TCP Wrappers

We are indebted to Rob Sellars for his excellent article: TCP Wrappers, Locked doors and a security camera for computer!

How does "tcp wrappers" work?  Many programs do not run all the time as they are infrequently used and would create unnecessary overhead.  The inetd program is run takes care of this nicely.  When a user tries to connect to your computer, the connection is made up of a pair of data: an ip address and a port. Inetd reacts to this connection by looking up the port number in /etc/services, and then looking in the file /etc/inetd.conf for a corresponding service, (program) and then runs the service. With tcp wrappers, inetd is tricked into running tcpd instead of the service that would normally be called. Tcpd checks it's rules in the /etc/hosts.allow and /etc/hosts.deny files. It either accepts the connection and runs the service or denies the connection based on it's rules.

NOTE: tcp wrappers only works for services that inetd starts! Sendmail, apache, and named do not use inetd, and so they are not protected via tcp wrappers.

Check to see if tcp wrappers is installed. Most distributions install tcp wrappers by default. The easiest way to see if tcp wrappers is installed is to view the /etc/inetd.conf file. If it is not installed, a typical line looks like this:

Do this:

ftp    stream  tcp     nowait  root    /usr/sbin/ftpd       ftpd -l -a

and if it is installed, it looks like this:

ftp    stream  tcp     nowait  root    /usr/sbin/tcpd       ftpd -l -a

The bolded part shows the difference. Assuming it is installed, you must edit your /etc/host.allow and /etc/host.deny files to give tcpd the rules it needs.

Edit your /etc/hosts.allow  and /etc/hosts.deny to limit access to your computer's network services.  One of the nice features of tcp wrappers is the ability to control access to your computers network services and log failed or successful attempts. You can also perform certain actions based on the users hostname.  When someone tries to connect to a network service on your computer, the tcp wrapper (tcpd) reads the file /etc/hosts.allow  for a rule that matches the the hostname of the person trying to connect, if /etc/hosts.allow doesn't contain a rule allowing access, tcpd reads /etc/hosts.deny for a rule that would deny access to the hostname. If neither file contains an accept or deny rule, access is granted by default.  It's important to note the sequence of events here.  "hosts.allow" is read first and overrides anything in "hosts.deny".  As you'll see, we tell the server to accept connections from specific machines in hosts.allow, but via hosts.deny we tell our server to refuse access to anyone for any reason.

In the following examples we are going to  deny all finger request, and deny telnet access to all users from  The format of the rules in the hosts.allow/hosts.deny files is as follows:

service: hostname : options
An example   /etc/hosts.allow  could look like the following:
ipop3d: ALL: ALLOW

in.telnetd: : ALLOW

Note: in the two rules above, each rule must be on ONE line, it may appear as more than one line here due to article formatting.

In the first line "ipop3d" is the service, the hostname is "ALL" which means the rule applies to all hosts, and finally we tell tcpd to "ALLOW" the connection.

The second rule follows the same format as the first, it allows access to telnet only for users from "".

Again: Each rule goes on it's own unbroken line.

The above example was given to explain rules tcp wrappers uses. Here is what I have on my server for /etc/hosts.allow:

# allow connections from my local network
# allow all connections from computers on my network

This file allows permissions based on ip addresses instead of services. Since it is a home network, all computers are trusted and listed. Obviously ip spoofing needs to be fixed or this method is not secure. I want all connects from outside my network denied and a message sent to me telling me what happened. My /etc/hosts.deny looks like this:

ALL:ALL : spawn (echo Attempt from %h %a to %d at `date` | tee -a /var/log/tcp.deny.log |mail )
This needs to be on ONE line. And yes, I do get email from here - about two a week. They look like this:

Attempt from to in.ftpd at Mon Jul 5 21:44:54 EDT 1999