The software described in this documentation is either in Extended Support or Sustaining Support. See https://www.oracle.com/us/support/library/enterprise-linux-support-policies-069172.pdf for more information.
Oracle recommends that you upgrade the software described by this documentation as soon as possible.
TCP wrappers provide basic filtering of incoming network traffic. You can allow or deny access from other systems to certain wrapped network services running on a Linux server. A wrapped network service is one that has been compiled against the libwrap.a library. You can use the ldd command to determine if a network service has been wrapped, as shown in the following example for the sshd daemon:

# ldd /usr/sbin/sshd | grep libwrap
libwrap.so.0 => /lib64/libwrap.so.0 (0x00007f877de07000)
When a remote client attempts to connect to a network service on the system, the wrapper consults the rules in the configuration files /etc/hosts.allow and /etc/hosts.deny to determine if access is permitted.
The wrapper for a service first reads /etc/hosts.allow from top to bottom. If the daemon and client combination matches an entry in the file, access is allowed. If the wrapper does not find a match in /etc/hosts.allow, it reads /etc/hosts.deny from top to bottom. If the daemon and client combination matches an entry in the file, access is denied. If no rules for the daemon and client combination are found in either file, or if neither file exists, access to the service is allowed.
The wrapper first applies the rules specified in /etc/hosts.allow, so these rules take precedence over the rules specified in /etc/hosts.deny. If a rule defined in /etc/hosts.allow permits access to a service, any rule in /etc/hosts.deny that forbids access to the same service is ignored.
The rules take the following form:

daemon_list : client_list [: command] [: deny]

where daemon_list and client_list are comma-separated lists of daemons and clients, and the optional command is run when a client tries to access a daemon. You can use the keyword ALL to represent all daemons or all clients. Subnets can be represented by using the * wildcard, for example 192.168.2.*. Domains can be represented by prefixing the domain name with a period (.), for example .mydomain.com. The optional deny keyword causes a connection to be denied even for rules specified in the /etc/hosts.allow file.
The following are some sample rules.

Match all clients for scp, sftp, and ssh access (sshd):

sshd : ALL

Match all clients on the 192.168.2 subnet for FTP access (vsftpd):

vsftpd : 192.168.2.*

Match all clients in the mydomain.com domain for access to all wrapped services:

ALL : .mydomain.com

Match all clients for FTP access, and display the contents of the banner file /etc/banners/vsftpd (the banner file must have the same name as the daemon):

vsftpd : ALL : banners /etc/banners/

Match all clients on the 200.182.68 subnet for all wrapped services, and log all such events. The %c and %d tokens are expanded to the names of the client and the daemon:

ALL : 200.182.68.* : spawn /bin/echo `date` "Attempt by %c to connect to %d" >> /var/log/tcpwr.log

Match all clients for scp, sftp, and ssh access, and log the event as an emerg message, which is displayed on the console:

sshd : ALL : severity emerg

Match all clients in the forbid.com domain for scp, sftp, and ssh access, log the event, and deny access (even though the rule appears in /etc/hosts.allow):

sshd : .forbid.com : spawn /bin/echo `date` "sshd access denied for %c" >>/var/log/sshd.log : deny
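The lookup order and the rule syntax described above can be checked against a small model of the wrapper's decision logic. The following Python is an added example, not part of this documentation or of the tcp_wrappers package; the two rule files are constructed samples, and the matcher covers only the pattern forms the text describes (ALL, a trailing * subnet wildcard, a leading-dot domain, and the deny keyword). Note that the .forbid.com rule must precede the broader sshd : ALL rule, because the wrapper stops at the first matching line in a file.

```python
# Constructed sample files (not from the page); the .forbid.com rule is listed
# first because the wrapper stops at the first matching line in each file.
HOSTS_ALLOW = """\
sshd : .forbid.com : spawn /bin/echo `date` "sshd access denied for %c" >> /var/log/sshd.log : deny
sshd : ALL
vsftpd : 192.168.2.*
ALL : .mydomain.com
"""
HOSTS_DENY = """\
vsftpd : ALL
"""

def parse_rules(text):
    """Parse 'daemon_list : client_list [: command] [: deny]' lines (commands with a literal ':' are out of scope)."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        fields = [f.strip() for f in line.split(":")]
        daemons = [d.strip() for d in fields[0].split(",")]
        clients = [c.strip() for c in fields[1].split(",")]
        explicit_deny = len(fields) > 2 and fields[-1].lower() == "deny"
        rules.append((daemons, clients, explicit_deny))
    return rules

def client_matches(pattern, client_ip, client_host):
    if pattern == "ALL":
        return True
    if pattern.startswith("."):                   # domain suffix, e.g. .mydomain.com
        return client_host.endswith(pattern)
    if pattern.endswith(".*"):                    # subnet wildcard, e.g. 192.168.2.*
        return client_ip.startswith(pattern[:-1])
    return pattern in (client_ip, client_host)    # exact address or host name

def rule_matches(rule, daemon, client_ip, client_host):
    daemons, clients, _ = rule
    return ("ALL" in daemons or daemon in daemons) and \
        any(client_matches(c, client_ip, client_host) for c in clients)

def hosts_access(daemon, client_ip, client_host, allow=HOSTS_ALLOW, deny=HOSTS_DENY):
    """hosts.allow top to bottom, then hosts.deny top to bottom; allow if nothing matches."""
    for rule in parse_rules(allow):
        if rule_matches(rule, daemon, client_ip, client_host):
            return "deny" if rule[2] else "allow"   # ': deny' overrides hosts.allow
    for rule in parse_rules(deny):
        if rule_matches(rule, daemon, client_ip, client_host):
            return "deny"
    return "allow"
```

Swapping the order of the first two hosts.allow lines makes hosts_access("sshd", "198.51.100.7", "mail.forbid.com") return "allow", which is the shadowing mistake to watch for when auditing these files.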
For more information, see the hosts_access(5) manual page.