TCP Wrapper (hosts.allow & hosts.deny) Command Options in Linux

TCP wrappers are capable of more than allowing and denying access to services. With the optional command argument, they can send connection banners, warn of attacks from particular hosts, and enhance logging.


TCP wrapper banner for a service


To implement a TCP wrapper banner for a service, use the banner option. This example implements a banner for vsftpd. You need to create a banner file anywhere on the system, giving it the same name as the daemon. In this example, the file is called /etc/banners/vsftpd and contains the following lines:

220-Hello, %c
220-All activity on is logged.
220-Inappropriate use results in access privileges being removed.


The %c token supplies a variety of client information. The %d token (not shown) expands to the name of the daemon that the client attempted to connect to. For this banner to be displayed to incoming connections, add the following line to the /etc/hosts.allow file:

# vi /etc/hosts.allow
vsftpd : ALL : banners /etc/banners/


TCP wrappers to warn of potential attacks


TCP wrappers can warn you of potential attacks from a host or network by using the spawn directive. The spawn directive executes any shell command. In this example, access is being attempted from the network. Place the following line in the /etc/hosts.deny file to deny any connection attempts from that network, and to log the attempts to a special file:

# vi /etc/hosts.deny
ALL : : spawn /bin/echo `date` %c %d >> /var/log/intruder_alert


To allow the connection and log it, place the spawn directive in the /etc/hosts.allow file.


Deny access and log connection attempt


The following entry in /etc/hosts.deny denies all client access to all services (unless specifically permitted in /etc/hosts.allow) and logs the connection attempt:

# vi /etc/hosts.deny
ALL : ALL : spawn /bin/echo "%c tried to connect to %d and was blocked" >> /var/log/tcpwrappers.log


The log level can be raised with the severity option. Assume that anyone attempting to SSH to an FTP server is an intruder. To mark this, log the attempt with the emerg priority instead of the default, info, and deny the connection. To do this, place the following line in /etc/hosts.deny:

# vi /etc/hosts.deny
sshd : ALL : severity emerg


This uses the default authpriv logging facility, but elevates the priority from the default value of info to emerg, which posts log messages directly to the console.


Deny access from a specific domain


In the following example, if a connection to the SSH daemon (sshd) is attempted from a host in the domain, the echo command appends the attempt to a special log file and the connection is denied. Because the optional deny directive is used, this line denies access even though it appears in the /etc/hosts.allow file:

# vi /etc/hosts.allow
sshd : \
: spawn /bin/echo `/bin/date` access denied >> /var/log/sshd.log \
: deny


Each line of the rule ends with a backslash (\), which continues the rule onto the next line so that a long rule does not fail because of its length; each option field (spawn and deny) then starts on its own line.
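To make the evaluation order and option semantics described above concrete, here is an added Python model that is not part of the original article or of the tcp_wrappers code: it parses constructed hosts.allow and hosts.deny content, applies allow-then-deny matching with the deny option override, and expands the %c and %d tokens. The .badnet.test domain and the small matching subset it supports (ALL, exact daemon names, leading-dot domain suffixes) are assumptions.

```python
"""Model of tcpd access decisions for hosts.allow / hosts.deny (added example).

hosts.allow is read first, then hosts.deny; the first matching rule wins, an
explicit 'allow' or 'deny' option overrides the file it appears in, and a
connection matching no rule is granted.  Matching is a simplification of tcpd.
"""

# Constructed sample rule files; .badnet.test stands in for the page's elided domain.
ALLOW_RULES = r"""vsftpd : ALL : banners /etc/banners/
sshd : .badnet.test \
: spawn /bin/echo `/bin/date` access denied >> /var/log/sshd.log \
: deny
"""
DENY_RULES = r"""ALL : ALL : spawn /bin/echo "%c tried to connect to %d and was blocked" >> /var/log/tcpwrappers.log
"""

def parse_rules(text: str) -> list[tuple[str, str, list[str]]]:
    """Split 'daemons : clients [: option ...]' lines; a trailing backslash continues a line."""
    rules = []
    for line in text.replace("\\\n", " ").splitlines():
        line = line.split("#", 1)[0].strip()           # drop comments and blank lines
        fields = [f.strip() for f in line.split(":")]  # assumes no ':' inside spawn commands
        if len(fields) >= 2:
            rules.append((fields[0], fields[1], fields[2:]))
    return rules

def matches(pattern: str, value: str) -> bool:
    """ALL matches anything; a leading dot matches a domain suffix; otherwise exact match."""
    if pattern == "ALL":
        return True
    if pattern.startswith("."):
        return value.endswith(pattern)
    return pattern == value

def expand(text: str, client: str, daemon: str) -> str:
    """Expand the %c (client) and %d (daemon) tokens used by banners and spawn."""
    return text.replace("%c", client).replace("%d", daemon)

def decide(allow_text: str, deny_text: str, daemon: str, client: str) -> tuple[str, list[str]]:
    """Return (verdict, expanded options of the matching rule) for one connection."""
    for file_verdict, text in (("allow", allow_text), ("deny", deny_text)):
        for daemons, clients, options in parse_rules(text):
            if matches(daemons, daemon) and matches(clients, client):
                verdict = file_verdict
                for opt in options:
                    if opt in ("allow", "deny"):       # the option beats the file it is in
                        verdict = opt
                return verdict, [expand(o, client, daemon) for o in options]
    return "allow", []                                 # no rule matched: access granted
```

Running decide(ALLOW_RULES, DENY_RULES, "sshd", "evil.badnet.test") returns a deny verdict from hosts.allow, while a client outside that domain falls through to the ALL : ALL rule in hosts.deny.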

