TCP Wrappers is a host-based access control system for network services on Linux.
It uses two files—/etc/hosts.allow and /etc/hosts.deny—to permit or block client connections.
In this guide you will learn how to write rules, test them with built-in commands, and make sure your services are secure.
Prerequisites
Before you begin:
- A Linux server with TCP Wrappers installed (the package is usually named tcpd)
- Root or sudo access
- Basic command-line skills
1. How TCP Wrappers Works
TCP Wrappers intercepts connections for services that are linked with the libwrap library.
When a client attempts to connect, it checks /etc/hosts.allow first.
If no match is found, it checks /etc/hosts.deny.
If neither file matches, the connection is allowed.
2. Writing Rules in hosts.allow
Rules in /etc/hosts.allow have this format:
<service> : <client-list> [ : <command> ]
Example:
sshd : 192.168.1.0/24
vsftpd : .example.com : spawn /usr/bin/logger FTP connection from %h
ALL : 10.0.0.5
3. Writing Rules in hosts.deny
Rules in /etc/hosts.deny use the same format.
They apply only if no rule in hosts.allow matches.
Common practice is to block all other hosts:
ALL : ALL
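To make the evaluation order from sections 1 to 3 concrete, here is an added Python re-implementation of the matching logic (not part of the tcpd distribution; the real checker is tcpdmatch). It parses the guide's own hosts.allow and hosts.deny examples, embedded here as constructed sample text, and supports the client patterns the guide uses: ALL, CIDR, exact address and .domain suffix.

```python
import ipaddress

# Constructed sample rule files mirroring the guide's examples.
HOSTS_ALLOW = """\
sshd : 192.168.1.0/24
vsftpd : .example.com : spawn /usr/bin/logger FTP connection from %h
ALL : 10.0.0.5
"""
HOSTS_DENY = "ALL : ALL\n"

def parse_rules(text):
    """Return [(services, clients, command)] from hosts.allow/hosts.deny text."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()      # drop comments and blanks
        if not line:
            continue
        fields = [f.strip() for f in line.split(":", 2)]
        services = fields[0].replace(",", " ").split()
        clients = fields[1].replace(",", " ").split()
        command = fields[2] if len(fields) > 2 else None
        rules.append((services, clients, command))
    return rules

def client_matches(pattern, addr, hostname):
    """Match one client pattern: ALL, CIDR, .domain suffix, or exact host/address."""
    if pattern == "ALL":
        return True
    if "/" in pattern:
        return ipaddress.ip_address(addr) in ipaddress.ip_network(pattern, strict=False)
    if pattern.startswith("."):
        return hostname is not None and hostname.endswith(pattern)
    return pattern == addr or pattern == hostname

def check_access(service, addr, hostname=None, allow=HOSTS_ALLOW, deny=HOSTS_DENY):
    """Evaluate like tcpd: hosts.allow first, then hosts.deny, default allow.
    Returns (verdict, expanded command of the matching rule or None)."""
    for verdict, text in (("allow", allow), ("deny", deny)):
        for services, clients, command in parse_rules(text):
            if service in services or "ALL" in services:
                if any(client_matches(p, addr, hostname) for p in clients):
                    expanded = command.replace("%h", hostname or addr) if command else None
                    return verdict, expanded
    return "allow", None   # neither file matched: tcpd permits the connection

if __name__ == "__main__":
    print(check_access("sshd", "203.0.113.10"))   # denied by ALL : ALL
```

Note that the model shows why the ALL : ALL line in hosts.deny matters: with both files empty, the last return makes every connection succeed.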
4. Testing Your Rules
Use these tools to test and debug your rules:
- tcpdmatch
Shows whether a client would be allowed or denied for the named service:
tcpdmatch sshd 203.0.113.10
- tcpdchk
Validates the syntax of your rule files (it reads /etc/hosts.allow and /etc/hosts.deny by default; use -d to check copies in the current directory):
tcpdchk -v
- Logging
Check /var/log/auth.log or /var/log/daemon.log for allow/deny messages.
You can increase verbosity by adding spawn logger ... to your rule.
5. Common Command-Line Options
Some services include built-in support for TCP Wrappers options.
For SSHD, ensure in /etc/ssh/sshd_config you have:
UsePAM yes
And that pam_access.so is enabled in /etc/pam.d/sshd.
This makes SSHD defer to your hosts.allow and hosts.deny rules.
Conclusion
With TCP Wrappers you can easily restrict access to network services on your Linux server.
By writing clear rules in /etc/hosts.allow and /etc/hosts.deny, and testing them with tcpdmatch and tcpdchk, you keep your system secure and under your control.
