Linux ClassRoom

Hi friends, welcome to Linux World. In this tutorial we will discuss TCP Wrappers and how to secure network services with them.


What are TCP Wrappers?


TCP Wrapper is a host-based networking ACL (Access Control List) system. It is used to filter network access to Internet Protocol servers on UNIX-like operating systems such as CentOS, Ubuntu, RHEL, Fedora and Solaris. It allows host or subnetwork IP addresses and name query replies to be used as tokens on which to filter for access control purposes.


TCP Wrapper is generally used to restrict unauthorized access to a Linux server and its network services. Some of the advantages of TCP Wrapper are listed below:

  • Transparency to both the client and the wrapped network service — Both the connecting client and the wrapped network service are unaware that TCP Wrappers are in use. Legitimate users are logged and connected to the requested service while connections from banned clients fail.
  • Centralized management of multiple protocols — TCP Wrappers operate separately from the network services they protect, allowing many server applications to share a common set of access control configuration files, making for simpler management.
  • Logging - Connections that are monitored by tcpd are reported through the syslog facility.
  • Host Name Verification – It verifies the client host name returned by the address->name DNS lookup by checking whether the host name and address returned by the name->address DNS lookup are the same.


Which Services Can Be Controlled by TCP Wrapper:


On Linux-like operating systems, the TCP Wrapper packages tcp_wrappers and tcp_wrappers-libs are installed by default. We can only control network services that are compiled against the libwrap.a library. To determine whether a network service is linked to libwrap.a, type the command below as the root user:


# ldd <Absolute-Path-to-Service> | grep libwrap

Use the whereis command to determine the absolute path of the service, for example: # whereis sshd


Example :

root@nextstep4it:~# ldd /usr/sbin/sshd | grep libwrap
libwrap.so.0 => /lib/x86_64-linux-gnu/libwrap.so.0 (0x00007f63fa836000)

In the above example we can see that the sshd service is compiled with the libwrap library, so we can control this service using TCP Wrappers. Some of the other services which can be controlled by TCP Wrapper are /usr/sbin/sendmail and /usr/sbin/xinetd.



Configuration Files of TCP Wrapper:

There are two configuration files for TCP Wrapper: /etc/hosts.allow and /etc/hosts.deny


  • /etc/hosts.allow - This file describes the names of the hosts which are allowed to use the local network services, as decided by the /usr/sbin/tcpd server.
  • /etc/hosts.deny - This file describes the names of the hosts which are NOT allowed to use the local network services, as decided by the /usr/sbin/tcpd server.


    Note:
      If the same client or IP is listed in both hosts.allow and hosts.deny, then hosts.allow takes precedence and access is permitted. If the client is listed in hosts.allow, then access is permitted. If the client is listed in hosts.deny, then access is denied. If no rules for the service are found in either file, or if neither file exists, access to the service is granted.

Format or Syntax Used in Configuration Files:


<daemon list>: <client list> [: <option>: <option>: ...]

  • <daemon list> — A comma-separated list of process names (not service names) or the ALL wildcard.
  • <client list> — A comma-separated list of hostnames, host IP addresses, special patterns, or wildcards which identify the hosts affected by the rule.
  • <option> — An optional action or colon-separated list of actions performed when the rule is triggered. Option fields support expansions, launch shell commands, allow or deny access, and alter logging behavior.

Most Common Wildcards Used in TCP Wrapper Config Files:

  • ALL — Matches everything. It can be used for both the daemon list and the client list.
  • LOCAL — Matches any host that does not contain a period (.), such as localhost.
  • KNOWN — Matches any host where the hostname and host address are known or where the user is known.
  • UNKNOWN — Matches any host where the hostname or host address are unknown or where the user is unknown.
  • PARANOID — Matches any host where the hostname does not match the host address.
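
The evaluation order from the Note above, combined with the rule syntax and the ALL and LOCAL wildcards, can be modelled in a few lines. This is an added example, not code from the original tutorial or from the tcp_wrappers project; the sample rules and addresses are constructed, the function names are hypothetical, and the trailing-dot address prefix ("192.168.1.") is one of the special patterns described in hosts_access(5).

```python
# Simplified model of TCP Wrappers rule evaluation (added example).
# Handles ALL, LOCAL, exact matches and "192.168.1." style address prefixes.
# Options, KNOWN/UNKNOWN/PARANOID and hostname lookups are not modelled.

# Constructed sample rules, not taken from any real host.
HOSTS_ALLOW = """
# admin subnet may use ssh, local hosts may use sendmail
sshd: 192.168.1.
sendmail: LOCAL
"""
HOSTS_DENY = "ALL: ALL\n"   # default deny for everything not allowed above

def parse(text):
    """Return [(daemons, clients)] from 'daemon list: client list' lines."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("#") or ":" not in line:
            continue
        daemons, clients = line.split(":")[:2]
        rules.append((daemons.replace(",", " ").split(),
                      clients.replace(",", " ").split()))
    return rules

def client_matches(pattern, client):
    if pattern == "ALL":
        return True
    if pattern == "LOCAL":             # host name without a period
        return "." not in client
    if pattern.endswith("."):          # address prefix, e.g. "192.168.1."
        return client.startswith(pattern)
    return pattern == client

def rule_hit(rules, daemon, client):
    return any(("ALL" in ds or daemon in ds)
               and any(client_matches(p, client) for p in cs)
               for ds, cs in rules)

def decide(daemon, client, allow=HOSTS_ALLOW, deny=HOSTS_DENY):
    """hosts.allow is checked first, then hosts.deny, otherwise access is granted."""
    if rule_hit(parse(allow), daemon, client):
        return "allow"
    if rule_hit(parse(deny), daemon, client):
        return "deny"
    return "allow (no matching rule)"
```

Calling decide("sshd", "203.0.113.9", deny="") returns "allow (no matching rule)", which is why an explicit ALL: ALL line in /etc/hosts.deny is needed for a default-deny policy.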