reference:
centos 安全配置應用之hosts.allow和hosts.deny
https://blog.csdn.net/yangjiehuan/article/details/9253855
通過配置hosts.allow和hosts.deny文件允許或禁止ssh或telnet操作
https://www.cnblogs.com/lsdb/p/7095288.html
http://witmax.cn/linux-ip-black-list.html
說明:
1.一個IP請求連入,linux的檢查策略是先看/etc/hosts.allow中是否允許,如果允許直接放行;如果沒有,則再看/etc/hosts.deny中是否禁止,如果禁止那麼就禁止連入。
2.實驗發現對/etc/hosts.allow和/etc/hosts.deny的配置不用重啓就立即生效,但不管重啓不重啓當前已有會話都不會受影響;也就是說對之前已經連入的,即便IP已配置爲禁止登錄會話仍不會強制斷開。不過不知是否所有linux都一樣,由此第四步標爲可選。
實踐:
操作環境:
Distributor ID: CentOS
Description: CentOS Linux release 7.7.1908 (Core)
Release: 7.7.1908
[root@localhost etc]# cat hosts.allow
#
# hosts.allow This file contains access rules which are used to
# allow or deny connections to network services that
# either use the tcp_wrappers library or that have been
# started through a tcp_wrappers-enabled xinetd.
#
# See 'man 5 hosts_options' and 'man 5 hosts_access'
# for information on rule syntax.
# See 'man tcpd' for information on tcp_wrappers
#
sshd:10.1.100.*:allow
sshd:10.2.150.*:allow
sshd:10.3.200.*:allow
sshd:10.4.230.*:allow
sshd:10.5.240.*:allow
[root@localhost etc]#
[root@localhost etc]#
[root@localhost etc]#
[root@localhost etc]# cat hosts.deny
#
# hosts.deny This file contains access rules which are used to
# deny connections to network services that either use
# the tcp_wrappers library or that have been
# started through a tcp_wrappers-enabled xinetd.
#
# The rules in this file can also be set up in
# /etc/hosts.allow with a 'deny' option instead.
#
# See 'man 5 hosts_options' and 'man 5 hosts_access'
# for information on rule syntax.
# See 'man tcpd' for information on tcp_wrappers
#
sshd:all