TCP wrappers provide basic filtering of incoming network traffic. You can allow or deny access from other systems to certain wrapped network services running on a Linux server. A wrapped network service is one that has been compiled against the libwrap.a library. You can use the ldd command to determine if a network service has been wrapped, as shown in the following example for the sshd daemon:

# ldd /usr/sbin/sshd | grep libwrap
libwrap.so.0 => /lib64/libwrap.so.0 (0x00007f877de07000)
When a remote client attempts to connect to a network service on the system, the wrapper consults the rules in the configuration files /etc/hosts.allow and /etc/hosts.deny to determine if access is permitted.

The wrapper for a service first reads /etc/hosts.allow from top to bottom. If the daemon and client combination matches an entry in the file, access is allowed. If the wrapper does not find a match in /etc/hosts.allow, it reads /etc/hosts.deny from top to bottom. If the daemon and client combination matches an entry in the file, access is denied. If no rules for the daemon and client combination are found in either file, or if neither file exists, access to the service is allowed.
The wrapper first applies the rules specified in /etc/hosts.allow, so these rules take precedence over the rules specified in /etc/hosts.deny. If a rule defined in /etc/hosts.allow permits access to a service, any rule in /etc/hosts.deny that forbids access to the same service is ignored.
The rules take the following form:

daemon_list : client_list [: command] [: deny]

where daemon_list and client_list are comma-separated lists of daemons and clients, and the optional command is run when a client tries to access a daemon. You can use the keyword ALL to represent all daemons or all clients. Subnets can be represented by using the * wildcard, for example 192.168.2.*. Domains can be represented by prefixing the domain name with a period (.), for example .mydomain.com. The optional deny keyword causes a connection to be denied even for rules specified in the /etc/hosts.allow file.
The following are some sample rules.

Matches all clients for scp, sftp, and ssh access (sshd):

sshd : ALL

Matches all clients on the 192.168.2 subnet for FTP access (vsftpd):

vsftpd : 192.168.2.*

Matches all clients in the mydomain.com domain for access to all wrapped services:

ALL : .mydomain.com

Matches all clients for FTP access, and displays the contents of the banner file /etc/banners/vsftpd (the banner file must have the same name as the daemon):

vsftpd : ALL : banners /etc/banners/

Matches all clients on the 200.182.68 subnet for all wrapped services, and logs all such events. The %c and %d tokens are expanded to the names of the client and the daemon:

ALL : 200.182.68.* : spawn /bin/echo `date` "Attempt by %c to connect to %d" >> /var/log/tcpwr.log

Matches all clients for scp, sftp, and ssh access, and logs the event as an emerg message, which is displayed on the console:

sshd : ALL : severity emerg

Matches all clients in the forbid.com domain for scp, sftp, and ssh access, logs the event, and denies access (even though the rule appears in /etc/hosts.allow):

sshd : .forbid.com : spawn /bin/echo `date` "sshd access denied for %c" >>/var/log/sshd.log : deny
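The lookup order described above (hosts.allow first, then hosts.deny, default allow when nothing matches) is easy to get wrong when writing rules by hand. The following is an added example, not code from the documentation or from the TCP wrappers library itself: a small Python evaluator for the rule form daemon_list : client_list [: command] [: deny] that applies that order to a daemon and client name. The function names (parse_rules, client_matches, access_permitted) and the two sample files are constructed for this example; the sample files reuse rules shown on the page and add an ALL : ALL entry in hosts.deny to show how the default-allow behaviour is closed. Command fields such as spawn, banners and severity are parsed but not executed, and a literal colon inside a command (which the real format requires you to escape) is not handled.

```python
"""Minimal evaluator for TCP wrappers style hosts.allow / hosts.deny rules.

Added example, not from the documentation page. It follows the lookup order
described in the text: hosts.allow is read first, top to bottom; a match there
allows access unless the rule ends in the `deny` option. Otherwise hosts.deny
is read top to bottom, and a match there denies. No match in either file, or a
missing file, allows access.
"""


def parse_rules(text):
    """Parse rule lines into (daemons, clients, command, deny) tuples.

    Blank lines and '#' comments are skipped. A trailing `deny` field is the
    deny option; any other trailing fields form the optional command, which is
    recorded but never executed here.
    """
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = [f.strip() for f in line.split(":")]
        if len(fields) < 2:
            raise ValueError("rule needs daemon_list : client_list: %r" % raw)
        daemons = [d.strip() for d in fields[0].split(",")]
        clients = [c.strip() for c in fields[1].split(",")]
        options = fields[2:]
        deny = bool(options) and options[-1].lower() == "deny"
        command = ":".join(options[:-1] if deny else options) or None
        rules.append((daemons, clients, command, deny))
    return rules


def client_matches(pattern, client):
    """Match one client pattern (ALL, exact name or address, 192.168.2.*
    subnet wildcard, or .domain suffix) against a client string."""
    if pattern == "ALL":
        return True
    if pattern.startswith("."):          # domain: .mydomain.com
        return client.endswith(pattern)
    if pattern.endswith(".*"):           # subnet wildcard: 192.168.2.*
        return client.startswith(pattern[:-1])
    return client == pattern


def first_match(rules, daemon, client):
    """Return (command, deny) of the first rule matching daemon and client."""
    for daemons, clients, command, deny in rules:
        if any(d == "ALL" or d == daemon for d in daemons) and \
                any(client_matches(c, client) for c in clients):
            return command, deny
    return None


def access_permitted(daemon, client, allow_text="", deny_text=""):
    """Apply hosts.allow, then hosts.deny; return (permitted, reason)."""
    hit = first_match(parse_rules(allow_text), daemon, client)
    if hit is not None:
        _command, deny = hit
        if deny:
            return False, "hosts.allow rule with deny option"
        return True, "hosts.allow rule"
    if first_match(parse_rules(deny_text), daemon, client) is not None:
        return False, "hosts.deny rule"
    return True, "no matching rule (default allow)"


# Constructed sample files (not real system configuration).
HOSTS_ALLOW = """
# ssh only from the management subnet; log each attempt
sshd : 192.168.2.* : spawn /bin/echo `date` "Attempt by %c to connect to %d" >> /var/log/tcpwr.log
vsftpd : ALL : banners /etc/banners/
sshd : .forbid.com : spawn /bin/echo `date` "sshd access denied for %c" >>/var/log/sshd.log : deny
"""

HOSTS_DENY = """
# everything not explicitly allowed above is refused
ALL : ALL
"""


if __name__ == "__main__":
    for daemon, client in [("sshd", "192.168.2.7"), ("sshd", "192.168.20.5"),
                           ("sshd", "bad.forbid.com"), ("vsftpd", "10.0.0.5")]:
        print(daemon, client, access_permitted(daemon, client, HOSTS_ALLOW, HOSTS_DENY))
    # Without hosts.deny the unmatched sshd client falls through to the default allow.
    print("sshd", "10.0.0.5", access_permitted("sshd", "10.0.0.5", HOSTS_ALLOW, ""))
```

Running the script with the two constructed files shows the management subnet reaching sshd, a forbid.com host refused by the deny option even though its rule sits in hosts.allow, and the 192.168.20.5 host (which the 192.168.2.* wildcard does not cover) refused by hosts.deny. The last line shows the point worth checking on a real system: with no matching entry in hosts.deny, an unmatched client is allowed.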
For more information, see the hosts_access(5) manual page.