Implementing a simple IP whitelist policy on Linux
How /etc/hosts.allow and /etc/hosts.deny are evaluated
- /etc/hosts.allow is read from top to bottom:
  - if the daemon-client pair matches the first line of the file, access is granted;
  - if that line does not match, the next line is read and the same check is performed;
  - if all lines have been read without a match, /etc/hosts.deny is read from the top;
- /etc/hosts.deny is read from top to bottom:
  - if a match for the daemon-client pair is found in hosts.deny, access is denied;
- if no rule for the daemon-client pair is found in either file, or if neither file exists, access to the service is granted.
Whitelist configuration policy
Given this evaluation order, one workable policy is to list the whitelisted IP addresses (comma separated) in hosts.allow and to deny every address (ALL) in hosts.deny:
# /etc/hosts.allow: list of hosts that are allowed to access the system.
# See the manual pages hosts_access(5) and hosts_options(5).
#
# Example: ALL: LOCAL @some_netgroup
# ALL: .foobar.edu EXCEPT terminalserver.foobar.edu
#
# If you're going to protect the portmapper use the name "rpcbind" for the
# daemon name. See rpcbind(8) and rpc.mountd(8) for further information.
# IP address whitelist, comma separated
ALL: xxx.xxx.xxx.xxx, xxx.xxx.xxx.xxx

# /etc/hosts.deny: list of hosts that are _not_ allowed to access the system.
# See the manual pages hosts_access(5) and hosts_options(5).
#
# Example: ALL: some.host.name, .some.domain
# ALL EXCEPT in.fingerd: other.host.name, .other.domain
#
# If you're going to protect the portmapper use the name "rpcbind" for the
# daemon name. See rpcbind(8) and rpc.mountd(8) for further information.
#
# The PARANOID wildcard matches any host whose name does not match its
# address.
#
# You may wish to enable this to ensure any programs that don't
# validate looked up hostnames still leave understandable logs. In past
# versions of Debian this has been the default.
# ALL: PARANOID
ALL: ALL
Alternatively, use the EXCEPT operator and configure only hosts.deny:
# deny everything except the IP address whitelist
ALL: ALL EXCEPT xxx.xxx.xxx.xxx, xxx.xxx.xxx.xxx