Linux Security 101: TCP wrappers



TCP wrappers monitor and control access to network services that are linked against the libwrap library.


We can check whether a service is "wrapped" using the "ldd" command, which displays the shared libraries a program is linked against: a wrapped service lists "libwrap" among them.

For example, we see that the "sshd" service is "wrapped":
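The libwrap check above, as an added example that is not part of the original post: it parses `ldd` output for a libwrap entry, using constructed sample output so it runs without sshd installed, and can also run `ldd` on a real path (the binary path "/usr/sbin/sshd" is an assumption).

```python
"""Check whether a service binary is linked against libwrap.

Added example, not from the original post. It assumes the GNU ldd output
format ("libname => /path (0xaddr)") and that `ldd` is on PATH when the
live check is used.
"""
import shutil
import subprocess

# Constructed sample of `ldd` output for a wrapped daemon (illustrative
# paths, not captured from a real system).
SAMPLE_LDD_WRAPPED = """\
\tlinux-vdso.so.1 (0x00007ffd4a7f9000)
\tlibwrap.so.0 => /lib/x86_64-linux-gnu/libwrap.so.0 (0x00007f1c2b6c0000)
\tlibc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f1c2b2c0000)
"""

# Constructed sample for a daemon that does NOT use TCP wrappers.
SAMPLE_LDD_UNWRAPPED = """\
\tlinux-vdso.so.1 (0x00007ffd4a7f9000)
\tlibc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f1c2b2c0000)
"""


def shared_libraries(ldd_output: str) -> dict:
    """Parse `ldd` output into {soname: resolved path or None}."""
    libs = {}
    for line in ldd_output.splitlines():
        line = line.strip()
        if not line:
            continue
        # "libwrap.so.0 => /lib/.../libwrap.so.0 (0x...)" carries a path;
        # "linux-vdso.so.1 (0x...)" does not.  A static binary prints
        # "not a dynamic executable", which simply yields no libwrap entry.
        name = line.split()[0]
        path = None
        if " => " in line:
            target = line.split(" => ", 1)[1].split(" (")[0].strip()
            path = None if target == "not found" else target
        libs[name] = path
    return libs


def is_wrapped(ldd_output: str) -> bool:
    """True if the binary links libwrap, i.e. it honours hosts.allow/hosts.deny."""
    return any(name.startswith("libwrap.so") for name in shared_libraries(ldd_output))


def check_binary(path: str) -> bool:
    """Run `ldd` on a real binary (e.g. "/usr/sbin/sshd") and report wrapping."""
    ldd = shutil.which("ldd")
    if ldd is None:
        raise RuntimeError("ldd not found on PATH")
    out = subprocess.run([ldd, path], capture_output=True, text=True, check=True).stdout
    return is_wrapped(out)


if __name__ == "__main__":
    print("sample sshd wrapped:", is_wrapped(SAMPLE_LDD_WRAPPED))
    print("sample other daemon wrapped:", is_wrapped(SAMPLE_LDD_UNWRAPPED))
```

Re-run the check after upgrades: upstream OpenSSH dropped libwrap support in 6.7, and distributions that kept it through patches eventually followed, so an sshd that was wrapped yesterday may silently ignore hosts.deny today.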



TCP wrappers can control access to services based on the following criteria:
  • DNS names
  • IP address
  • Network address
  • . . . . .
TCP wrappers work together with xinetd (the eXtended Internet services Daemon), which listens for incoming connections and then forwards them to the appropriate service.

When the service is "wrapped", the request is forwarded to the wrapped service; if the service is managed by xinetd, the request is handed over to xinetd, which in turn hands it over to the destination service.

The TCP wrapper access configuration files:

TCP wrappers use two access files:

- /etc/hosts.allow: checked first; if the TCP wrapper finds a match, access is granted, and if it doesn't find a match, it goes on to check the "/etc/hosts.deny" file.
- /etc/hosts.deny: if the TCP wrapper finds a match here, access to the service is denied.

If no rule in either file matches our connection, access is granted.

Below is the format of the access files:


Examples of access files:

Accepts connections to "sshd" from "10.1.45.54":


Accepts connections to "sshd" from the whole "10.1.45.0" network:


Accepts connections to the "imapd" and "httpd" services from "10.1.45.54":


Below are a couple more examples:


For logging purposes, we could use the Action field, for example in the "/etc/hosts.deny" file, when receiving a connection from the host 10.1.45.54:


We could also use the Action field to start a new program when receiving a connection from a client, for example from the IP 10.1.45.54 as shown below:


The following expansions can be used in the Action field to include extra information about the connection, for example:
  • %a : client IP address.
  • %s : server information (daemon@host).
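The rule format, the hosts.allow-then-hosts.deny lookup order and the Action-field expansions described above, as one added example that is not part of the original post or of the tcp_wrappers project. It assumes the classic "daemon_list : client_list [: option]" line format, the "net/mask" spelling for the 10.1.45.0 network rule, and renders a "spawn" action as text instead of executing it; the sample access files and the log path /var/log/tcpwrap.log are constructed for the example.

```python
"""Evaluate hosts.allow / hosts.deny rules in the order libwrap consults them.

Added example, not code from the original post or the tcp_wrappers project.
Assumptions: "daemon_list : client_list [: option]" lines, '#' comments,
the ALL keyword, exact addresses/hostnames, the "10.1.45." prefix form and
the "net/mask" form; EXCEPT lists are not supported, and a "spawn" option
is only rendered, never run.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample files (not taken from a real system).
HOSTS_ALLOW = """\
# accept sshd from one host
sshd: 10.1.45.54
# accept sshd from the whole 10.1.45.0 network (net/mask form)
sshd: 10.1.45.0/255.255.255.0
# accept imapd and httpd from one host
imapd, httpd: 10.1.45.54
"""

HOSTS_DENY = """\
# log every other attempt from this host, then deny it
ALL: 10.1.45.54 : spawn /bin/echo "%s denied from %a" >> /var/log/tcpwrap.log
# everything not explicitly allowed is denied
ALL: ALL
"""


@dataclass
class Rule:
    daemons: List[str]
    clients: List[str]
    option: Optional[str]
    text: str  # original line, kept for the decision trace


@dataclass
class Decision:
    allowed: bool
    rule: Optional[str]   # "<file>: <line>" that decided, None for the default
    spawn: Optional[str]  # expanded spawn command, if the rule carried one


def parse_access_file(content: str) -> List[Rule]:
    """Parse one access file; '#' starts a comment, ':' separates fields."""
    rules = []
    for raw in content.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = [f.strip() for f in line.split(":", 2)]
        if len(fields) < 2:
            raise ValueError(f"malformed rule: {raw!r}")
        daemons = [d.strip() for d in fields[0].split(",")]
        clients = [c.strip() for c in fields[1].split(",")]
        option = fields[2] if len(fields) == 3 else None
        rules.append(Rule(daemons, clients, option, line))
    return rules


def client_matches(pattern: str, addr: str, host: str) -> bool:
    if pattern == "ALL":
        return True
    if "/" in pattern:                      # 10.1.45.0/255.255.255.0
        return ipaddress.ip_address(addr) in ipaddress.ip_network(pattern, strict=False)
    if pattern.endswith("."):               # 10.1.45.  (leading octets)
        return addr.startswith(pattern)
    if pattern.startswith("."):             # .example.com (domain suffix)
        return host.endswith(pattern)
    return pattern in (addr, host)          # exact address or hostname


def expand(option: str, daemon: str, addr: str, host: str, server: str) -> str:
    """Expand the %-sequences of the Action field (%a, %h, %d, %s, %%)."""
    subs = {"a": addr, "h": host, "d": daemon, "s": f"{daemon}@{server}", "%": "%"}
    return re.sub(r"%([ahds%])", lambda m: subs[m.group(1)], option)


def hosts_access(daemon: str, addr: str, allow: str, deny: str,
                 host: str = "unknown", server: str = "localhost") -> Decision:
    """hosts.allow is consulted first, then hosts.deny; no match means allow."""
    for verdict, content, name in ((True, allow, "hosts.allow"), (False, deny, "hosts.deny")):
        for rule in parse_access_file(content):
            if not any(d in ("ALL", daemon) for d in rule.daemons):
                continue
            if not any(client_matches(c, addr, host) for c in rule.clients):
                continue
            spawn = None
            if rule.option and rule.option.startswith("spawn "):
                # libwrap would hand this to /bin/sh; here it is only rendered.
                spawn = expand(rule.option[len("spawn "):], daemon, addr, host, server)
            return Decision(verdict, f"{name}: {rule.text}", spawn)
    return Decision(True, None, None)


if __name__ == "__main__":
    for daemon, addr in [("sshd", "10.1.45.54"), ("sshd", "10.1.45.200"),
                         ("ftpd", "10.1.45.54"), ("httpd", "10.1.45.99")]:
        d = hosts_access(daemon, addr, HOSTS_ALLOW, HOSTS_DENY)
        print(f"{daemon} from {addr}: {'allow' if d.allowed else 'deny'} ({d.rule}) {d.spawn or ''}")
```

The evaluator returns which line decided, which is the first thing to look at when a client is unexpectedly let in: a broad entry in hosts.allow wins before hosts.deny is ever read, and with both files empty the default is to grant access, so a closing "ALL: ALL" in hosts.deny is what turns the setup into a whitelist.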
