How to restrict login and access by IP address on Linux
With the rise of cloud computing and the mobile internet, network security has become an essential discipline. Web services now run on Linux in large numbers, so how do we keep those web services secure?
Below is a method we commonly use, offered for reference: restrict which IP addresses may reach the login port, and have the whole company connect to the servers through a VPN.
/etc/hosts.allow和/etc/hosts.deny
These two files are the configuration files of tcpd (tcp_wrappers), which controls access from remote IP addresses to services on this host. Only services started through tcpd or linked against libwrap consult them: a web server such as Apache or nginx does not, and OpenSSH removed its built-in libwrap support in version 6.7, so check whether your distribution's sshd still honors these files before relying on them. Both files use the following format:
# daemon name : client list : optional command to run when the rule matches
server_name:hosts-list[:command]
/etc/hosts.allow lists the clients that may reach services on this host, and /etc/hosts.deny lists the clients that are refused. The two files are not merged: /etc/hosts.allow is searched first, and a match there grants access no matter what /etc/hosts.deny says; /etc/hosts.deny is only searched when nothing in /etc/hosts.allow matched, and a client that matches neither file is allowed. Below is an example /etc/hosts.allow:
# allow the local host to reach every wrapped service
ALL: 127.0.0.1
# allow the 192.168.0.0/24 network to reach smbd
smbd: 192.168.0.0/255.255.255.0
Comments must be on their own line: a line beginning with # is ignored, but a # written after an entry is read as part of the entry, not as a comment. The keyword ALL matches everything; EXCEPT removes the items listed after it from the match (for example, ALL EXCEPT 192.168.0.13); PARANOID matches a client whose hostname and IP address do not agree (a spoofed reverse DNS record).
I tried this out myself, and it does not seem to be the case that deny prevails on a conflict as stated here; it's best to put what you allow in allow and what you disallow in deny, which is safer!
/etc/hosts.allow and /etc/hosts.deny
These two files specify which computers on the network can use services on your machine. Each line of the file is an entry listing a service and a set of machines. When the wrapper (tcpd, or a daemon linked against libwrap) gets a request from a machine, it does the following:
- It first checks hosts.allow to see if the machine matches a description listed in there. If it does, then the machine is allowed access.
- If the machine does not match an entry in hosts.allow, the server then checks hosts.deny to see if the client matches a listing in there. If it does then the machine is denied access.
- If the client matches no listings in either file, then it is allowed access.
In general, it is a good idea with NFS (as with most internet services) to explicitly deny access to hosts that you don't need to allow access to.
The first step in doing this is to add the following entry to /etc/hosts.deny:
portmap:ALL
Next, we need to add an entry to hosts.allow to give any hosts access that we want to have access. (If we just leave the above lines in hosts.deny then nobody will have access to NFS.) Entries in hosts.allow follow the format:
service: host [or network/netmask] , host [or network/netmask]
Here, host is the IP address of a potential client; some versions may accept the DNS name of the host, but that is strongly deprecated, because the match then depends on DNS rather than on the address in the packet.
Suppose we have the setup above and we just want to allow access to huh.com and arakis.dune.com, and suppose that the IP addresses of these machines are 10.0.0.8 and 10.0.0.1, respectively. We could add the following entry to /etc/hosts.allow:
portmap: 10.0.0.8, 10.0.0.1
For recent nfs-utils versions, we would also add the following (again, these entries are harmless even if they are not supported):
lockd: 10.0.0.8, 10.0.0.1
rquotad: 10.0.0.8, 10.0.0.1
mountd: 10.0.0.8, 10.0.0.1
statd: 10.0.0.8, 10.0.0.1
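The search order described above (hosts.allow first, then hosts.deny, then allow by default) and the patterns used on this page (ALL, EXCEPT, address prefixes, net/netmask) are easy to get wrong, so here is an added Python evaluator that applies them to constructed copies of the VPN-only sshd setup from the first half of the page and of the NFS entries just given. It is example code written for this page, not part of tcp_wrappers or nfs-utils; it handles address patterns only (no hostnames, netgroups, PARANOID or DNS), the VPN pool 10.8.0.0/24 is an assumed value, and the names hosts_access, parse_rules and client_matches are this example's own. Running it shows two things the prose states but that are easy to miss: an entry in hosts.allow wins even against sshd: ALL in hosts.deny, and with only portmap: ALL in hosts.deny, mountd from an unlisted host is still allowed until a catch-all such as ALL: ALL is added to hosts.deny.

```python
"""Evaluate a client address against /etc/hosts.allow and /etc/hosts.deny in
the order tcp_wrappers (tcpd / libwrap) uses: first match in hosts.allow grants
access, otherwise first match in hosts.deny refuses it, otherwise access is
granted.  Example written for this page, not tcp_wrappers code.  It handles a
subset of hosts_access(5): ALL, EXCEPT, exact addresses, trailing-dot prefixes
such as 192.168.0., net/netmask and net/prefixlen.  Hostname patterns,
@netgroups, KNOWN/UNKNOWN/PARANOID and the option field are deliberately not
implemented (no DNS lookups are done); these are assumptions of the example."""
import ipaddress
import re


def split_list(field):
    """Daemon and client lists are separated by whitespace and/or commas."""
    return [t for t in re.split(r"[\s,]+", field.strip()) if t]


def parse_rules(text):
    """Return [(daemon_tokens, client_tokens), ...] in file order.
    Blank lines and lines that *start* with '#' are ignored (a '#' written
    after an entry is not a comment); a trailing backslash continues a rule."""
    rules, pending = [], ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.endswith("\\"):
            pending += line[:-1] + " "
            continue
        line, pending = pending + line, ""
        fields = line.split(":", 2)          # daemon_list : client_list [: options]
        if len(fields) < 2:
            raise ValueError("malformed rule: %r" % line)
        rules.append((split_list(fields[0]), split_list(fields[1])))
    return rules


def daemon_matches(token, daemon):
    return token == "ALL" or token == daemon


def client_matches(token, ip):
    """Match one client pattern against an ipaddress address object."""
    if token == "ALL":
        return True
    if "/" in token:                          # net/netmask or [net]/prefixlen
        net = ipaddress.ip_network(token.replace("[", "").replace("]", ""), strict=False)
        return ip in net
    if token.endswith("."):                   # 192.168.0. matches 192.168.0.x
        return str(ip).startswith(token)
    return str(ip) == token                   # plain address; no hostname lookup


def list_matches(tokens, value, match_one):
    """'a b EXCEPT c' matches (a or b) unless c matches; EXCEPT nests rightward."""
    if "EXCEPT" in tokens:
        i = tokens.index("EXCEPT")
        return (list_matches(tokens[:i], value, match_one)
                and not list_matches(tokens[i + 1:], value, match_one))
    return any(match_one(t, value) for t in tokens)


def hosts_access(allow_text, deny_text, daemon, client):
    """Return (allowed, reason) using the tcp_wrappers search order."""
    ip = ipaddress.ip_address(client)
    for n, (daemons, clients) in enumerate(parse_rules(allow_text), 1):
        if list_matches(daemons, daemon, daemon_matches) and \
           list_matches(clients, ip, client_matches):
            return True, "hosts.allow rule %d" % n
    for n, (daemons, clients) in enumerate(parse_rules(deny_text), 1):
        if list_matches(daemons, daemon, daemon_matches) and \
           list_matches(clients, ip, client_matches):
            return False, "hosts.deny rule %d" % n
    return True, "no rule matched: default is to allow"


# Constructed sample files.  VPN case from the first half of the page: sshd is
# reachable only from the VPN pool, assumed here to be 10.8.0.0/24.
VPN_ALLOW = """\
ALL: 127.0.0.1
sshd: 10.8.0.0/255.255.255.0
smbd: 192.168.0. EXCEPT 192.168.0.13
"""
VPN_DENY = "sshd: ALL\n"

# NFS case from the HOWTO excerpt: only portmap is denied by default.
NFS_ALLOW = """\
portmap: 10.0.0.8, 10.0.0.1
lockd:   10.0.0.8, 10.0.0.1
rquotad: 10.0.0.8, 10.0.0.1
mountd:  10.0.0.8, 10.0.0.1
statd:   10.0.0.8, 10.0.0.1
"""
NFS_DENY = "portmap: ALL\n"
NFS_DENY_ALL = "ALL: ALL\n"    # hardened: anything not in hosts.allow is refused

if __name__ == "__main__":
    for args in [(VPN_ALLOW, VPN_DENY, "sshd", "10.8.0.7"),
                 (VPN_ALLOW, VPN_DENY, "sshd", "203.0.113.5"),
                 (VPN_ALLOW, VPN_DENY, "smbd", "192.168.0.13"),
                 (NFS_ALLOW, NFS_DENY, "mountd", "10.0.0.99"),
                 (NFS_ALLOW, NFS_DENY_ALL, "mountd", "10.0.0.99")]:
        print(args[2], args[3], hosts_access(*args))
```

Note that smbd from 192.168.0.13 ends up allowed: EXCEPT in hosts.allow only stops that entry from matching, and with no smbd entry in hosts.deny the default applies. On a real host, tcpdmatch(8), shipped with tcp_wrappers, answers the same question against the installed files (for example tcpdmatch sshd 10.8.0.7) and is the safer way to check a rule set before closing the session you are logged in through.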