Using TCP Wrappers to secure Linux

October 08, 2005
TCP Wrappers can be used to GRANT or DENY access to various services on your machine to the outside network or other machines on the same network. It does this by using simple Access List Rules which are included in the two files /etc/hosts.allow and /etc/hosts.deny .

Let us consider this scenario: A remote machine remote_mc trying to connect to your local machine local_mc using ssh.

When the request from the remote_mc is received by the tcp wrapped service (SSH in this case), it takes the following basic steps:
  1. It checks the /etc/hosts.allow file and applies the first rule specified for that service. If it finds a matching rule , it allows the connection. If no rule is found, it moves on to step 2.
  2. It checks the /etc/hosts.deny file and if a matching rule is found, it deny's the connection.
Points to remember
  • Rules in hosts.allow takes precedence over rules in hosts.deny . Which means if a matching rule is found in hosts.allow file, the remote_mc is allowed access to the service even if there is a matching deny rule in hosts.deny file.
  • You can have only one rule per service in hosts.allow and hosts.deny file.
  • If there are no matching rules in either of the files or if the files don't exist, then the remote_mc is allowed access to the service.
  • Any changes to hosts.allow and hosts.deny file takes immediate effect.
Rule Syntax
The syntax for both hosts.allow and hosts.deny file takes the following form:
daemon : client [:option1:option2:...]
Where daemon can be a combination of ssh daemon, ftp daemon, portmap daemon and so on. Basically any service which has support for libwrap.a library compiled into it is a good candidate for utilizing the services of TCP Wrappers.

client is a comma separated list of hostnames, host IP addresses, special patterns or special wildcards which identify the hosts effected by that rule.

options is an optional action like say sending mail to the administrator when this rule is matched, log to a particular file and so on. It can be a colon separated list of actions too.

Examples of using TCP Wrappers

I want to allow SSH access to hosts in a particular domain say and deny access to all the others. I enter the following rule in the hosts.allow file.
sshd :
... and in the hosts.deny file I include the rule:

sshd : ALL
The next rule denys FTP access to all the hosts in the domain as well as hosts in the network.

#FILE: /etc/hosts.deny
vsftpd : 192.168.1. , : spawn /bin/echo `/bin/date` access denied >> /var/log/vsftpd.log : deny
The backslash (\) in the above rule is used to break the line and prevents the failure of the rule due to length.

spawn and deny are options. Spawn launches a shell command as a child process. In the above rule, spawn logs a message to the vsftpd log file each time the rule matches. deny is optional if you are including this rule in the hosts.deny file.

Note: The last line in the files hosts.allow and hosts.deny must be a new line character. Or else the rule will fail.
For example, you can use spawn option to send mail to the admin when ever a deny rule is matched.

You can use wildcards in the client section of the rule to broadly classify a set of hosts. These are the valid wildcards that can be used.

  • ALL - Matches everything
  • LOCAL - Matches any host that does not contain a dot (.) like localhost.
  • KNOWN - Matches any host where the hostname and host addresses are known or where the user is known.
  • UNKNOWN - Matches any host where the hostname or host address are unknown or where the user is unknown.
  • PARANOID - Matches any host where the hostname does not match the host address.
You can also use patterns in the client section of the rule . Some examples are as follows:

Matches all hosts in the domain . Note the dot (.) at the beginning.

ALL : 123.12.
Matches all the hosts in the network. Note the dot (.) in the end of the rule.

IP address/Netmask can be used in the rule.

ALL : *
Asterisk * matches entire groups of hostnames or IP addresses.

sshd : /etc/sshd.deny
If the client list begins with a slash (/), it is treated as a filename. In the above rule, TCP wrappers looks up the file sshd.deny for all SSH connections.

If the above rule is included in the /etc/hosts.deny file, then it will allow ssh connection for only the machine with the IP address and block all other connections. Here EXCEPT is an operator.

Note: If you want to restrict use of NFS and NIS then you may include a rule for portmap . Because NFS and NIS depend on portmap for their successful working. In addition, changes to portmap rules may not take effect immediately.

Suppose I want to log all connections made to SSH with a priority of emergency. See my previous post to know more on logging. I could do the following:

sshd : : severity emerg
Note: You can use the options allow or deny to allow or restrict on a per client basis in either of the files hosts.allow and hosts.deny

in.telnetd : : deny
in.telnetd : : allow

Shell Commands
As mentioned above, you can couple the rules to certain shell commands by using the following two options.

spawn - This option launches a shell command as a child process. For example, look at the following rule:

sshd : : spawn /bin/echo `/bin/date` from %h >> /var/log/ssh.log : deny

Each time the rule is satisfied, the current date and the clients hostname %h is appended to the ssh.log file.

twist - This is an option which replaces the request with the specified command. For example, if you want to send to the client trying to connect using ssh to your machine, that they are prohibited from accessing SSH, you can use this option.

sshd : : twist /bin/echo "You are prohibited from accessing this service!!" : deny

When using spawn and twist, you can use a set of expressions. They are as follows :
%a — The client's IP address.
%A — The server's IP address.
%c — Supplies a variety of client information, such as the username and hostname, or the username and IP address.
%d — The daemon process name.
%h — The client's hostname (or IP address, if the hostname is unavailable).
%H — The server's hostname (or IP address, if the hostname is unavailable).
%n — The client's hostname. If unavailable, unknown is printed. If the client's hostname and host address do not match, paranoid is printed.
%N — The server's hostname. If unavailable, unknown is printed. If the server's hostname and host address do not match, paranoid is printed.
%p — The daemon process ID.
%s — Various types of server information, such as the daemon process and the host or IP address of the server.
%u — The client's username. If unavailable, unknown is printed.


  • Great article! This was very useful for myself as I was trying to restrict IP addresses using vsftp.


  • Very useful!

    Thanks a lot..


  • Excellent short TCP Wrappers tutorial!

    As an option, I want to mention that a little hack with DenyHosts allows dynamic blocking of brute force attacks on SSH. For details please check

  • Just a quick post to agree with the comments above. This is an excellent little tutorial on TCP wrappers.

    Thank you!

  • simple and to the they all should be!

  • I agree with the other folks; Well written and to the point. Very helpful.


  • Bhushan

    Practically useful and too the point

  • Great article! Just what I was looking for and more.

    Even as a seasoned admin I learned a few things here, showing me I should look under the hood of a few other day-to-day Unix tools I use

  • Fantastic article. To the point and well written. I now have more inisght into different DenyHosts configuration schemes.

  • very very thanks for this artical
    it helped me very much

    now tcp wrapper concept is very clear for me.

    very great effort