Faced with many complex environments, customers often have special requirements for security reasons. One of the questions we are asked most often is: "Can I decide whether a client is allowed to access the server based on its IP address?" Customers can usually control access by user name or by pty, but if it cannot be done by IP address, the server may be attacked as soon as it is connected to the network. Here we introduce an excellent piece of software, Tcp_Wrapper, which helps us implement a complete server access policy. This software is not included on the AIX system media; Tcp_Wrapper is free software that is widely used on Solaris, HP-UX and Linux. We strongly recommend that you make it part of the standard security configuration of your important servers.
Tcp_wrapper was written by Wietse Venema and is free software that runs on a variety of Unix platforms. There is a small story behind its birth. Around 1990, the servers at the author's university were repeatedly broken into by an outside hacker. Because the disks of the victim hosts were wiped several times with an rm -rf / command, finding clues was extremely difficult, until one night Venema happened to notice, while working, that the hacker kept running finger against the victim hosts to spy on the victims' work. At that moment an idea was born: write a program that could capture the IP address, user name and other details of whoever issued the finger request. Venema quickly got to work, and Tcp_wrapper was the result. Since then Tcp_wrapper has gradually become a standard Unix security tool, a plug-in for the Unix inetd daemon. Through Tcp_wrapper, administrators can monitor and filter the various services provided by inetd.
Below we describe how to install and use Tcp_Wrapper on AIX:
Step 1: Download
Step 2: Install
Step 3: Configure
Step 4: Test
Step 1: Download
http://ftp.univie.ac.at/aix/download/aix43/tcp_wrappers-7.6.1.0.exe
Step 2: Install
# ls
tcp_wrappers-7.6.1.0.exe
# chmod +x *exe
# ./tcp_wrappers-7.6.1.0.exe
UnZipSFX 5.32 of 3 November 1997, by Info-ZIP (Zip-Bugs@lists.wku.edu).
inflating: tcp_wrappers-7.6.1.0.bff
inflating: tcp_wrappers-7.6.1.0.bff.asc
# inutoc .
# installp -aXgd . all
+--------------------------------------------------------------------+
Pre-installation Verification...
+--------------------------------------------------------------------+
Verifying selections...done
Verifying requisites...done
Results...
SUCCESSES
---------
Filesets listed in this section passed pre-installation verification
and will be installed.
Selected Filesets
-----------------
freeware.tcp_wrappers.rte 7.6.1.0           # TCP/IP daemon security wrapp...
FILESET STATISTICS
------------------
1 Selected to be installed, of which:
    1 Passed pre-installation verification
----
1 Total to be installed
+--------------------------------------------------------------------+
Installing Software...
+--------------------------------------------------------------------+
installp: APPLYING software for:
        freeware.tcp_wrappers.rte 7.6.1.0
. . . . . . . . . . . .
TCP WRAPPERS, version 7.6
Copyright (C) 1997 by Wietse Venema. All rights reserved.
(Some individual files may be covered by other copyrights.)
Plaese refer to the DISCLAIMER file delivered in the directory
/usr/local/lib/tcp_wrappers-7.6 for complete details. The README file
delivered in the same directory should also be read.
Packaging is Copyright (C) 1999 BULL SA. This LPP may not be redistributed
comercially. No warranty or support in any form is offered with this
LPP.
. . . . . . . . .
Finished processing all filesets. (Total time: 2 secs).
+-------------------------------------------------------------------+
Summaries:
+-------------------------------------------------------------------+
Installation Summary
--------------------
Name                        Level           Part        Event       Result
-------------------------------------------------------------------------------
freeware.tcp_wrappers.rte   7.6.1.0         USR         APPLY       SUCCESS
Step 3: Configure
# vi /etc/inetd.conf
modify the two lines from
ftp     stream  tcp6    nowait  root    /usr/sbin/ftpd          ftpd
telnet  stream  tcp6    nowait  root    /usr/sbin/telnetd       telnetd -a
to the following (tcpd receives the daemon name as its argument and runs the real daemon after checking the access files)
ftp     stream  tcp6    nowait  root    /usr/local/bin/tcpd     ftpd
telnet  stream  tcp6    nowait  root    /usr/local/bin/tcpd     telnetd -a
# vi /etc/hosts.deny
all:all
# vi /etc/hosts.allow
telnetd:192.168.0.201:allow
ftpd:192.168.0.201:allow
# refresh -s inetd
Step 4: Test
# /usr/local/bin/tcpdmatch ftpd 9.185.43.221
client: address 9.185.43.221
server: process ftpd
access: denied
# /usr/local/bin/tcpdmatch ftpd 192.168.0.201
client: address 192.168.0.201
server: process ftpd
access: granted
# /usr/local/bin/tcpdmatch telnetd 9.185.43.221
client: address 9.185.43.221
server: process telnetd
access: denied
# /usr/local/bin/tcpdmatch telnetd 192.168.0.201
client: address 192.168.0.201
server: process telnetd
access: granted
The above is only a simple example of the access control files. You can consult the Tcp_wrapper documentation to build more complex and effective access policies.
This article is from the ChinaUnix blog; the original is at http://blog.chinaunix.net/u1/41906/showart_423220.html
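As an added illustration (not part of the original post or of the tcp_wrappers package), the Python below emulates how tcpd evaluates the two files above: /etc/hosts.allow is searched first, then /etc/hosts.deny, the first matching line wins, and a client that matches neither file is allowed. The file contents are constructed copies of the rules shown in Step 3; the net/mask and EXCEPT forms go beyond the post's rules and follow the hosts_access(5) syntax, and hostname patterns are not handled.

```python
import ipaddress

# Constructed copies of the two control files shown in the post (not read from disk).
HOSTS_ALLOW = "telnetd:192.168.0.201:allow\nftpd:192.168.0.201:allow\n"
HOSTS_DENY = "all:all\n"

def _match_one(pattern, value, is_client):
    """One token: ALL, an exact name/address, an 'n.n.n.' prefix or a net/mask (clients)."""
    p = pattern.lower()
    if p == "all":
        return True
    if not is_client:
        return p == value.lower()      # daemon name as tcpd sees it (e.g. ftpd, telnetd)
    if p.endswith("."):
        return value.startswith(p)     # leading-octets prefix such as "192.168.0."
    if "/" in p:                       # net/mask, e.g. 192.168.0.0/255.255.255.0
        try:
            return ipaddress.ip_address(value) in ipaddress.ip_network(p, strict=False)
        except ValueError:
            return False
    return p == value

def _match_list(spec, value, is_client):
    """Space- or comma-separated list, optionally followed by 'EXCEPT <list>'."""
    head, _, tail = spec.lower().partition(" except ")
    hit = any(_match_one(t, value, is_client) for t in head.replace(",", " ").split())
    exc = any(_match_one(t, value, is_client) for t in tail.replace(",", " ").split())
    return hit and not exc

def _first_match(text, daemon, client):
    """Option field ('allow', 'deny' or '') of the first matching rule, else None."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()          # drop comments and blank lines
        fields = [f.strip() for f in line.split(":")]
        if len(fields) < 2:
            continue
        if _match_list(fields[0], daemon, False) and _match_list(fields[1], client, True):
            return fields[2].lower() if len(fields) > 2 else ""
    return None

def tcpd_access(daemon, client, allow=HOSTS_ALLOW, deny=HOSTS_DENY):
    """Mimic tcpdmatch: hosts.allow first, then hosts.deny, default is 'granted'."""
    for text, default in ((allow, "granted"), (deny, "denied")):
        opt = _first_match(text, daemon, client)
        if opt is not None:            # an explicit allow/deny option overrides the file
            return {"allow": "granted", "deny": "denied"}.get(opt, default)
    return "granted"
```

Calling tcpd_access("ftpd", "9.185.43.221") and tcpd_access("ftpd", "192.168.0.201") reproduces the two tcpdmatch results from Step 4.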