A Simple Introduction to TCP Wrappers

0993fb024232491eIn the world of Linux there are numerous ways that you can configure a Linux server to allow or deny access to a service, and while many people like to rely solely on Iptables, I wanted to take the opportunity to get my feet wet with TCP Wrappers. Note that this post is not meant to be the be-all end-all post on tcp wrappers. I am not going to review each and every configuration option, and trust me there are quite a few. Rather this is going to be a simple post which explains how to use tcp wrappers.

TCP Wrappers Configuration Files

First off you need to know that there are two configuration files for TCP wrappers. They are listed below.



To determine if a remote host is allowed to access a local service, the hosts.allow file referenced first, then the hosts.deny is referenced. Each file is read from the top down.

Rules in the hosts.allow take precedence over rules in the hosts.deny. Access will be granted for rules in the /etc/hosts.allow, and denied for rules in the /etc/hosts.deny ( note that this is not always the case, however this is how most people use tcpwrappers)

Basic rules are configured using the format below

<daemon list> : <client list> [: <option> : <option> ]

Below is a very simple and basic rule for sshd. In this example we want to allow all hosts in the domain fatmin.com to have access to sshd, and we want to deny sshd access to everyone else.

So in the /etc/hosts.allow

sshd : *.fatmin.com

and in /etc/hosts.deny

sshd: ALL

Creating Rule Matching Patterns

Ok, so what I have shown you above is a very simple example using a very simple matching rule, however there are actually quite a few ways to format a rule lets review a few of the more common ones that you might see.

Match by Hostname – All hosts below in the domain fatmin.com matched. Vsftpd is specified service

vsftpd: .fatmin.com

Match by IP address – All hosts in 192.168.x.x are matched. Vsftpd is specified service

vsftpd: 192.168.

Match by IP/Subnet – All hosts in are matched. Vsftpd is specified service


Match All – All Services and Hosts are matched.


What Services Use TCP Wrappers

Initially TCP Wrapper only “wrapped” services that were configured as part of inet.d, or xinet.d, but over time more and more processes have been configured to use librap.so. The example below shows how see if a daemon used libwrap, and can therefore be allowed or blocked via tcpwrappers.

Below we are locating the sshd binary and seeing if it uses libwrap. Which is does.

# whereis sshd

# ldd /usr/sbin/sshd | grep wrap
libwrap.so.0 => /lib64/libwrap.so.0 (0x00007f03f005d000)

Below we are locating the smbd binary and seeing if it uses libwrap. Which is does not.

# whereis smbd

# ldd /usr/sbin/smbd | grep wrap

Instead of checking one service at a time you can run the command below. Note that if a service is not installed, it will not show up

# strings -f /usr/sbin/* |grep hosts_access
/usr/sbin/rpc.mountd: hosts_access
/usr/sbin/sshd: hosts_access
/usr/sbin/tcpd: hosts_access_verbose
/usr/sbin/tcpdmatch: hosts_access_verbose
/usr/sbin/vsftpd: hosts_access
/usr/sbin/xinetd: hosts_access

Note that httpd, samba (smb) and nfs are not configured by default to use tcpwrappers (however it can be done but that is outside the scope of this post)

Configuration Examples

Below are are few more configuration examples that might be useful for reference.

Allow tftpd access from fatmin, and block everyone else.


in.tftpd : .fatmin.com


in.tftpd : .ALL

Allow SSH access from fatmin.com, but block from example.com. Also send log to sshd.log


sshd: .fatmin.com


sshd : .example.com  \
: spawn /bin/echo `/bin/date` access denied>>/var/log/sshd.log \
: deny

Block tfpd access for all of fatmin.com except for server1.fatmin.com. Note that there is no corresponding hosts.allow entry needed.


tftpd .fatmin.com EXCEPT server1.fatmin.com