The software described in this documentation is either in Extended Support or Sustaining Support. See https://www.oracle.com/us/support/library/enterprise-linux-support-policies-069172.pdf for more information.
Oracle recommends that you upgrade the software described by this documentation as soon as possible.
TCP wrappers provide basic filtering of incoming network traffic. You can allow or deny access from other systems to certain wrapped network services running on a Linux server. A wrapped network service is one that has been compiled against the libwrap.a library. You can use the ldd command to determine whether a network service has been wrapped, as shown in the following example for the sshd daemon:
# ldd /usr/sbin/sshd | grep libwrap
libwrap.so.0 => /lib64/libwrap.so.0 (0x00007f877de07000)
If ldd prints nothing for libwrap, the service is not wrapped, and rules for it in /etc/hosts.allow and /etc/hosts.deny have no effect on it.
When a remote client attempts to connect to a network service on the system, the wrapper consults the rules in the configuration files /etc/hosts.allow and /etc/hosts.deny to determine whether access is permitted.
The wrapper for a service first reads /etc/hosts.allow from top to bottom. If the daemon and client combination matches an entry in the file, access is allowed. If the wrapper does not find a match in /etc/hosts.allow, it reads /etc/hosts.deny from top to bottom. If the daemon and client combination matches an entry in that file, access is denied. If no rules for the daemon and client combination are found in either file, or if neither file exists, access to the service is allowed. Because the default is to allow, a system that should fail closed needs an explicit catch-all rule (ALL : ALL) at the end of /etc/hosts.deny.
The wrapper first applies the rules specified in /etc/hosts.allow, so these rules take precedence over the rules specified in /etc/hosts.deny. If a rule defined in /etc/hosts.allow permits access to a service, any rule in /etc/hosts.deny that forbids access to the same service is ignored. Within a file, the first matching rule wins; later rules for the same daemon and client are not consulted.
The rules take the following form:
daemon_list : client_list [: option ...] [: deny]
where daemon_list and client_list are comma-separated lists of daemons and clients, and each optional option field (such as spawn, severity, or banners) is processed when a client matching the rule tries to access a matching daemon. You can use the keyword ALL to represent all daemons or all clients. Subnets can be represented by using the * wildcard, for example 192.168.2.*, or by a net/mask pair, for example 192.168.2.0/255.255.255.0. Domains can be represented by prefixing the domain name with a period (.), for example .mydomain.com. The optional deny keyword causes a connection to be denied even for rules specified in the /etc/hosts.allow file.
The following are some sample rules.
Match all clients for scp, sftp, and ssh access (sshd).
sshd : ALL
Match all clients on the 192.168.2 subnet for FTP access (vsftpd).
vsftpd : 192.168.2.*
Match all clients in the mydomain.com domain for access to all wrapped services.
ALL : .mydomain.com
Match all clients for FTP access, and display the contents of the banner file /etc/banners/vsftpd (the banner file must have the same name as the daemon).
vsftpd : ALL : banners /etc/banners/
Match all clients on the 200.182.68 subnet for all wrapped services, and log all such events. The %c and %d tokens are expanded to the names of the client and the daemon.
ALL : 200.182.68.* : spawn /bin/echo `date` "Attempt by %c to connect to %d" >> /var/log/tcpwr.log
Match all clients for scp, sftp, and ssh access, and log the event as an emerg message, which is displayed on the console.
sshd : ALL : severity emerg
Match all clients in the forbid.com domain for scp, sftp, and ssh access, log the event, and deny access (even if the rule appears in /etc/hosts.allow). Because the first matching rule wins, this rule must appear before any broader rule such as sshd : ALL, or it is never reached.
sshd : .forbid.com : spawn /bin/echo `date` "sshd access denied for %c" >>/var/log/sshd.log : deny
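The evaluation order and rule syntax described above can be checked offline before a rule set is deployed. The following is an added example, not tcpd's own code or part of this documentation: a small Python simulator that parses hosts.allow and hosts.deny text, applies the documented order (hosts.allow first, then hosts.deny, first match wins, no match anywhere means allow), and honours the deny and allow options. The sample rule files are constructed here and mirror the rules above; the client names and addresses are made up. Pattern handling follows hosts_access(5) (ALL, LOCAL, leading-dot domain, trailing-dot address prefix, net/mask, * and ? wildcards, and the EXCEPT operator); the simulator records spawn, severity and banners fields but does not execute them.

```python
"""Offline simulator for the tcpd hosts.allow / hosts.deny decision.

Added example, not tcpd's own code. It re-implements the documented
evaluation order so a rule set can be tested before it is deployed.
"""
import fnmatch
import ipaddress
import re
from typing import List, NamedTuple, Tuple


class Rule(NamedTuple):
    daemons: str          # raw daemon_list, e.g. "sshd" or "ALL EXCEPT in.ftpd"
    clients: str          # raw client_list, e.g. ".mydomain.com, 192.168.2.*"
    options: List[str]    # trailing fields: spawn ..., severity ..., deny, allow


def parse_rules(text: str) -> List[Rule]:
    """Parse one access-control file: comment lines starting with '#',
    blank lines, and backslash-newline continuation are handled."""
    rules, pending = [], ""
    for raw in text.splitlines():
        line = pending + raw
        if line.endswith("\\"):
            pending = line[:-1]
            continue
        pending = ""
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = [f.strip() for f in line.split(":")]
        if len(fields) < 2:
            raise ValueError(f"malformed rule: {line!r}")
        rules.append(Rule(fields[0], fields[1], fields[2:]))
    return rules


def _token_matches(pattern: str, name: str, ip: str) -> bool:
    """Match one pattern against a client's host name and address
    (or against a daemon name, with ip passed as an empty string)."""
    name = name.lower()
    if pattern == "ALL":
        return True
    if pattern == "LOCAL":                      # host name without a dot
        return "." not in name
    if pattern.startswith("."):                 # domain suffix, e.g. .mydomain.com
        return name.endswith(pattern.lower())
    if pattern.endswith("."):                   # address prefix, e.g. 192.168.2.
        return ip.startswith(pattern)
    if "/" in pattern:                          # net/mask or net/prefixlen
        return ipaddress.ip_address(ip) in ipaddress.ip_network(pattern, strict=False)
    if any(c in pattern for c in "*?"):         # shell-style wildcard
        return fnmatch.fnmatchcase(name, pattern.lower()) or fnmatch.fnmatchcase(ip, pattern)
    return pattern.lower() == name or pattern == ip


def _list_matches(pattern_list: str, name: str, ip: str) -> bool:
    """daemon_list / client_list semantics, including 'list_1 EXCEPT list_2'
    (nested EXCEPT groups to the right, as hosts_access(5) documents)."""
    if " EXCEPT " in pattern_list:
        included, excluded = pattern_list.split(" EXCEPT ", 1)
        return _list_matches(included, name, ip) and not _list_matches(excluded, name, ip)
    tokens = re.split(r"[,\s]+", pattern_list.strip())
    return any(_token_matches(t, name, ip) for t in tokens if t)


def check_access(daemon: str, client_name: str, client_ip: str,
                 hosts_allow: str, hosts_deny: str) -> Tuple[bool, str]:
    """Return (allowed, reason): hosts.allow top to bottom, then hosts.deny
    top to bottom, first match wins; the deny/allow options override the
    verdict the file would otherwise imply; no match anywhere allows."""
    for fname, text, file_verdict in (("hosts.allow", hosts_allow, True),
                                      ("hosts.deny", hosts_deny, False)):
        for rule in parse_rules(text):
            if (_list_matches(rule.daemons, daemon, "")
                    and _list_matches(rule.clients, client_name, client_ip)):
                allowed = file_verdict
                if "deny" in rule.options:
                    allowed = False
                if "allow" in rule.options:
                    allowed = True
                return allowed, f"{fname}: {rule.daemons} : {rule.clients}"
    return True, "no matching rule in either file (tcpd's default is to allow)"


# Constructed sample files mirroring the rules discussed in the text.
# The .forbid.com deny rule comes before "sshd : ALL": first match wins,
# so in the opposite order it would never be reached.
HOSTS_ALLOW = """\
sshd : .forbid.com : spawn /bin/echo `date` "sshd access denied for %c" >> /var/log/sshd.log : deny
sshd : ALL : severity emerg
vsftpd : 192.168.2.* : banners /etc/banners/
ALL : 200.182.68.0/255.255.255.0 : spawn /bin/echo `date` "Attempt by %c to connect to %d" >> /var/log/tcpwr.log
ALL : .mydomain.com
"""

HOSTS_DENY = """\
# Fail closed: anything not explicitly allowed above is refused.
ALL : ALL
"""

if __name__ == "__main__":
    for args in (("sshd", "bad.forbid.com", "203.0.113.9"),
                 ("sshd", "pc.example.net", "198.51.100.4"),
                 ("vsftpd", "nas.example.net", "192.168.2.7"),
                 ("vsftpd", "nas.example.net", "10.0.0.5"),
                 ("in.telnetd", "x.mydomain.com", "10.1.1.1")):
        print(args, check_access(*args, HOSTS_ALLOW, HOSTS_DENY))
```

Running the block with an empty hosts.deny shows the default-allow behaviour: the vsftpd client at 10.0.0.5, refused above by the catch-all ALL : ALL rule, is admitted as soon as that rule is gone.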
For more information, see the hosts_access(5) manual page, and the hosts_options(5) manual page for the spawn, severity, banners, and deny options.