tcp_wrappers && l7iptables

tcp_wrappers

tcp_wrappers is a security mechanism in Linux: under certain conditions it restricts, to some degree, access to a given service and thereby protects the system. Below is a brief introduction to tcp_wrappers.

  《一》: First, check whether a service is managed by tcp_wrappers

  ldd $(which sshd) | grep libwrap

  If the output shows a link to libwrap, the service is subject to tcp_wrappers.

  《二》: Files related to tcp_wrappers

  /etc/hosts.allow

  /etc/hosts.deny

  《三》: How it works

  (1): When a request from a remote host arrives at this machine,

  /etc/hosts.allow is checked first. If a match is found there, access is allowed

  and /etc/hosts.deny is skipped.

  (2): If there is no match in /etc/hosts.allow, /etc/hosts.deny is checked.

  If a match is found in /etc/hosts.deny,

  the access is denied.

  (3): If neither file contains a match,

  access is allowed by default.

  《四》: Format of the two files

  service list : address list : option

  A. Service list: multiple services are separated by commas.

  B. Address list:

  (1): Plain IP addresses, e.g. 192.168.0.254,192.168.0.56; more than one are separated by commas.

  (2): Host names, e.g. www.baidu.com;

  .example.com matches the whole domain.

  (3): Network/netmask: 192.168.0.0/255.255.255.0 specifies the whole subnet.

  (4): Network (netgroup) name, e.g. @mynetwork

  C. Option:

  mainly the two options allow and deny.

  D. Other special patterns

  ALL : all hosts

  LOCAL : the local host

  KNOWN : hosts whose name can be resolved

  UNKNOWN : hosts whose name cannot be resolved

  PARANOID : hosts whose name does not match their address

  《五》: Extended options:

  spawn : run a command

  vsftpd : spawn echo "login attempt from %c to %s" | mail -s warning root

  twist : terminate the connection by running a command in place of the service:

  vsftpd : twist echo "login attempt from %c to %s" | mail -s warning root

  《六》: An example

  Put the following in /etc/hosts.allow:

  vsftpd: 192.168.0.

  in.telnetd, portmap: 192.168.0.8

  Put the following in /etc/hosts.deny:

  ALL: .cracker.org EXCEPT trusted.cracker.org

  vsftpd, portmap: ALL

  sshd: 192.168.0. EXCEPT 192.168.0.4
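The allow/deny/default order from section three and the file format from sections four and six, as an added example that is not part of the original post: a small Python evaluator that applies the two sample files above to a connecting client. It assumes "protmap" in the example means the portmap daemon, and that the host argument is the already-resolved reverse-DNS name (empty when the address does not resolve).

```python
import ipaddress

# Constructed sample files: the example from section six above ("protmap" read as portmap).
HOSTS_ALLOW = """
vsftpd: 192.168.0.
in.telnetd, portmap: 192.168.0.8
"""
HOSTS_DENY = """
ALL: .cracker.org EXCEPT trusted.cracker.org
vsftpd, portmap: ALL
sshd: 192.168.0. EXCEPT 192.168.0.4
"""

def _client_token(tok, ip, host):
    """Match one client pattern against the peer IP and its (possibly empty) resolved name."""
    if tok == "ALL":
        return True
    if tok == "LOCAL":                  # a name without a dot
        return host != "" and "." not in host
    if tok in ("KNOWN", "UNKNOWN"):     # name resolved / not resolved
        return (host != "") == (tok == "KNOWN")
    if tok == "PARANOID":               # needs a forward/reverse DNS check; not modelled here
        return False
    if tok.endswith("."):               # "192.168.0." = address prefix
        return ip.startswith(tok)
    if tok.startswith("."):             # ".cracker.org" = domain suffix
        return host.lower().endswith(tok.lower())
    if "/" in tok:                      # "192.168.0.0/255.255.255.0" = net/mask
        return ipaddress.ip_address(ip) in ipaddress.ip_network(tok, strict=False)
    return tok == ip or tok.lower() == host.lower()

def _match_list(expr, pred):
    """'A EXCEPT B' matches when A matches and B does not (B may itself contain EXCEPT)."""
    head, _, rest = expr.partition(" EXCEPT ")
    hit = any(pred(t.strip()) for t in head.split(","))
    return hit and not (rest and _match_list(rest, pred))

def check_access(daemon, ip, host="", hosts_allow=HOSTS_ALLOW, hosts_deny=HOSTS_DENY):
    """Return 'allow' or 'deny': hosts.allow first, then hosts.deny, then allow by default."""
    for verdict, text in (("allow", hosts_allow), ("deny", hosts_deny)):
        for line in text.splitlines():
            line = line.split("#", 1)[0].strip()
            if ":" not in line:
                continue
            daemons, clients, *option = (p.strip() for p in line.split(":", 2))
            if (_match_list(daemons, lambda t: t in ("ALL", daemon))
                    and _match_list(clients, lambda t: _client_token(t, ip, host))):
                keyword = option[0].split()[0].lower() if option and option[0] else ""
                return keyword if keyword in ("allow", "deny") else verdict  # explicit option wins
    return "allow"
```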

l7-filter

L7-filter is a classifier for Linux's Netfilter that identifies packets based on
application layer data. It can classify packets as Kazaa, HTTP, Jabber, Citrix,
Bittorrent, FTP, Gnucleus, eDonkey2000, etc., regardless of port. It complements
existing classifiers that match on IP address, port numbers and so on.

http://l7-filter.sourceforge.net
You need:

  The 2.4 or 2.6 Linux kernel source (2.6 strongly preferred) from kernel.org
  The iptables source from netfilter.org
  "l7-filter kernel version" package (netfilter-layer7-X.Y.tar.gz)
  "Protocol definitions" package (l7-protocols-YYYY-MM-DD.tar.gz)
Use the appropriate kernel patch from the "Layer 7 patches" package to patch the kernel.
Please read the README in the package to determine which patch to use.

  # tar zxvf linux-2.6.28.10.tar.gz -C /usr/src
  # tar zxvf netfilter-layer7-v2.22.tar.gz -C /usr/src
  # ln -s /usr/src/linux-2.6.28.10/ /usr/src/linux
  # cd /usr/src/linux/
  # patch -p1 < ../netfilter-layer7-v2.22/kernel-2.6.25-2.6.28-layer7-2.22.patch

Before you configure the kernel, make sure the development tools (gcc compilers and
related tools) are installed on your system.

  # cp /boot/config-2.6.18-164.el5 /usr/src/linux/.config
  # make menuconfig
  
  Networking support → Networking Options → Network packet filtering framework → Core
  Netfilter Configuration

    <M> Netfilter connection tracking support
    <M> "layer7" match support
    <M> "string" match support
    <M> "time" match support
    <M> "iprange" match support
    <M> "connlimit" match support
    <M> "state" match support
    <M> "conntrack" connection match support
    <M> "mac" address match support
    <M> "multiport" Multiple port match support

  Networking support → Networking Options → Network packet filtering framework → IP:
  Netfilter Configuration

    <M> IPv4 connection tracking support (required for NAT)
    <M> Full NAT
    <M>   MASQUERADE target support
    <M>   NETMAP target support
    <M>   REDIRECT target support
Start compiling and installing:

  # make
  # make modules_install
  # make install

Edit /boot/grub/grub.conf and set the default boot kernel to the new kernel, then restart.

Then replace the distribution's iptables with one built against the patched kernel source:

  # cp /etc/rc.d/init.d/iptables ~/iptables
  # rpm -e iptables-ipv6 iptables iptstate --nodeps
  # tar jxvf iptables-1.4.6.tar.bz2 -C /usr/src
  # cd /usr/src/iptables-1.4.6
  # cp ../netfilter-layer7-v2.22/iptables-1.4.3forward-for-kernel-2.6.20forward/libxt_layer7.* ./extensions/
  # ./configure --prefix=/usr --with-ksource=/usr/src/linux
  # make && make install
  # tar zxvf l7-protocols-2009-05-28.tar.gz
  # cd l7-protocols-2009-05-28
  # make install
  # mv ~/iptables /etc/rc.d/init.d/
  # service iptables start
l7-filter uses the standard iptables extension syntax:

  iptables [specify table & chain] -m layer7 --l7proto [protocol name] -j [action]

Some protocol names from the protocol definitions package:

  bittorrent        P2P filesharing / publishing tool
  edonkey           eDonkey2000 - P2P filesharing
  kugoo             KuGoo - a Chinese P2P program
  msn-filetransfer  MSN (Microsoft Network) Messenger file transfers
  msnmessenger      Microsoft Network chat client
  pplive            Chinese P2P streaming video
  qq
  xunlei

connlimit
      
  [!] --connlimit-above n
      Allows you to restrict the number of parallel connections to a server per client IP
      address (or client address block).

  Example:

  iptables -A INPUT -p tcp --syn --dport 22 -m connlimit --connlimit-above 2 -j REJECT

  Allow 2 ssh connections per client host

string
    
  This module matches a given string by using some pattern matching strategy.
  It requires a Linux kernel >= 2.6.14.

  [!] --string pattern
      Matches the given pattern.

  --algo {bm|kmp}
      Select the pattern matching strategy. (bm = Boyer-Moore, kmp = Knuth-Morris-Pratt)

  Examples:

  iptables -A OUTPUT -p udp --dport 53 -m string --string "verycd" --algo bm -j DROP
  iptables -A OUTPUT -p tcp --dport 80 -m string --string "***" --algo kmp -j DROP

time
    
  This matches if the packet arrival time/date is within a given range.

  --datestart YYYY[-MM[-DD[Thh[:mm[:ss]]]]]
  --datestop  YYYY[-MM[-DD[Thh[:mm[:ss]]]]]
      Only match during the given time. The possible time range is 1970-01-01T00:00:00
      to 2038-01-19T04:17:07.

  --timestart hh:mm[:ss]
  --timestop  hh:mm[:ss]
      The possible time range is 00:00:00 to 23:59:59. Leading zeroes are allowed.

  [!] --monthdays day[,day...]
      Only match on the given days of the month. Possible values are 1 to 31.

  [!] --weekdays day[,day...]
      Only match on the given weekdays. Possible values are Mon, Tue, Wed, Thu, Fri, Sat,
      Sun, or values from 1 to 7, respectively.

  Examples:

  -m time --weekdays Sa,Su
  -m time --timestart 12:30 --timestop 13:30

-j LOG

  --log-level level
      Level of logging.

  --log-prefix prefix
      Prefix log messages with the specified prefix; up to 29 letters long, and
      useful for distinguishing messages in the logs.

  --log-tcp-options
      Log options from the TCP packet header.

  --log-ip-options
      Log options from the IP packet header.