Secure TCP Wrapper

Posted on Sunday March 13, 2016 by Eric Potvin

TCP Wrapper bases its access list on rules that are kept in the following two files:

  • /etc/hosts.allow
  • /etc/hosts.deny

The syntax of the /etc/hosts.allow and /etc/hosts.deny files is the same and is defined as follows:

daemon : client [:option1:option2:...]

For example, if you want to allow SSH from a specific IP (and/or a range of IPs) and deny access to all other IPs:

Put the following rule in /etc/hosts.allow (the trailing dot in 111.111. makes it a prefix that matches every address beginning with 111.111.):

sshd : 111.111., 222.222.222.222

and put this in /etc/hosts.deny:

sshd : ALL

As a reminder, there are some rules you have to respect:

  • You can have only one rule per service in each of the hosts.allow and hosts.deny files.
  • Any change to the hosts.allow and hosts.deny files takes effect immediately.
  • The last line in hosts.allow and hosts.deny must end with a newline character, or else the rule will fail.
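
To check how the two files above combine, here is a simplified model of the access decision (an added example, not code from the original post or from TCP Wrapper itself). It assumes the documented lookup order (hosts.allow first, then hosts.deny, access granted when nothing matches) and handles only ALL, exact IPv4 addresses and dotted prefixes; the function names are hypothetical.

```python
# Added example: simplified model of the TCP Wrapper access decision.
# Handles only ALL, exact IPv4 addresses and dotted prefixes ("111.111.").

def split_list(s):
    # List items may be separated by blanks and/or commas.
    return s.replace(",", " ").split()

def parse_rules(text):
    """Return (rules, warnings); rules are (daemons, clients) in file order."""
    rules, warnings = [], []
    for n, line in enumerate(text.splitlines(keepends=True), 1):
        if not line.endswith("\n"):
            # A final line without a newline is not applied (see the list above).
            warnings.append(f"line {n}: missing newline, rule ignored")
            continue
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 2:
            warnings.append(f"line {n}: expected 'daemon : client'")
            continue
        rules.append((split_list(fields[0]), split_list(fields[1])))
    return rules, warnings

def pattern_matches(pattern, value):
    if pattern == "ALL":
        return True
    if pattern.endswith("."):        # network prefix, needs the trailing dot
        return value.startswith(pattern)
    return pattern == value          # exact daemon name or address

def file_matches(text, daemon, client_ip):
    rules, _ = parse_rules(text)
    return any(
        any(pattern_matches(d, daemon) for d in daemons)
        and any(pattern_matches(c, client_ip) for c in clients)
        for daemons, clients in rules
    )

def is_allowed(allow_text, deny_text, daemon, client_ip):
    """hosts.allow is checked first, then hosts.deny; no match grants access."""
    if file_matches(allow_text, daemon, client_ip):
        return True
    return not file_matches(deny_text, daemon, client_ip)

# Constructed sample input: the two rules from this page.
HOSTS_ALLOW = "sshd : 111.111., 222.222.222.222\n"
HOSTS_DENY = "sshd : ALL\n"
```

Note the failure mode when the deny file lacks its final newline: the `sshd : ALL` rule is skipped, so every client falls through to the default and is allowed.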