
Controlling SSH access with TCP Wrappers

Uncategorized, by admin

OpenSSH's TCP Wrappers support (libwrap) lets you control which hosts may connect to sshd by listing them in /etc/hosts.allow and /etc/hosts.deny. The check runs as soon as sshd accepts the TCP connection, before any key exchange or authentication, so a rejected client never reaches the login stage.

For example, to allow SSH logins to this server only from the operations audit system (the bastion host):
1. Check whether OpenSSH was built with TCP Wrappers support
# ldd /usr/sbin/sshd | grep wrap
        libwrap.so.0 => /lib64/libwrap.so.0 (0x000000357f200000)
If a libwrap line is printed, sshd is linked against TCP Wrappers and honours the two files. If nothing is printed, sshd ignores them entirely and every rule below is a no-op; a source build needs the --with-tcp-wrappers configure option. Note that upstream OpenSSH removed tcp_wrappers support in 6.7 (some distributions carried it on as a patch for a while), so on a current system expect no output here and use host firewall rules, or a Match Address block / AllowUsers in sshd_config, to get the same effect.
2. Edit the configuration files
Add the allow list:
# vim /etc/hosts.allow
#
# hosts.allow   This file describes the names of the hosts which are
#               allowed to use the local INET services, as decided
#               by the '/usr/sbin/tcpd' server.
#
# 10.0.10.10 is the operations audit system
sshd: 10.0.10.10
Keep comments on their own line: hosts_access(5) only ignores lines that begin with #, so text appended after a rule is parsed as further client patterns.
Deny every other address. tcpd consults hosts.allow first and stops at the first matching rule; if nothing matches there it consults hosts.deny; if neither file matches, the connection is allowed. Without the rule below, therefore, the allow list above changes nothing:
# vim /etc/hosts.deny
#
# hosts.deny    This file describes the names of the hosts which are
#               *not* allowed to use the local INET services, as decided
#               by the '/usr/sbin/tcpd' server.
#
# The portmap line is redundant, but it is left to remind you that
# the new secure portmap uses hosts.deny and hosts.allow.  In particular
# you should know that NFS uses portmap!
# ALL is the wildcard keyword, conventionally written in upper case
sshd: ALL
3. Test
From a host that is not the operations audit system, an ssh login to the server (10.0.33.2) now fails. sshd closes the connection before sending its protocol banner, so the client sees:
# ssh 10.0.33.2
ssh_exchange_identification: Connection closed by remote host
The rejection is recorded in /var/log/secure:
Aug 20 16:44:17 localhost sshd[28333]: refused connect from 10.0.10.12 (10.0.33.2)
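To see how the two files from step 2 are evaluated without touching a live host, here is an added example (not code from the original post, from OpenSSH or from tcp_wrappers): a small Python model of the hosts_access(5) decision, covering the rule order the procedure above relies on, the ALL keyword, the EXCEPT operator, the ALLOW/DENY options, and exact, prefix and net/mask client patterns. Every rule set in it is constructed for illustration; hostnames are passed in rather than resolved, and netgroups, KNOWN/LOCAL/PARANOID, IPv6 and spawn/twist options are deliberately not modelled.

```python
"""Offline model of the tcp_wrappers hosts_access(5) decision.

Hypothetical helper, not part of tcp_wrappers or OpenSSH. It reproduces the
rule order (hosts.allow first, then hosts.deny, default grant), the ALL
keyword, the EXCEPT operator, ALLOW/DENY options, and exact, prefix
("10.0.10."), suffix (".example.com") and net/mask client patterns.
Not modelled: netgroups (@), KNOWN/LOCAL/PARANOID, IPv6, spawn/twist.
"""
import ipaddress
import re

SEP = re.compile(r"[ \t,]+")   # list separators accepted by tcpd


def _client_match(pat, addr, hostname):
    """Match one client pattern against the peer address (and hostname, if given)."""
    if pat.upper() == "ALL":
        return True
    if "/" in pat:                              # net/mask or net/prefixlen
        try:
            return ipaddress.ip_address(addr) in ipaddress.ip_network(pat, strict=False)
        except ValueError:
            return False
    for s in ([addr] if hostname is None else [addr, hostname]):
        if pat.startswith("."):                 # ".example.com": suffix match
            if len(s) > len(pat) and s.lower().endswith(pat.lower()):
                return True
        elif pat.endswith("."):                 # "10.0.10.": prefix match
            if s.lower().startswith(pat.lower()):
                return True
        elif s.lower() == pat.lower():          # exact match
            return True
    return False


def _list_match(tokens, match):
    """tcpd list_match: the first matching token wins, unless the EXCEPT list
    that follows it also matches (EXCEPT lists nest to the right)."""
    for i, tok in enumerate(tokens):
        if tok.upper() == "EXCEPT":             # no match before EXCEPT: give up
            return False
        if match(tok):
            rest = tokens[i + 1:]
            for j, t in enumerate(rest):
                if t.upper() == "EXCEPT":
                    return not _list_match(rest[j + 1:], match)
            return True
    return False


def _table_match(text, daemon, addr, hostname):
    """Return the option list of the first rule in `text` that matches, else None."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):    # only whole lines can be comments
            continue
        fields = line.split(":")
        if len(fields) < 2:                     # tcpd warns about a missing ':' and skips
            continue
        daemons = SEP.split(fields[0].strip())
        clients = SEP.split(fields[1].strip())
        options = [f.strip().upper() for f in fields[2:]]
        if (_list_match(daemons, lambda t: t.upper() == "ALL" or t == daemon)
                and _list_match(clients, lambda t: _client_match(t, addr, hostname))):
            return options
    return None


def hosts_access(allow_text, deny_text, daemon, addr, hostname=None):
    """True if the connection is granted. hosts.allow is searched first and a
    match grants (unless the rule carries DENY); then hosts.deny, where a match
    denies (unless the rule carries ALLOW); if neither matches, access is granted."""
    opts = _table_match(allow_text, daemon, addr, hostname)
    if opts is not None:
        return "DENY" not in opts
    opts = _table_match(deny_text, daemon, addr, hostname)
    if opts is not None:
        return "ALLOW" in opts
    return True


# Constructed rule sets: the post's configuration plus some variants.
PAGE_ALLOW = "sshd: 10.0.10.10\n"
PAGE_DENY = "sshd: ALL\n"
EMPTY_DENY = ""                                             # hosts.deny left empty
SINGLE_FILE = "sshd: 10.0.10.10\nsshd: ALL: DENY\n"         # same policy in hosts.allow alone
SUBNET_ALLOW = "sshd: 10.0.10.0/255.255.255.0 EXCEPT 10.0.10.12\n"


def demo():
    """Decisions for the cases a reviewer of this rule set would want to check."""
    return {
        "audit_host": hosts_access(PAGE_ALLOW, PAGE_DENY, "sshd", "10.0.10.10"),
        "other_host": hosts_access(PAGE_ALLOW, PAGE_DENY, "sshd", "10.0.10.12"),
        "other_daemon": hosts_access(PAGE_ALLOW, PAGE_DENY, "vsftpd", "10.0.10.12"),
        "empty_deny": hosts_access(PAGE_ALLOW, EMPTY_DENY, "sshd", "10.0.10.12"),
        "single_file": hosts_access(SINGLE_FILE, EMPTY_DENY, "sshd", "10.0.10.12"),
        "subnet_except": hosts_access(SUBNET_ALLOW, PAGE_DENY, "sshd", "10.0.10.12"),
        "subnet_member": hosts_access(SUBNET_ALLOW, PAGE_DENY, "sshd", "10.0.10.20"),
    }


if __name__ == "__main__":
    for case, granted in demo().items():
        print(f"{case:14s} {'granted' if granted else 'denied'}")
```

The `empty_deny` case is the mistake to watch for: with an allow list but no matching deny rule, the default is to grant, so every host still gets in; `other_daemon` shows that `sshd: ALL` in hosts.deny protects only sshd, not other wrapped services. On the real host, `tcpdmatch sshd 10.0.10.12` (shipped with the tcp_wrappers package) evaluates the installed /etc/hosts.allow and /etc/hosts.deny and reports whether access would be granted or denied, which is a safer check than locking yourself out.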

