For more and better material on this topic see: http://www.ibm.com/developerworks/cn/aix/library/au-tcpwrapper/
I. Purpose and usage
When a host that is not covered by the rules in hosts.allow and hosts.deny logs in to my system over ssh, I want a record of what it did, so that the record can later be consulted for authentication checks; this is where the special features of TCP Wrappers come in. The tcp_wrappers package must be installed first: "yum install tcp_wrappers". With it, two more detailed actions become available:
spawn: runs the shell command that follows it as an extra action; the command may use these variables:
%h: hostname
%a: address
%d: daemon
twist: immediately executes the command that follows it, and the connection is terminated once that command has run.
II. Simple examples
1. Using spawn:
1.1 Configure hosts.allow and hosts.deny by adding the corresponding spawn rule.
Goal: when a host from a network segment that is not allowed logs in to my host, send a mail to the root account whose content has this form:
security notice from host ****
the host **** which is not permitted tried to ssh to you computer
hosts.allow:
#
# hosts.allow   This file contains access rules which are used to
#               allow or deny connections to network services that
#               either use the tcp_wrappers library or that have been
#               started through a tcp_wrappers-enabled xinetd.
#
#               See 'man 5 hosts_options' and 'man 5 hosts_access'
#               for information on rule syntax.
#               See 'man tcpd' for information on tcp_wrappers
#
sshd: 192.168.1.2,192.168.1.1: allow
hosts.deny:
#
# hosts.deny    This file contains access rules which are used to
#               deny connections to network services that either use
#               the tcp_wrappers library or that have been
#               started through a tcp_wrappers-enabled xinetd.
#
#               The rules in this file can also be set up in
#               /etc/hosts.allow with a 'deny' option instead.
#
#               See 'man 5 hosts_options' and 'man 5 hosts_access'
#               for information on rule syntax.
#               See 'man tcpd' for information on tcp_wrappers
#
sshd: ALL :spawn ( echo "security notice from host $(/bin/hostname)"; \
    echo "the host %h which is not permitted tried to ssh to you computer"; echo;) | \
    /bin/mail -s "%d-%h security" root
1.2 From host 192.168.1.12, which is outside the allowed range, try to log in with ssh to this host (192.168.1.11).
The host refuses the login.
1.3 On the host (192.168.1.11), look at the new mail that arrived; its content is as follows:
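Steps 1.1 to 1.3 depend on knowing which rule a given client will hit, and tcpd evaluates hosts.allow before hosts.deny and grants access when neither file matches. The script below is an added example written for this page, not code from the original post or from tcp_wrappers: it is a small offline evaluator for the subset of the rule syntax used above (daemon list, client list of ALL or comma-separated addresses, trailing options), plus the %h/%a/%d expansion that tcpd performs before handing a spawn command to /bin/sh. The two rule files are constructed copies of the post's configuration written to a temporary directory; the hostnames printed are made up. On a real host, the equivalent check is tcpdmatch (for example "tcpdmatch sshd 192.168.1.12"), which ships with tcp_wrappers.

```shell
#!/bin/sh
# Added example, not code from the original post: a minimal offline evaluator
# for the hosts.allow / hosts.deny rule format, to check which rule a client
# would hit before touching a live sshd. It is not tcp_wrappers itself and
# understands only the subset "daemon_list : client_list [: option ...]" with
# ALL, comma-separated addresses and the trailing allow/deny options; other
# options (spawn, twist) are reported, never executed.

# Rules with comments and blank lines stripped.
tw_rules() {
    sed -e 's/#.*//' -e '/^[[:space:]]*$/d' "$1"
}

# Does a comma-separated list (or the wildcard ALL) contain the item in $2?
tw_in_list() {
    _list=$(printf '%s' "$1" | tr -d '[:space:]')
    [ "$_list" = "ALL" ] && return 0
    case ",$_list," in
        *",$2,"*) return 0 ;;
    esac
    return 1
}

# Print the options of the first rule in file $1 that matches daemon $2 and
# client $3. Exit status 1 means no rule matched (tcpd then moves on).
tw_lookup() {
    tw_rules "$1" | {
        while IFS= read -r _line; do
            _daemons=${_line%%:*}
            _rest=${_line#*:}
            _clients=${_rest%%:*}
            case "$_rest" in
                *:*) _opts=${_rest#*:} ;;
                *)   _opts="" ;;
            esac
            if tw_in_list "$_daemons" "$2" && tw_in_list "$_clients" "$3"; then
                printf '%s\n' "$_opts"
                exit 0
            fi
        done
        exit 1
    }
}

# hosts_options(5) lets a rule end in an explicit "allow" or "deny" that
# overrides the file it sits in; otherwise the file decides ($1).
tw_verdict() {
    _last=$(printf '%s' "$2" | sed -e 's/.*://' -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//')
    case "$_last" in
        allow) echo allow ;;
        deny)  echo deny ;;
        *)     echo "$1" ;;
    esac
}

# Evaluation order of hosts_access(5): hosts.allow first, then hosts.deny,
# and access is granted when no rule in either file matches.
# $1 = directory holding both files, $2 = daemon, $3 = client address.
tw_match() {
    if _o=$(tw_lookup "$1/hosts.allow" "$2" "$3"); then
        printf '%s|%s\n' "$(tw_verdict allow "$_o")" "$_o"
    elif _o=$(tw_lookup "$1/hosts.deny" "$2" "$3"); then
        printf '%s|%s\n' "$(tw_verdict deny "$_o")" "$_o"
    else
        printf 'allow|\n'
    fi
}
tw_decide()  { tw_match "$@" | cut -d'|' -f1; }
tw_options() { tw_match "$@" | cut -d'|' -f2- | sed -e 's/^[[:space:]]*//'; }

# Expand the %h (hostname), %a (address) and %d (daemon) placeholders the way
# tcpd does before handing a spawn/twist command to /bin/sh.
tw_expand() {
    printf '%s\n' "$1" | sed -e "s|%h|$2|g" -e "s|%a|$3|g" -e "s|%d|$4|g"
}

# Constructed sample rules mirroring the post's files, written to a temporary
# directory so the script never touches /etc.
TW_DIR=$(mktemp -d)
trap 'rm -rf "$TW_DIR"' EXIT
cat > "$TW_DIR/hosts.allow" <<'EOF'
# only these two addresses may reach sshd
sshd: 192.168.1.2,192.168.1.1: allow
EOF
cat > "$TW_DIR/hosts.deny" <<'EOF'
# everyone else is refused and root is told about it
sshd: ALL : spawn (echo "the host %h (%a) tried to ssh to %d" | /bin/mail -s "%d-%h security" root) &
EOF

# What tcpd would do for two clients (the "pc-" hostnames are made up).
for _c in 192.168.1.2 192.168.1.12; do
    printf 'sshd from %s -> %s %s\n' "$_c" "$(tw_decide "$TW_DIR" sshd "$_c")" \
        "$(tw_expand "$(tw_options "$TW_DIR" sshd "$_c")" "pc-$_c" "$_c" sshd)"
done
printf 'vsftpd from 192.168.1.12 -> %s\n' "$(tw_decide "$TW_DIR" vsftpd 192.168.1.12)"
```

The last line illustrates the default that bites many administrators: a daemon with no rule in either file is allowed, so a hosts.deny entry for sshd alone does nothing for other wrapped services.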
2. Using twist
Append the following setting to the end of the hosts.deny file:
#
# hosts.deny    This file contains access rules which are used to
#               deny connections to network services that either use
#               the tcp_wrappers library or that have been
#               started through a tcp_wrappers-enabled xinetd.
#
#               The rules in this file can also be set up in
#               /etc/hosts.allow with a 'deny' option instead.
#
#               See 'man 5 hosts_options' and 'man 5 hosts_access'
#               for information on rule syntax.
#               See 'man tcpd' for information on tcp_wrappers
#
sshd: ALL :spawn ( echo "security notice from host $(/bin/hostname)"; \
    echo "the host %h which is not permitted tried to ssh to you computer"; echo;) | \
    /bin/mail -s "%d-%h security" root & \
    :twist (/bin/echo "YOU ARE NOT ALLOWED TO ENTER THE COMPUTER")
When logging in with ssh from 192.168.1.12 to 192.168.1.11, YOU ARE NOT ALLOWED TO ENTER THE COMPUTER did not appear. I spent a long time looking into this problem but still have not solved it.
Using just sshd: ALL :twist (/bin/echo "YOU ARE NOT ALLOWED TO ENTER THE COMPUTER") does not work either.
Could an expert explain this?
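An ssh client waits for the server's SSH identification string and only records, at debug level, any other lines that arrive before it, so text written to the socket by a twist command is not shown to the user even though the rule fired and the connection was cut. The place to confirm what tcp_wrappers did is therefore the server's own log. The script below is an added example written for this page, not code from the original post: it scans an auth log for libwrap's "refused connect from NAME (ADDRESS)" lines, which a plain deny produces, and for the line libwrap writes when it runs a twist command (the "twist NAME (ADDRESS) to CMD" wording is assumed from libwrap's source as I recall it, so check it against your own log), and counts them per client address. The log lines are constructed for the example; on a RHEL-style host the real file is /var/log/secure.

```shell
#!/bin/sh
# Added example, not code from the original post: confirm a tcp_wrappers
# refusal on the server rather than on the client. libwrap logs a plain
# refusal as "refused connect from NAME (ADDRESS)"; for a twist rule it logs
# the command it is about to run instead (the "twist NAME (ADDRESS) to CMD"
# wording is assumed from libwrap's source as recalled; check your own log).
# The lines below are constructed; on a RHEL-style host the real file is
# /var/log/secure.

TW_LOG=$(mktemp)
trap 'rm -f "$TW_LOG"' EXIT
cat > "$TW_LOG" <<'EOF'
Mar  3 10:21:07 srv11 sshd[2301]: refused connect from 192.168.1.12 (192.168.1.12)
Mar  3 10:21:09 srv11 sshd[2305]: refused connect from 192.168.1.12 (192.168.1.12)
Mar  3 10:22:41 srv11 sshd[2340]: refused connect from pc7.lab.example (192.168.1.7)
Mar  3 10:23:02 srv11 sshd[2351]: Accepted publickey for alice from 192.168.1.2 port 51022 ssh2
Mar  3 10:25:13 srv11 sshd[2377]: refused connect from 192.168.1.12 (192.168.1.12)
Mar  3 10:30:45 srv11 sshd[2402]: twist 192.168.1.12 (192.168.1.12) to /bin/echo "YOU ARE NOT ALLOWED TO ENTER THE COMPUTER"
EOF

# Client address of every libwrap refusal or twist in log $1, one per line.
# libwrap writes "NAME (ADDRESS)", so the parenthesised address is taken.
tw_refused_addrs() {
    sed -n \
        -e 's/.*refused connect from [^ ]* (\([^)]*\)).*/\1/p' \
        -e 's/.*: twist [^ ]* (\([^)]*\)) to .*/\1/p' "$1"
}

# Refusals per client address, most frequent first, as "count address".
tw_refusals() {
    tw_refused_addrs "$1" | sort | uniq -c | sort -rn | awk '{ print $1, $2 }'
}

# Addresses refused at least $2 times in log $1: a cheap alerting threshold.
tw_repeat_offenders() {
    tw_refusals "$1" | awk -v min="$2" '$1 >= min { print $2 }'
}

tw_refusals "$TW_LOG"
tw_repeat_offenders "$TW_LOG" 3
```

Run against the real log, the first function answers the question the post is asking (did the rule fire at all?), and the threshold function is a starting point for alerting on a client that keeps coming back after being refused.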