我们自己勤快些自己动手了,第三方的东东,算了,用自己的吧。。。
主要就是telnet嘛,先把相关的rsh,rlogin,rexec都关了,省了麻烦,
然后开始设置telnet的本地防火墙。
需求:
1.加入文件/etc/telnet.allow,里面包含允许telnet的IP地址
和网段(为简单起见,网段格式只支持XXX.XXX.XXX.0)
telnet.allow格式如下:
172.18.85.0 (网段)
172.18.89.22
...
2.加入文件/etc/telnet.log,记录未授权IP失败的telnet记录,
包括时间和IP。
好,开始动手。。。
首先改inetd.conf,用自己的程序接管in.telnetd,该程序定名为
in.telnetd.firewall,比较长呵呵。
相应inetd.conf中telnet那一行变为:
telnet stream tcp nowait root /usr/sbin/in.telnetd.firewall
in.telnetd.firewall
然后写in.telnetd.firewall.c,原理:先初始化授权地址表(函数InitAuthIP),
然后检查对方地址(函数getpeername)是否与表中地址匹配(函数IPIsAuthed),
若不匹配记下时间和对方地址并警告对方,否则将处理移交(系统调用execl)给
真实服务进程,即/usr/bin/in.telnetd。
# include
# include
# include
# include
# include
# include
# include
# define TRUE 0
# define FALSE -1
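/*
 * Entry point of the telnet wrapper that inetd runs in place of in.telnetd.
 *
 * Under inetd's "nowait" convention (see the inetd.conf line above) fd 0 is
 * the accepted client socket, so the peer address is read with getpeername()
 * and checked against /etc/telnet.allow.  Only an authorized peer is handed
 * to the real server via execl(); anything else is logged once to
 * /etc/telnet.log and the connection is closed.
 *
 * Returns: never on success (the process image is replaced by in.telnetd);
 * exits non-zero if the peer cannot be identified or the exec fails.
 */
int main(void)
{
    struct sockaddr_in it;
    socklen_t itlen = sizeof it; /* getpeername() takes socklen_t *, not int * */

    InitAuthIP("/etc/telnet.allow"); /* read authorized IPs; exits on error */

    /* Identify the peer; with no address there is nothing to authorize. */
    if (getpeername(0, (struct sockaddr *)&it, &itlen) < 0) {
        perror("getpeername");
        exit(EXIT_FAILURE);
    }
    /* The sockaddr_in cast is only meaningful for AF_INET; fail closed
     * rather than authorize garbage. */
    if (it.sin_family != AF_INET) {
        fprintf(stderr, "unexpected address family\n");
        exit(EXIT_FAILURE);
    }

    /* Fail closed: log the attempt exactly once and drop the connection.
     * The original ran this check twice and opened the log a second time
     * without closing it.  EndLog() is assumed to close what InitLog()
     * opened — its definition is not on this page. */
    if (IPIsAuthed(it.sin_addr.s_addr) == FALSE) {
        InitLog("/etc/telnet.log");
        PrLog("%s", inet_ntoa(it.sin_addr));
        EndLog();
        /* stdout is the client socket here; exit() flushes it. */
        printf("Not on console, u have been loged, xixi...;)\n");
        close(0);
        exit(0);
    }

    /* Hand the connection to the real server. */
    execl("/usr/sbin/in.telnetd", "in.telnetd", (char *)0);

    /* Only reached if execl() failed; never fall through into a plain
     * return, which would leave the client connected to nothing useful. */
    perror("execl /usr/sbin/in.telnetd");
    return EXIT_FAILURE;
}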
防火墙模块:ipauth.c
/************************************************************************/
/* ipauth.c, by digger */
/* ipauth reads the file that lists all IPs authorized to access */
/* some services on localhost; the format is as follows: */
/************************************************************************/
/* # this is one comments line begin with "#" */
/* 172.18.85.0 # allow subnet */
/* 172.18.86.146 */
/* 172.18.86.145 */
/* ... */
/************************************************************************/
/* function InitAuthIP reads the authorized IPs into a memory array, and */
/* function IPIsAuthed checks whether the given IP is authorized */
/************************************************************************/
# include
# include
# include
# include
# include
# include
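#define MAXHOSTS 32
#define TRUE 0
#define FALSE -1
/* Host-order mask selecting the first three octets of an address. */
#define NET24_MASK 0xffffff00u

u_long AuthedIP[MAXHOSTS]; /* authorized IPs, network byte order as returned by inet_addr() */
int AuthedIPNum;           /* number of valid entries in AuthedIP[] */

/*
 * Load the authorized addresses from `file` into AuthedIP[].
 *
 * One entry per line: leading blanks are skipped, the first blank-separated
 * token is the address and the rest of the line is ignored; empty lines and
 * lines whose first token starts with '#' are comments.  An entry whose
 * last octet is 0 is a /24 network (see IPIsAuthed).  At most MAXHOSTS
 * entries are kept.  If the file yields no usable entry the list falls back
 * to 127.0.0.1 only, so an empty list fails closed rather than open.
 *
 * Unparsable entries are skipped silently on purpose: under inetd, stderr
 * may be the client socket, so diagnostics would leak list contents.
 *
 * Exits the process if the file cannot be opened.
 */
void InitAuthIP(char *file)
{
    FILE *fp;
    char sBuf[64];

    if ((fp = fopen(file, "r")) == NULL) {
        fprintf(stderr, "fopen %s error, terminated\n", file);
        exit(EXIT_FAILURE);
    }

    AuthedIPNum = 0;
    while (AuthedIPNum < MAXHOSTS && fgets(sBuf, sizeof sBuf, fp) != NULL) {
        char *s;
        size_t len;
        in_addr_t IP;

        /* A line longer than the buffer would otherwise be parsed as
         * several entries; discard its tail so one line is one entry. */
        if (strchr(sBuf, '\n') == NULL) {
            int c;
            while ((c = fgetc(fp)) != EOF && c != '\n') {
                /* drain the remainder of the over-long line */
            }
        }

        /* First blank-delimited token, without strtok()'s static state. */
        s = sBuf + strspn(sBuf, " \t\r\n");
        len = strcspn(s, " \t\r\n");
        s[len] = '\0';

        if (len == 0) continue;     /* empty line */
        if (s[0] == '#') continue;  /* comment line */

        /* inet_addr() reports failure as INADDR_NONE.  The previous
         * `(IP = inet_addr(s)) != -1` with a u_long IP never matched on
         * platforms where u_long is wider than 32 bits, so bad lines were
         * stored as 255.255.255.255. */
        IP = inet_addr(s);
        if (IP != INADDR_NONE) {
            AuthedIP[AuthedIPNum++] = IP;
        }
    }
    fclose(fp);

    if (AuthedIPNum == 0) { /* default: loopback only */
        AuthedIP[0] = inet_addr("127.0.0.1");
        AuthedIPNum = 1;
    }
}

/*
 * Return TRUE (0) if `IP` (network byte order) matches an entry of
 * AuthedIP[], FALSE (-1) otherwise.
 *
 * An entry whose last octet is 0 is a /24 network and matches any address
 * with the same first three octets; any other entry must match exactly.
 * Both tests run in host byte order, so "last octet" means the last octet
 * regardless of the machine's endianness — the previous `entry & 255`
 * tested the first octet on little-endian hosts.
 */
int IPIsAuthed(u_long IP)
{
    uint32_t host_ip = ntohl((uint32_t)IP);
    int i;

    for (i = 0; i < AuthedIPNum; i++) {
        uint32_t entry = ntohl((uint32_t)AuthedIP[i]);

        if ((entry & 0xffu) == 0) {
            /* /24 network: compare the first three octets only.  The
             * previous `(entry & IP) == entry` was a bit-subset test and
             * admitted unrelated addresses whose bits were a superset of
             * the entry's. */
            if ((host_ip & NET24_MASK) == entry) {
                return TRUE;
            }
        } else if (entry == host_ip) {
            return TRUE;
        }
    }
    return FALSE;
}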
记录模块:log.c
#include
#include
#include
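char logFileName[32]; /* path of the log file, copied by InitLog() */
FILE *fp;             /* open log stream; set by InitLog(), used by PrLog/EndLog */

/*
 * Open the log file `sFileName` for appending and remember its name.
 *
 * Exits the process if the name does not fit logFileName or the file
 * cannot be opened.  The stream is left in the global `fp`.
 */
void InitLog(char *sFileName)
{
    /* The name was previously passed as the printf format itself
     * (sprintf(logFileName, sFileName)), so any '%' in it would have been
     * interpreted, and nothing bounded the copy to the 32-byte buffer. */
    int n = snprintf(logFileName, sizeof logFileName, "%s", sFileName);
    if (n < 0 || (size_t)n >= sizeof logFileName) {
        fprintf(stderr, "log file name too long\n");
        exit(EXIT_FAILURE);
    }
    if ((fp = fopen(logFileName, "a")) == NULL) {
        fprintf(stderr, "open log file error\n");
        exit(EXIT_FAILURE);
    }
}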