TCP Wrappers is a host-based access control system for network services on Linux.
It uses two files—/etc/hosts.allow and /etc/hosts.deny—to permit or block client connections.
In this guide you will learn how to write rules, test them with built-in commands, and make sure your services are secure.

Prerequisites

Before you begin:

  • A Linux server with TCP Wrappers installed (package name is usually tcpd)
  • Root or sudo access
  • Basic command-line skills

1. How TCP Wrappers Works

TCP Wrappers intercepts connections for services that are linked with the libwrap library.
When a client attempts to connect, the wrapper checks /etc/hosts.allow first; a matching rule there permits the connection.
If no rule in hosts.allow matches, it checks /etc/hosts.deny; a matching rule there blocks the connection.
If neither file matches, the connection is allowed.

2. Writing Rules in hosts.allow

Rules in /etc/hosts.allow have this format:

<service> : <client-list> [ : <command> ]

Example:

sshd    : 192.168.1.0/24
vsftpd  : .example.com : spawn /usr/bin/logger FTP connection from %h
ALL     : 10.0.0.5

3. Writing Rules in hosts.deny

Rules in /etc/hosts.deny use the same format.
They apply only if no rule in hosts.allow matches.
Common practice is to block all other hosts:

ALL : ALL

4. Testing Your Rules

Use these tools to test and debug your rules:

  • tcpdmatch
    tcpdmatch sshd 203.0.113.10
    Shows whether a client would be allowed or denied for the named service.
  • tcpdchk
    tcpdchk
    Validates the syntax of /etc/hosts.allow and /etc/hosts.deny. It reads those files itself and takes no file arguments; use -d to check copies in the current directory, and -v to print each rule as it was parsed.
  • Logging
    Check /var/log/auth.log or /var/log/daemon.log for allow/deny messages.
    You can increase verbosity by adding : spawn logger ... in your rule.
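The rule format from sections 2 and 3 and the evaluation order from section 1 (hosts.allow, then hosts.deny, then allow by default) can be reproduced in a few dozen lines, which is a convenient way to reason about a rule set before touching a server. The following Python script is an added example written for this guide; it is not part of the tcpd package and does not call the real tcpdmatch or tcpdchk. It parses constructed copies of the guide's own rule files, answers "would this client be allowed?" the way tcpdmatch does, and reports malformed lines the way tcpdchk does. It understands only the client forms used in this guide (ALL, a single address, CIDR, a leading-dot domain suffix, or a plain hostname); the names tcpdmatch, tcpdchk, parse_rules and evaluate are hypothetical, and the optional spawn command is recorded but never executed.

```python
"""Added example: a small tcpdmatch/tcpdchk-style checker for hosts.allow and
hosts.deny rules in the '<service> : <client-list> [ : <command> ]' format.
Hypothetical illustration code; it is not part of the tcpd package."""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass
class Rule:
    services: list          # first field, e.g. ["sshd"] or ["ALL"]
    clients: list           # second field, one or more client patterns
    command: Optional[str]  # optional third field; recorded here, never executed
    lineno: int


def check_pattern(pattern):
    """Return an error message for a client pattern this checker cannot interpret.
    Supported: ALL, a single IP, CIDR such as 192.168.1.0/24, a leading-dot
    domain suffix such as .example.com, or a plain hostname."""
    if pattern == "ALL" or pattern.startswith("."):
        return None
    try:
        ipaddress.ip_network(pattern, strict=False)
        return None
    except ValueError:
        pass
    if pattern and all(c.isalnum() or c in "-." for c in pattern):
        return None
    return f"unrecognised client pattern {pattern!r}"


def parse_rules(text):
    """Parse one access file. Returns (rules, errors); errors mimic tcpdchk output."""
    rules, errors = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        fields = [f.strip() for f in line.split(":", 2)]
        if len(fields) < 2 or not fields[0] or not fields[1]:
            errors.append(f"line {lineno}: expected '<service> : <client-list>'")
            continue
        clients = fields[1].split()
        errors.extend(f"line {lineno}: {e}" for e in map(check_pattern, clients) if e)
        command = fields[2] if len(fields) == 3 else None
        rules.append(Rule(fields[0].split(), clients, command, lineno))
    return rules, errors


def client_matches(pattern, client_ip, client_host=None):
    if pattern == "ALL":
        return True
    if pattern.startswith("."):   # suffix: matches ftp.example.com, not example.com itself
        return client_host is not None and client_host.lower().endswith(pattern.lower())
    try:
        return ipaddress.ip_address(client_ip) in ipaddress.ip_network(pattern, strict=False)
    except ValueError:            # not an address pattern: compare as an exact hostname
        return client_host is not None and client_host.lower() == pattern.lower()


def rule_matches(rule, service, client_ip, client_host=None):
    service_ok = service in rule.services or "ALL" in rule.services
    return service_ok and any(client_matches(p, client_ip, client_host) for p in rule.clients)


def evaluate(allow_rules, deny_rules, service, client_ip, client_host=None):
    """Order from section 1: hosts.allow, then hosts.deny, else allow.
    Returns (verdict, file, rule); file and rule are None for the default verdict."""
    for rule in allow_rules:
        if rule_matches(rule, service, client_ip, client_host):
            return "allowed", "hosts.allow", rule
    for rule in deny_rules:
        if rule_matches(rule, service, client_ip, client_host):
            return "denied", "hosts.deny", rule
    return "allowed", None, None


# Constructed sample files reproducing the guide's rules from sections 2 and 3.
HOSTS_ALLOW = """\
# constructed copy of the hosts.allow example from section 2
sshd    : 192.168.1.0/24
vsftpd  : .example.com : spawn /usr/bin/logger FTP connection from %h
ALL     : 10.0.0.5
"""
HOSTS_DENY = "ALL : ALL\n"
# Constructed malformed file to show what the syntax check reports.
BROKEN_ALLOW = "sshd 192.168.1.0/24\nvsftpd : 300.1.2.3/99\n"


def tcpdmatch(service, client_ip, client_host=None,
              allow_text=HOSTS_ALLOW, deny_text=HOSTS_DENY):
    """Like 'tcpdmatch <service> <client>': returns (verdict, file, matched line no)."""
    verdict, source, rule = evaluate(parse_rules(allow_text)[0], parse_rules(deny_text)[0],
                                     service, client_ip, client_host)
    return verdict, source, (rule.lineno if rule else None)


def tcpdchk(text):
    """Like 'tcpdchk': returns the list of problems found in one access file."""
    return parse_rules(text)[1]


if __name__ == "__main__":
    for svc, ip, host in [("sshd", "192.168.1.77", None), ("sshd", "203.0.113.10", None),
                          ("vsftpd", "198.51.100.4", "ftp.example.com"),
                          ("vsftpd", "198.51.100.4", "example.com"), ("httpd", "10.0.0.5", None)]:
        print(svc, ip, host, "->", tcpdmatch(svc, ip, host))
    for problem in tcpdchk(BROKEN_ALLOW):
        print("tcpdchk:", problem)
```

Two details worth noticing when you run it: a client whose reverse name is exactly example.com is not matched by the .example.com suffix rule and so falls through to the ALL : ALL deny, and with an empty hosts.deny every unmatched client is allowed, which is exactly the default from section 1 that the ALL : ALL rule exists to close.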

5. Common Command-Line Options

Some services include built-in support for TCP Wrappers options.
For SSHD, ensure in /etc/ssh/sshd_config you have:

UsePAM yes

And that pam_access.so is enabled in /etc/pam.d/sshd.
This makes SSHD defer to your hosts.allow and hosts.deny rules.

Conclusion

With TCP Wrappers you can easily restrict access to network services on your Linux server.
By writing clear rules in /etc/hosts.allow and /etc/hosts.deny, and testing them with tcpdmatch and tcpdchk, you keep your system secure and under your control.
