Access control lists for services
1. Two principles have to be stated before the TCP Wrappers service is configured. First, the left-hand side of a rule is always the name of the daemon (the service, e.g. sshd or vsftpd), never the name of a protocol such as ssh or ftp. Second, it is best to write the deny rule first, because the effect is then immediately visible. For example, start by using the deny policy file to refuse every request to the local sshd service (the existing comment lines do not need to be changed):

    [root@linuxprobe ~]# vim /etc/hosts.deny
    #
    # hosts.deny    This file contains access rules which are used to
    #               deny connections to network services that either use
    #               the tcp_wrappers library or that have been
    #               started through a tcp_wrappers-enabled xinetd.
    #
    #               The rules in this file can also be set up in
    #               /etc/hosts.allow with a 'deny' option instead.
    #
    #               See 'man 5 hosts_options' and 'man 5 hosts_access'
    #               for information on rule syntax.
    #               See 'man tcpd' for information on tcp_wrappers
    sshd:*
    [root@linuxprobe ~]# ssh 192.168.10.10
    ssh_exchange_identification: read: Connection reset by peer

No service restart is needed: libwrap re-reads /etc/hosts.allow and /etc/hosts.deny on every incoming connection. The documented wildcard for "any client" is ALL; the * form used above is accepted by the Red Hat build of tcp_wrappers and behaves the same way here. Note also what the client sees: the TCP connection is accepted and then closed by sshd after the wrapper check fails, so the port still shows as open to a scanner. TCP Wrappers is an application-level filter inside the daemon, not a firewall, and it only protects daemons that are actually linked against libwrap (check with `ldd $(which sshd) | grep libwrap`). This applies to RHEL/CentOS 7; upstream OpenSSH dropped libwrap support in 6.7 and RHEL 8 removed tcp_wrappers entirely, so on newer systems use firewalld/nftables or a `Match Address` block in sshd_config instead.
2. Next, add to the allow policy file a rule that admits every request to the local sshd service from the 192.168.10.0/24 network. The server immediately accepts ssh requests again, and the effect is just as direct:

    [root@linuxprobe ~]# vim /etc/hosts.allow
    #
    # hosts.allow   This file contains access rules which are used to
    #               allow or deny connections to network services that
    #               either use the tcp_wrappers library or that have been
    #               started through a tcp_wrappers-enabled xinetd.
    #
    #               See 'man 5 hosts_options' and 'man 5 hosts_access'
    #               for information on rule syntax.
    #               See 'man tcpd' for information on tcp_wrappers
    sshd:192.168.10.
    [root@linuxprobe ~]# ssh 192.168.10.10
    The authenticity of host '192.168.10.10 (192.168.10.10)' can't be established.
    ECDSA key fingerprint is 70:3b:5d:37:96:7b:2e:a5:28:0d:7e:dc:47:6a:fe:5c.
    Are you sure you want to continue connecting (yes/no)? yes
    Warning: Permanently added '192.168.10.10' (ECDSA) to the list of known hosts.
    root@192.168.10.10's password:
    Last login: Wed May 4 07:56:29 2017
    [root@linuxprobe ~]#

This works because of the evaluation order: /etc/hosts.allow is searched first, and the first matching rule grants access and stops the search, so the `sshd:*` line in /etc/hosts.deny is never reached for clients in that subnet. Only if nothing in hosts.allow matches is hosts.deny consulted, and if neither file matches, the connection is allowed. The trailing dot in `192.168.10.` is significant: it marks an address-prefix match, equivalent to `192.168.10.0/255.255.255.0`; without the dot the pattern would be an exact match that never fires. To check a rule set without opening a real connection, run `tcpdmatch sshd 192.168.10.10` (from the tcp_wrappers package), which reports which file and rule would decide the request.
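The allow-then-deny decision order described in the two steps above, as an added example that is not from the original page: a small bash emulator of how libwrap evaluates `daemon : client` rules (hosts.allow first, then hosts.deny, then default allow) against constructed copies of the two policy files. It is not libwrap itself and models only the pattern forms used on this page (ALL, *, an address prefix ending in ".", a hostname suffix starting with ".", and exact strings); the function names and the temporary directory are assumptions of the example.

```shell
#!/usr/bin/env bash
# Added example (not the page's own code): a simplified model of the
# tcp_wrappers decision order. For the real thing, use `tcpdmatch`.
set -u
set -f   # disable pathname expansion so a literal "*" in a rule is never globbed

# match_pattern PATTERN STRING -> exit 0 if PATTERN matches STRING
match_pattern() {
    local pat=$1 str=$2
    case "$pat" in
        ALL|'*') return 0 ;;                            # any daemon / any client
        *.)      [ "${str#"$pat"}" != "$str" ] ;;       # address prefix, e.g. 192.168.10.
        .*)      [ "${str%"$pat"}" != "$str" ] ;;       # hostname suffix, e.g. .example.com
        *)       [ "$pat" = "$str" ] ;;                 # exact daemon name or address
    esac
}

# match_list LIST STRING -> exit 0 if any comma/space separated pattern matches
match_list() {
    local list=$1 str=$2 tok
    for tok in $(printf '%s' "$list" | tr ',' ' '); do
        match_pattern "$tok" "$str" && return 0
    done
    return 1
}

# file_matches FILE DAEMON CLIENT -> exit 0 if a "daemon_list : client_list"
# rule in FILE matches; comments and blank lines are ignored, as in hosts_access(5)
file_matches() {
    local file=$1 daemon=$2 client=$3 line daemons clients
    [ -r "$file" ] || return 1
    while IFS= read -r line || [ -n "$line" ]; do
        line=${line%%#*}                                # strip trailing comments
        case "$line" in *:*) ;; *) continue ;; esac     # skip blank/malformed lines
        daemons=${line%%:*}
        clients=${line#*:}
        clients=${clients%%:*}                          # ignore an optional option field
        match_list "$daemons" "$daemon" && match_list "$clients" "$client" && return 0
    done < "$file"
    return 1
}

# tcpw_decide DAEMON CLIENT ALLOW_FILE DENY_FILE -> prints allow|deny (exit 0|1)
tcpw_decide() {
    local daemon=$1 client=$2 allow=$3 deny=$4
    if file_matches "$allow" "$daemon" "$client"; then
        echo allow; return 0        # hosts.allow matched: granted, deny file never read
    elif file_matches "$deny" "$daemon" "$client"; then
        echo deny; return 1         # no allow match, but hosts.deny matched
    fi
    echo allow; return 0            # neither file matched: access is granted
}

# Constructed sample policy files mirroring the page, written to a temp dir
# (assumption of the example; never to /etc on the machine running this).
WRAP_DIR=$(mktemp -d)
printf '# refuse everyone by default\nsshd:*\n' > "$WRAP_DIR/hosts.deny"
printf '# but admit the lab subnet\nsshd:192.168.10.\n' > "$WRAP_DIR/hosts.allow"

for client in 192.168.10.10 10.0.0.5; do
    printf 'sshd from %-15s -> %s\n' "$client" \
        "$(tcpw_decide sshd "$client" "$WRAP_DIR/hosts.allow" "$WRAP_DIR/hosts.deny")"
done
```

The third case worth trying is a daemon with no rule at all (for example vsftpd): neither file mentions it, so the decision falls through to the default and the connection is allowed. That is the reason a deny-by-default policy needs an explicit `ALL: ALL` line in hosts.deny rather than per-service entries.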