that order) to decide whether the client should be allowed to use the requested service.

By default, these files are empty, fully commented out, or do not exist at all. In that case everything is allowed through the TCP wrappers layer and your system is left to rely on the firewall alone for protection. Since this is not what we want, for the reason explained in the introduction, make sure both files exist:

# ls -l /etc/hosts.allow /etc/hosts.deny

The syntax of both files is the same:

<services> : <clients> [: <option1> : <option2> : ...]

where:

  1. services is a comma-separated list of the services the current rule applies to.
  2. clients is a comma-separated list of hostnames or IP addresses affected by the rule. The following wildcards are accepted:
    1. ALL matches everything. It applies to both clients and services.
    2. LOCAL matches hosts without a period in their FQDN, such as localhost.
    3. KNOWN indicates a situation where the hostname, host address, or user is known.
    4. UNKNOWN is the opposite of KNOWN.
    5. PARANOID causes the connection to be dropped when the reverse DNS lookups (first on the IP address to determine the hostname, then on the hostname to obtain the IP addresses) return a different address in each case.

Keep in mind that a rule allowing access to a given service in /etc/hosts.allow takes precedence over a rule in /etc/hosts.deny prohibiting it. In addition, if two rules apply to the same service, only the first one is taken into account.

Unfortunately, not all network services support the use of TCP wrappers. To determine whether a given service supports them, run:

# ldd /path/to/binary | grep libwrap

If the above command returns output, the service can be TCP wrapped. Two examples are sshd and vsftpd, as shown here:

How to Use TCP Wrappers to Restrict Access to Services

While editing /etc/hosts.allow and /etc/hosts.deny, make sure you add a newline by pressing Enter after the last line.

To allow SSH and FTP access only to 192.168.0.102 and localhost, and deny all others, add the following two lines to /etc/hosts.deny:

sshd,vsftpd : ALL
ALL : ALL

and the following line to /etc/hosts.allow:

sshd,vsftpd : 192.168.0.102,LOCAL

#
# hosts.deny	This file contains access rules which are used to
#		deny connections to network services that either use
#		the tcp_wrappers library or that have been
#		started through a tcp_wrappers-enabled xinetd.
#
#		The rules in this file can also be set up in
#		/etc/hosts.allow with a 'deny' option instead.
#
#		See 'man 5 hosts_options' and 'man 5 hosts_access'
#		for information on rule syntax.
#		See 'man tcpd' for information on tcp_wrappers
#
sshd,vsftpd : ALL
ALL : ALL

#
# hosts.allow	This file contains access rules which are used to
#		allow or deny connections to network services that
#		either use the tcp_wrappers library or that have been
#		started through a tcp_wrappers-enabled xinetd.
#
#		See 'man 5 hosts_options' and 'man 5 hosts_access'
#		for information on rule syntax.
#		See 'man tcpd' for information on tcp_wrappers
#
sshd,vsftpd : 192.168.0.102,LOCAL

These changes take effect immediately, without the need for a restart.

In the following image you can see the effect of removing the word LOCAL from the last line: the FTP server becomes unavailable to localhost. Once we add the wildcard back, the service becomes available again.

To allow all services to hosts whose name contains example.com, add this line to hosts.allow:

ALL : .example.com

and to deny access to vsftpd from machines on 10.0.1.0/24, add this line to hosts.deny:

vsftpd : 10.0.1.

In the last two examples, notice the dot at the beginning and at the end of the client list. A leading dot matches ALL hosts whose name ends with that string, and a trailing dot matches ALL clients whose IP address starts with it.
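To make the decision order concrete (hosts.allow is checked first and a match grants access; hosts.deny is checked next and a match refuses it; the first matching rule in a file wins; nothing matching means access is granted), here is an added Python model of that logic. It is not code from this article or from the tcp_wrappers library, and it implements only the patterns discussed above: ALL, LOCAL, a leading-dot domain suffix, a trailing-dot address prefix, and literal names or addresses. KNOWN, UNKNOWN, PARANOID and the option fields are left out because they need DNS lookups or shell actions. The two file contents are constructed samples assembled from the article's example rules.

```python
"""Added model of the TCP wrappers access decision (hosts.allow, then hosts.deny).

Not the tcp_wrappers library: it implements only the patterns discussed in the
article (ALL, LOCAL, a leading-dot domain suffix, a trailing-dot address prefix
and literal names/addresses). KNOWN, UNKNOWN, PARANOID and the option fields are
left out because they need DNS lookups or shell actions.
"""

# Constructed sample files built from the article's example rules.
HOSTS_ALLOW = """\
# hosts.allow (constructed sample)
sshd,vsftpd : 192.168.0.102,LOCAL
ALL : .example.com
"""

HOSTS_DENY = """\
# hosts.deny (constructed sample)
vsftpd : 10.0.1.
sshd,vsftpd : ALL
ALL : ALL
"""


def parse_rules(text):
    """Turn '<services> : <clients> [: options]' lines into (services, clients, line).

    Blank lines and comments are skipped; lines without a client list are ignored.
    Fields are split on ':', so IPv6 literals are not handled by this model.
    """
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = [f.strip() for f in line.split(":")]
        if len(fields) < 2 or not fields[1]:
            continue
        services = [s for s in (x.strip() for x in fields[0].split(",")) if s]
        clients = [c for c in (x.strip() for x in fields[1].split(",")) if c]
        rules.append((services, clients, line))
    return rules


def client_matches(pattern, hostname, address):
    """Match one client pattern against the client's hostname and IP address."""
    if pattern == "ALL":                  # wildcard: every client
        return True
    if pattern == "LOCAL":                # hostname without a dot, e.g. localhost
        return "." not in hostname
    if pattern.startswith("."):           # '.example.com' matches hosts in that domain
        return hostname.endswith(pattern)
    if pattern.endswith("."):             # '10.0.1.' matches addresses with that prefix
        return address.startswith(pattern)
    return pattern in (hostname, address)  # literal name or address


def service_matches(pattern, service):
    return pattern == "ALL" or pattern == service


def first_match(rules, service, hostname, address):
    """Return the text of the first rule matching both service and client, else None."""
    for services, clients, line in rules:
        if any(service_matches(s, service) for s in services) and any(
            client_matches(c, hostname, address) for c in clients
        ):
            return line
    return None


def decide(service, hostname, address, allow_text=HOSTS_ALLOW, deny_text=HOSTS_DENY):
    """hosts.allow is consulted first and a match grants access; hosts.deny is
    consulted next and a match refuses it; with no match at all, access is granted.
    Returns (allowed, matched_rule_or_None)."""
    rule = first_match(parse_rules(allow_text), service, hostname, address)
    if rule is not None:
        return True, rule
    rule = first_match(parse_rules(deny_text), service, hostname, address)
    if rule is not None:
        return False, rule
    return True, None


def access_allowed(service, hostname, address, allow_text=HOSTS_ALLOW, deny_text=HOSTS_DENY):
    return decide(service, hostname, address, allow_text, deny_text)[0]


if __name__ == "__main__":
    cases = [
        ("sshd", "localhost", "127.0.0.1"),          # LOCAL -> allowed
        ("sshd", "pc.lan", "192.168.0.102"),         # listed address -> allowed
        ("sshd", "pc.lan", "192.168.0.50"),          # caught by 'sshd,vsftpd : ALL' -> denied
        ("vsftpd", "box.example.com", "10.0.1.9"),   # allow rule beats the deny rule
        ("vsftpd", "box.lan", "10.0.1.9"),           # trailing-dot prefix -> denied
        ("httpd", "box.lan", "10.0.1.9"),            # 'ALL : ALL' -> denied
    ]
    for service, host, addr in cases:
        allowed, rule = decide(service, host, addr)
        verdict = "allow" if allowed else "deny"
        print(f"{service:7} {host:16} {addr:14} -> {verdict:5} ({rule})")
```

The vsftpd request from box.example.com at 10.0.1.9 is the case worth studying: the deny file would refuse it twice over (the 10.0.1. prefix rule and the catch-all), yet the `.example.com` entry in hosts.allow is consulted first and grants access, which is exactly the precedence described above. Swap the two vsftpd lines in the deny file and the reported matched rule changes, while the verdict does not, showing that only the first applicable rule in a file is considered.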

Did this article help you? Do you have questions or comments? Feel free to drop us a note using the comment form below.