Understanding TCP Wrappers (/etc/hosts.allow & /etc/hosts.deny) in Linux - The Geek Diary
Linux
By admin (https://www.thegeekdiary.com/author/sandeep_patil/)
TCP wrappers provide basic traffic filtering of incoming network traffic. Access to "wrapped" network services
running on a Linux server from other systems can be allowed or denied. A TCP-wrapped service is one that has
been compiled against the libwrap.a library. Use the ldd command to determine whether a network service is
linked to libwrap. The following example determines the absolute path name of the sshd service, and then
lists the shared libraries linked to sshd, using the grep command to search for the libwrap library:
# which sshd
/sbin/sshd
# ldd /sbin/sshd | grep libwrap
/etc/hosts.allow
/etc/hosts.deny
When a client attempts to connect to a network service on a remote system, these files are used to determine
whether client access is allowed or denied. Use /etc/hosts.allow and /etc/hosts.deny to define rules that
selectively allow or deny clients access to server daemons on the local system. The format for entries is as follows
for both files:
https://www.thegeekdiary.com/understanding-tcp-wrappers-in-linux/ 1/4
1/29/2020 Understanding TCP Wrappers (/etc/hosts.allow & /etc/hosts.deny) in Linux – The Geek Diary
To allow client access, add the client host name or IP address in /etc/hosts.allow. To deny client access, add its
name or IP address in /etc/hosts.deny.
The /etc/hosts.allow file is read first and is read from top to bottom. If a daemon-client pair matches the first
line in the file, access is granted. If the line is not a match, the next line is read and the same check is performed.
If all lines are read and no match occurs, the /etc/hosts.deny file is read, starting at the top. If a daemon-client
pair match is found in the deny file, access is denied. If no rules for the daemon-client pair are found in either
file, or if neither file exists, access to the service is granted.
Because access rules in hosts.allow are applied first, they take precedence over rules specified in hosts.deny.
Therefore, if access to a service is allowed in hosts.allow, a rule denying access to that same service in
hosts.deny is ignored. The following are some examples of entries in the /etc/hosts.allow file:
# vi /etc/hosts.allow
vsftpd : 192.168.2.*
2. To allow all clients to access ssh, scp, and sftp (daemon is sshd):
# vi /etc/hosts.allow
sshd : ALL
3. Place the following entry in the /etc/hosts.deny file to deny FTP service to all clients except subnet 192.168.2.*
(this assumes the previous entry of vsftpd:192.168.2.* exists in /etc/hosts.allow):
# vi /etc/hosts.deny
vsftpd : ALL
4. Use the .domain syntax to represent any hosts from a given domain. The following example allows
connections to vsftpd from any host in the example.com domain (if the entry is in /etc/hosts.allow):
# vi /etc/hosts.allow
vsftpd : .example.com
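The evaluation order described above (hosts.allow first, top to bottom, then hosts.deny, then allow by default) is easy to get wrong when reading a pair of real files, so the following added example models it in Python against the four entries shown in examples 1 to 4. This is not code from the article or from libwrap itself: it assumes the "daemon : client" entry format the examples use and only the client patterns the article shows (ALL, a leading-dot domain such as .example.com, a trailing-dot address prefix, and shell-style wildcards such as 192.168.2.*). The sample hosts.allow and hosts.deny contents and the client hosts and addresses are constructed for the demonstration.

```python
"""Model of TCP wrappers' hosts.allow / hosts.deny evaluation order.

Added illustration, not the article's or libwrap's own code. It assumes
entries of the form 'daemon_list : client_list' and supports only the
client patterns used in the article's examples.
"""
from fnmatch import fnmatchcase
from typing import Dict, List, Tuple

Rule = Tuple[List[str], List[str]]  # (daemon patterns, client patterns)


def parse_rules(text: str) -> List[Rule]:
    """Parse the text of one access-control file into (daemons, clients) rules."""
    rules: List[Rule] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        parts = [p.strip() for p in line.split(":")]
        if len(parts) < 2:
            continue  # malformed entry: no client list, ignored in this model
        daemons = [d.strip() for d in parts[0].split(",") if d.strip()]
        clients = [c.strip() for c in parts[1].split(",") if c.strip()]
        rules.append((daemons, clients))
    return rules


def client_matches(pattern: str, host: str, addr: str) -> bool:
    """Match one client pattern against a client's host name and IP address."""
    if pattern == "ALL":
        return True
    if pattern.startswith("."):  # .example.com matches any host in that domain
        return host.endswith(pattern)
    if pattern.endswith("."):  # 192.168.2. matches any address with that prefix
        return addr.startswith(pattern)
    if "*" in pattern or "?" in pattern:  # shell-style wildcard, e.g. 192.168.2.*
        return fnmatchcase(addr, pattern) or fnmatchcase(host, pattern)
    return pattern in (addr, host)  # exact host name or address


def rule_matches(rule: Rule, daemon: str, host: str, addr: str) -> bool:
    daemons, clients = rule
    daemon_ok = any(d in ("ALL", daemon) for d in daemons)
    return daemon_ok and any(client_matches(c, host, addr) for c in clients)


def access_decision(allow_text: str, deny_text: str,
                    daemon: str, host: str, addr: str) -> str:
    """Return 'allow' or 'deny' following the order the article describes:
    hosts.allow is consulted first and a match grants access; otherwise
    hosts.deny is consulted and a match denies; no match in either (or an
    empty/missing file) grants access."""
    for rule in parse_rules(allow_text):
        if rule_matches(rule, daemon, host, addr):
            return "allow"
    for rule in parse_rules(deny_text):
        if rule_matches(rule, daemon, host, addr):
            return "deny"
    return "allow"


# Constructed file contents mirroring the article's examples 1-4.
HOSTS_ALLOW = """
vsftpd : 192.168.2.*
sshd : ALL
vsftpd : .example.com
"""
HOSTS_DENY = """
vsftpd : ALL
"""


def demo() -> Dict[Tuple[str, str], str]:
    """Evaluate a few constructed clients against the sample files."""
    cases = [
        ("vsftpd", "pc1.lan", "192.168.2.10"),          # allowed by example 1
        ("vsftpd", "ftp.example.com", "203.0.113.5"),   # allowed by example 4
        ("vsftpd", "other.net", "198.51.100.7"),        # denied by example 3
        ("sshd", "other.net", "198.51.100.7"),          # allowed by example 2
        ("telnetd", "other.net", "198.51.100.7"),       # no rule at all: allowed
    ]
    return {(d, h): access_decision(HOSTS_ALLOW, HOSTS_DENY, d, h, a)
            for d, h, a in cases}


if __name__ == "__main__":
    for (daemon, host), decision in demo().items():
        print(f"{daemon:8} from {host:16} -> {decision}")
```

The last case is the one worth checking on a real server: a daemon with no entry in either file falls through to the final return and is reachable, exactly as the article states for the "no rules found" case, so a deny entry only restricts the daemons it names.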