TCP Wrappers to secure Linux

What are TCP Wrappers?

TCP Wrappers can be used to GRANT or DENY access to the services on your machine for hosts on the outside network or on the same network.

We do that with access-list rules kept in two files, /etc/hosts.allow and /etc/hosts.deny. The files are consulted on every connection, so TCP Wrappers allow run-time reconfiguration without restarting or reloading the services they protect.


  • Logging – Connections that are monitored by TCP Wrappers are reported through the syslog facility.
  • Access Control – TCP Wrappers support a simple form of access control based on pattern matching. You can even hook the execution of a shell command or script when a pattern matches.
  • Host Name Verification – TCP Wrappers verify the client host name returned by the address->name DNS lookup by checking it against the host name and address returned by the name->address DNS lookup.
  • Spoofing Protection – a host whose name and address do not agree can be rejected (see the PARANOID wildcard below).


TCP Wrappers do not work with all applications:

  • The program must be compiled with the libwrap library.
  • TCP Wrappers do not support RPC services over TCP.

How to check for the libwrap library?

To check whether a given service supports TCP Wrappers, use the following commands (example: sshd):

# which sshd

# ldd /usr/sbin/sshd | grep libwrap
=> /lib/ (0x00cb5000)    <— this line appears if the service supports TCP Wrappers

The ldd command lists the shared libraries a binary depends on, so it shows whether libwrap is a dependency or not.

Note: here the sshd service can be controlled by TCP Wrappers.

Check compatibility for the httpd service:

# which httpd

# ldd /usr/sbin/httpd | grep libwrap     <— no output means no dependency on libwrap, so TCP Wrappers cannot control httpd

How do TCP Wrappers work?

When a connection is attempted to a service that uses TCP Wrappers, the following happens. Order matters: the rules are processed line by line and the first match decides.

  1. The process checks the file /etc/hosts.allow. Access is granted if a match is found there.
  2. The process checks the file /etc/hosts.deny. Access is denied if a match is found there.
  3. If no rule matches in either file, access is granted.

Access control syntax:
The syntax for both the hosts.allow and hosts.deny files takes the following form:

 daemon : client [:option1:option2:…]

Where daemon is the process name of the service (sshd, vsftpd, and so on); several daemons can be listed, separated by commas.

client is a comma-separated list of host names, host IP addresses, special patterns or special wildcards identifying the hosts affected by the rule.
options is an optional action such as sending mail to the administrator when the rule matches, logging to a particular file, and so on. It can be a colon-separated list of several actions.

Examples of using TCP Wrappers

Deny all services:

By default /etc/hosts.allow and /etc/hosts.deny are blank, so no libwrap-dependent service is blocked by TCP Wrappers. Suppose I want to deny all services. Type:

We can watch the activity by viewing the log /var/log/messages.

/etc/hosts.allow should be blank, and in the file /etc/hosts.deny:

/etc/hosts.allow    <— should be blank



Here all services will be blocked from all clients.

Allow sshd only, the rest will be denied:

I want to allow SSH access from hosts in a particular IP address range and deny access to all others. I enter the following rules:

sshd :

sshd : ALL

Allow sshd only from a network, except one IP address:

sshd : EXCEPT


Allow only sshd and ftp from ALL clients:

sshd, ftpd : ALL


Allow all services from a domain, except from a domain:

Domain names can be used instead of IP addresses.



Note: ALL : 192.168. matches all hosts in the network; note the dot (.) at the end of the rule.

The next rule denies FTP access to all hosts in the domain as well as hosts in the network:

vsftpd : 192.168.0. , : spawn /bin/echo `/bin/date` access denied >> /var/log/vsftpd.log : deny

Log and deny access:

ALL : \
    : spawn (/bin/echo %a from %h attempted to access %d >> \
      /var/log/connections.log) \
    : deny

# tail -f /var/log/connections.log

::ffff: from ::ffff: attempted to access sshd
::ffff: from ::ffff: attempted to access sshd
::ffff: from ::ffff: attempted to access sshd

The backslash (\) in the above rule continues the rule on the next line, so a long rule does not fail because of its length.

spawn and deny are options. spawn launches a shell command as a child process; in the vsftpd rule above it appends a message to /var/log/vsftpd.log each time the rule matches, and here the message goes to /var/log/connections.log with %a, %h and %d expanded to the client address, the client host name and the daemon name. deny is optional if you put the rule in the hosts.deny file.
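As an added example (not code from the original post, and not tcpd's own), the following shows the %-expansion the spawn rule above relies on and a defender's summary of the connections.log it produces. The template is the page's; the log lines and the 203.0.113.0/24 addresses are constructed, and the sanitizer's allowed character set is this example's choice:

```python
"""What the page's spawn rule writes to connections.log, and how to read it back.

Added example: not code from the original post and not tcpd's own. expand_spawn()
performs the %-expansions used in the rule (%a client address, %h client host
name, %d daemon name), so its result is the line /bin/echo appends to the log;
summarize() counts such lines per client and per daemon, which is what an
operator following the log with tail -f wants. The log content is constructed;
203.0.113.0/24 is a documentation range.
"""
import re
from collections import Counter
from typing import Optional, Tuple

SPAWN_TEMPLATE = "%a from %h attempted to access %d"  # the template in the page's rule

# tcpd replaces shell metacharacters in expanded values with underscores, since %h
# comes from DNS and ends up on a shell command line. The allowed set is this example's choice.
_SAFE = set("abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_:@")


def sanitize(value: str) -> str:
    return "".join(ch if ch in _SAFE else "_" for ch in value)


def expand_spawn(template: str, address: str, hostname: Optional[str], daemon: str) -> str:
    """Expand %a, %h, %d and %%. %h falls back to the address when the reverse
    lookup failed, which produces the 'addr from addr' lines shown on the page;
    unknown %-sequences are left untouched."""
    values = {"a": sanitize(address), "h": sanitize(hostname or address),
              "d": sanitize(daemon), "%": "%"}
    return re.sub(r"%(.)", lambda m: values.get(m.group(1), m.group(0)), template)


LOG_LINE = re.compile(r"^(?P<addr>\S+) from (?P<host>\S+) attempted to access (?P<daemon>\S+)$")


def summarize(log_text: str) -> Tuple[Counter, Counter, int]:
    """Count attempts per client address and per daemon. Lines that do not fit the
    spawn format are counted separately: something other than the rule wrote them."""
    by_addr: Counter = Counter()
    by_daemon: Counter = Counter()
    malformed = 0
    for line in log_text.splitlines():
        if not line.strip():
            continue
        m = LOG_LINE.match(line.strip())
        if m is None:
            malformed += 1
            continue
        by_addr[m["addr"]] += 1
        by_daemon[m["daemon"]] += 1
    return by_addr, by_daemon, malformed


# Constructed log content in the format the page shows (IPv4 clients reported in the
# ::ffff: IPv4-mapped form, as in the page's tail output), plus one stray syslog line.
SAMPLE_LOG = "\n".join([
    expand_spawn(SPAWN_TEMPLATE, "::ffff:203.0.113.7", None, "sshd"),
    expand_spawn(SPAWN_TEMPLATE, "::ffff:203.0.113.7", None, "sshd"),
    expand_spawn(SPAWN_TEMPLATE, "::ffff:203.0.113.7", None, "sshd"),
    expand_spawn(SPAWN_TEMPLATE, "::ffff:203.0.113.9", "ws9.example.net", "vsftpd"),
    "Sep  1 10:00:00 host sshd[123]: unrelated syslog line",
])


def top_sources(log_text: str, n: int = 3) -> list:
    """The clients with the most denied attempts, in descending order."""
    by_addr, _, _ = summarize(log_text)
    return by_addr.most_common(n)
```

Running top_sources(SAMPLE_LOG) on the constructed log reports three attempts against sshd from ::ffff:203.0.113.7 and one against vsftpd from ::ffff:203.0.113.9, and summarize() flags the stray syslog line as malformed; the same functions work unchanged on a real /var/log/connections.log written by the rule above.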

Note: The files hosts.allow and hosts.deny must end with a newline character, or else the last rule will fail.
For example, you can use the spawn option to send mail to the admin whenever a deny rule is matched.


You can use wildcards in the client section of a rule to broadly classify a set of hosts. These are the valid wildcards:

  • ALL – Matches everything.
  • LOCAL – Matches any host whose name does not contain a dot (.), like localhost.
  • KNOWN – Matches any host whose name and address are known, or where the user is known.
  • UNKNOWN – Matches any host whose name or address is unknown, or where the user is unknown.
  • PARANOID – Matches any host where the hostname does not match the host address.
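To make the three-step lookup order described under "How do TCP Wrappers work?" and the client patterns just listed concrete, here is an added example (not code from the original post, and not the tcp_wrappers sources) that decides constructed connections against constructed hosts.allow and hosts.deny text. The rule text, host names and 192.0.2.0/24 and 198.51.100.0/24 addresses are constructed, and the toy handles IPv4 clients only:

```python
"""Toy evaluator for the hosts.allow / hosts.deny decision described on this page.

Added example: not code from the original post and not the tcp_wrappers sources.
It reproduces the lookup order (hosts.allow, then hosts.deny, then default allow)
and the client patterns the page lists: ALL, LOCAL, KNOWN, UNKNOWN, PARANOID, a
trailing-dot network prefix, a leading-dot domain suffix and EXCEPT. Rule text and
hosts are constructed; 192.0.2.0/24 and 198.51.100.0/24 are documentation ranges.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

Rule = Tuple[List[str], str, List[str]]  # (daemon list, client list, options)

@dataclass
class Client:
    """What the wrapper knows about a connecting host (constructed values)."""
    address: str
    hostname: Optional[str] = None  # None: the address->name lookup failed
    forward_ok: bool = True         # False: the name->address lookup disagrees

def parse_rules(text: str) -> List[Rule]:
    """Parse 'daemons : clients [: option ...]' lines, joining backslash
    continuations first. Splitting on ':' limits this toy to IPv4 clients."""
    rules: List[Rule] = []
    for line in text.replace("\\\n", " ").splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = [f.strip() for f in line.split(":")]
        daemons = [d.strip() for d in fields[0].split(",") if d.strip()]
        rules.append((daemons, fields[1], fields[2:]))
    return rules

def match_token(token: str, client: Client) -> bool:
    """Match one client pattern using the wildcards listed on the page."""
    host = client.hostname
    if token == "ALL":
        return True
    if token == "LOCAL":       # a name without a dot, e.g. localhost
        return host is not None and "." not in host
    if token == "KNOWN":       # name and address known and consistent
        return host is not None and client.forward_ok
    if token == "UNKNOWN":     # reverse lookup failed
        return host is None
    if token == "PARANOID":    # name and address do not agree
        return host is not None and not client.forward_ok
    if token.endswith("."):    # "192.168.0." matches the whole network
        return client.address.startswith(token)
    if token.startswith("."):  # ".example.net" matches every host in the domain
        return host is not None and host.endswith(token)
    return token in (client.address, host)

def match_list(client_list: str, client: Client) -> bool:
    """'a, b EXCEPT c' matches when a or b matches and c does not. EXCEPT groups
    to the right, so 'a EXCEPT b EXCEPT c' means a EXCEPT (b EXCEPT c)."""
    padded = f" {client_list} "
    if " EXCEPT " in padded:
        include, _, exclude = padded.partition(" EXCEPT ")
        return match_list(include.strip(), client) and not match_list(exclude.strip(), client)
    return any(match_token(t, client) for t in client_list.replace(",", " ").split())

def rule_matches(rule: Rule, daemon: str, client: Client) -> bool:
    daemons, client_list, _ = rule
    return any(d in ("ALL", daemon) for d in daemons) and match_list(client_list, client)

def decide(hosts_allow: str, hosts_deny: str, daemon: str, client: Client) -> str:
    """The page's three steps: a match in hosts.allow grants, then a match in
    hosts.deny denies, otherwise access is granted. An explicit 'deny' or 'allow'
    option on the matching rule (the page's ': deny') overrides the file's verdict."""
    for verdict, text in (("allow", hosts_allow), ("deny", hosts_deny)):
        for rule in parse_rules(text):
            if rule_matches(rule, daemon, client):
                options = rule[2]
                return "deny" if "deny" in options else "allow" if "allow" in options else verdict
    return "allow"  # step 3: nothing matched

# Constructed rule files in the spirit of the page's examples.
HOSTS_ALLOW = """
sshd : 192.0.2. EXCEPT 192.0.2.99
sshd, vsftpd : LOCAL
"""
HOSTS_DENY = """
vsftpd : 192.0.2. , .example.net : spawn /bin/echo `/bin/date` access denied >> /var/log/vsftpd.log : deny
ALL : ALL
"""

def demo() -> dict:
    """Decide a few constructed connections; returns (daemon, address) -> verdict."""
    cases = {
        ("sshd", "192.0.2.10"): Client("192.0.2.10", "ws10.example.net"),
        ("sshd", "192.0.2.99"): Client("192.0.2.99", "ws99.example.net"),  # the EXCEPT host
        ("sshd", "198.51.100.5"): Client("198.51.100.5"),                  # reverse DNS failed
        ("vsftpd", "127.0.0.1"): Client("127.0.0.1", "localhost"),          # LOCAL
        ("vsftpd", "192.0.2.10"): Client("192.0.2.10", "ws10.example.net"),
        ("httpd", "192.0.2.10"): Client("192.0.2.10", "ws10.example.net"),
    }
    return {key: decide(HOSTS_ALLOW, HOSTS_DENY, key[0], c) for key, c in cases.items()}
```

demo() grants sshd from 192.0.2.10 and vsftpd from localhost, and denies everything else: the EXCEPT host and the host with no reverse DNS fall through hosts.allow and hit the closing ALL : ALL, while vsftpd from 192.0.2.10 is caught by the logging rule whose explicit deny option ends the lookup. Note that with two blank files decide() returns "allow", which is the page's step 3.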

How do I examine my TCP Wrappers configuration files?

Use the tcpdchk command to examine your TCP Wrappers configuration; it reports all the potential and real problems it can find:
tcpdchk -v

Be careful:

  • Put TCP Wrappers behind a firewall; TCP Wrappers are no substitute for a netfilter (iptables) or pf firewall.
  • Never configure TCP Wrappers on a firewall host.
  • TCP Wrappers are good for use on production servers. Remember: always test thoroughly before any security implementation.

Enjoy Linux…..It Works………..!!

CEO, KV IT-Solutions Pvt. Ltd. | [email protected] | 9810028374|
Linux Professional and an Industrial Trainer | 20 + years Experience in IT Industry

” We are born free, No Gate and Windows can snatch our freedom “

