23.4 About TCP Wrappers

TCP wrappers provide basic filtering of incoming network traffic. You can allow or deny access from other systems to certain wrapped network services running on a Linux server. A wrapped network service is one that has been compiled against the libwrap.a library. You can use the ldd command to determine if a network service has been wrapped as shown in the following example for the sshd daemon:

# ldd /usr/sbin/sshd | grep libwrap
	libwrap.so.0 => /lib64/libwrap.so.0 (0x00007f877de07000)

When a remote client attempts to connect to a network service on the system, the wrapper consults the rules in the configuration files /etc/hosts.allow and /etc/hosts.deny files to determine if access is permitted.

The wrapper for a service first reads /etc/hosts.allow from top to bottom. If the daemon and client combination matches an entry in the file, access is allowed. If the wrapper does not find a match in /etc/hosts.allow, it reads /etc/hosts.deny from top to bottom. If the daemon and client combination matches and entry in the file, access is denied. If no rules for the daemon and client combination are found in either file, or if neither file exists, access to the service is allowed.

The wrapper first applies the rules specified in /etc/hosts.allow, so these rules take precedence over the rules specified in /etc/hosts.deny. If a rule defined in /etc/hosts.allow permits access to a service, any rule in /etc/hosts.deny that forbids access to the same service is ignored.

The rules take the following form:

daemon_list : client_list [: command] [: deny]

where daemon_list and client_list are comma-separated lists of daemons and clients, and the optional command is run when a client tries to access a daemon. You can use the keyword ALL to represent all daemons or all clients. Subnets can be represented by using the * wildcard, for example 192.168.2.*. Domains can be represented by prefixing the domain name with a period (.), for example .mydomain.com. The optional deny keyword causes a connection to be denied even for rules specified in the /etc/hosts.allow file.

The following are some sample rules.

Match all clients for scp, sftp, and ssh access (sshd).

sshd : ALL

Match all clients on the 192.168.2 subnet for FTP access (vsftpd).

vsftpd : 192.168.2.*

Match all clients in the mydomain.com domain for access to all wrapped services.

ALL : .mydomain.com

Match all clients for FTP access, and displays the contents of the banner file /etc/banners/vsftpd (the banner file must have the same name as the daemon).

vsftpd : ALL : banners /etc/banners/

Match all clients on the 200.182.68 subnet for all wrapped services, and logs all such events. The %c and %d tokens are expanded to the names of the client and the daemon.

ALL : 200.182.68.* : spawn /bin/echo `date` “Attempt by %c to connect to %d" >> /var/log/tcpwr.log

Match all clients for scp, sftp, and ssh access, and logs the event as an emerg message, which is displayed on the console.

sshd : ALL : severity emerg

Match all clients in the forbid.com domain for scp, sftp, and ssh access, logs the event, and deny access (even if the rule appears in /etc/hosts.allow).

sshd : .forbid.com : spawn /bin/echo `date` "sshd access denied for %c" >>/var/log/sshd.log : deny

For more information, see the hosts_access(5) manual page.