Friday, February 4, 2011

TCP Wrappers: Securing Linux

This how-to describes configuring TCP Wrappers for providing Access Control for the supported services in a Linux box.TCP wrappers are supported by most of the Linux distributions such as Redhat Enterprise Linux, Ubuntu, SUSE, Debian, BSD and UNIX. TCP Wrappers work in the manner of a host-based Access Control List. They will allow host or network addresses to be used as indicators to filter and implement a layer of access control. They additionally extend the capabilities of xinetd-controlled daemons. By using this technique, connection attempts can be logged, restricted, and messages returned. This can add an extra layer of security in your environment. TCP Wrappers also allow run-time reconfiguration without restarting or reloading the services they protect.
The work flow of TCP wrappers

The TCP Wrappers package (tcp_wrappers) is installed by default and provides host-based access control to network services. The most important component within the package is the /usr/lib/libwrap.a library. In general terms, a TCP-wrapped service is one that has been compiled against the libwrap.a library.

 To determine if a client is allowed to connect to a service, TCP Wrappers reference the following two files, which are commonly referred to as hosts access files:

            a. /etc/hosts.allow

            b. /etc/hosts.deny

 When connections are attempted to a service using TCP wrappers, the following occurs (the following steps are important because order matters, and rules are processed line-by-line):

          1. The process will check the file /etc/hosts.allow. Access will be granted if a match is found in the /etc/hosts.allow file.

          2. The process will check the file /etc/hosts.deny. Access will be denied if a match is found in the /etc/hosts.deny file.

         3. In the event no matching rules apply, access will be granted.

In most cases, it then uses the syslog daemon (syslogd) to write the name of the requesting client and the requested service to /var/log/secure or /var/log/messages.

 The following are important points to consider when using TCP Wrappers to protect network services:

  •  Because access rules in hosts.allow are applied first, they take precedence over rules specified in hosts.deny. Therefore, if access to a service is allowed in hosts.allow, a rule denying access to that same service in hosts.deny is ignored.
  • The rules in each file are read from the top down and the first matching rule for a given service is the only one applied. The order of the rules is extremely important.
  • If no rules for the service are found in either file, or if neither file exists, access to the service is granted.
  • TCP-wrapped services do not cache the rules from the hosts access files, so any changes to hosts.allow or hosts.deny take effect immediately, without restarting network services.

Configuring TCP Wrappers in Linux


           daemon list: client list [: option: option: ...]

daemon list- This is a list of one or more daemon process names or wildcards

client list- This is a list of one or more host names, host addresses, patterns or wildcards that will be matched against the client host name or address.


  1. That really good but
    i want to allow only one ip for ssh port 22 and other ip through can not be login how to do that ? please guide me

    1. Then you should be using IP Tables to allow connection only from one IP.!!!

    2. you can also set a rule in TCP wrapper file too..
      just put a entry on host.allow file

    3. Hi,

      That indeed was the entire post was about !!!!!