Understanding TCP Wrappers (/etc/hosts.allow & /etc/hosts.deny) in Linux

TCP wrappers provide basic traffic filtering of incoming network traffic. Access to “wrapped” network services running on a Linux server from other systems can be allowed or denied. A TCP wrapped service is one that has been compiled against the libwrap.a library. Use the ldd command to determine whether a network service is linked to libwrap.a. The following example determines the absolute path name of the sshd service, and then lists the shared libraries linked to the sshd service, using the grep command to search for the libwrap library:

# which sshd


# ldd /sbin/sshd | grep libwrap
	libwrap.so.0 => /lib64/libwrap.so.0 (0x00007f1fea580000)


Configuration files


TCP wrappers rely on two configuration files as the basis for access control:


  • /etc/hosts.allow
  • /etc/hosts.deny


When a client attempts to connect to a network service on a remote system, these files are used to determine whether client access is allowed or denied. Use /etc/hosts.allow and /etc/hosts.deny to define rules that selectively allow or deny clients access to server daemons on local system. The format for entries is as follows for both files:


daemon_list : client_list [: command]


A description of each field follows:

  • daemon_list: A comma-separated list of daemons, or keyword ALL for all daemons
  • client_list: A comma-separated list of clients, or keyword ALL for all clients
  • command: An optional command that is executed when a client tries to access a server daemon


To allow client access, add the client host name or IP address in /etc/hosts.allow. To deny client access, add its name or IP address in /etc/hosts.deny.


The /etc/hosts.allow file is read first and is read from top to bottom. If a daemon-client pair matches the first line in the file, access is granted. If the line is not a match, the next line is read and the same check is performed. If all lines are read and no match occurs, the /etc/hosts.deny file is read, starting at the top. If a daemon-client pair match is found in the deny file, access is denied. If no rules for the daemon-client pair are found in either file, or if neither file exists, access to the service is granted.


Because access rules in hosts.allow are applied first, they take precedence over rules specified in hosts.deny. Therefore, if access to a service is allowed in hosts.allow, a rule denying access to that same service in hosts.deny is ignored. The following are some examples of entries in the /etc/hosts.allow file:


1. To allow clients on the 192.168.2 subnet to access FTP (daemon is vsftpd):

# vi /etc/hosts.allow
vsftpd : 192.168.2.*


 2. To allow all clients to access ssh, scp, and sftp (daemon is sshd):

# vi /etc/hosts.allow
sshd : ALL


3. Place the following entry in the /etc/hosts.deny file to deny FTP service to all clients except subnet 192.168.2.* (this assumes the previous entry of vsftpd:192.168.2.* exists in /etc/hosts.allow): 

# vi /etc/hosts.deny
vsftpd : ALL


 4. Use the .domain syntax to represent any hosts from a given domain. The following example allows connections to vsftpd from any host in the example.com domain (if the entry is in /etc/hosts.allow):

# vi /etc/hosts.allow
vsftpd : .example.com


If this entry appears in /etc/hosts.deny, the connection is denied. 


Was this answer helpful? 0 Users Found This Useful (0 Votes)