Configuring TCP Wrappers

TCP wrappers are frequently used to monitor and control access to the services listed in /etc/inetd.conf. The in.ftpd service might be wrapped by replacing its server path with tcpd, as in:

ftp stream tcp nowait root /usr/sbin/tcpd in.ftpd -l -L -i -o

Before the wrapped daemon (in.ftpd above) is spawned, tcpd first determines whether the source host is permitted. Each connection attempt is logged via syslogd. All services should be denied by default in /etc/hosts.deny using the following:

ALL: ALL

To send an email to the admin and report failed connection attempt:

ALL: ALL: /bin/mail \
-s "%s connection attempt from %c" admin@mydom.com

Enable specific services in /etc/hosts.allow using the service name followed by the host:

sshd: magneto.mydom.com, juggernaut.mydom.com
in.ftpd: 192.168.1.

A trailing period means the pattern is matched as an address prefix, so every host in that network is permitted. Use tcpdchk to verify the syntax and consistency of your access files. A syslog entry is created for each failed attempt. Access control is performed in the following order:

• Access will be granted when a daemon/client pair matches an entry in
  the /etc/hosts.allow file.
• Otherwise, access will be denied when a daemon/client pair matches
  an entry in the /etc/hosts.deny file.
• Otherwise, access will be granted.

A non-existent access control file is treated as if it were empty. Thus, if neither file is present, access control is effectively turned off and every connection is permitted!