Redhat:TCP Wrappers

From Define Wiki
Revision as of 13:28, 10 September 2013 by Michael

TCP Wrappers

TCP Wrappers do what the name suggests: they wrap a network service in a host-based access check that runs before the daemon sees the connection. Originally written to protect services started from inetd (and later xinetd), they now protect any daemon linked against the libwrap.so.0 library. Note that Red Hat removed the tcp_wrappers package in RHEL 8, so what follows applies to RHEL 6 and RHEL 7.

Which clients may reach a wrapped service is defined in the /etc/hosts.allow and /etc/hosts.deny files.


Is a service protected by TCP Wrappers?

To check whether a service is protected by TCP Wrappers, run ldd on the daemon binary and look for libwrap.so.0 among its shared libraries. If it is not listed, the daemon never consults hosts.allow or hosts.deny and must be restricted some other way, for example with the firewall.

[root@head ~]# ldd /usr/sbin/sshd | grep libwrap.so.0
        libwrap.so.0 => /lib64/libwrap.so.0 (0x00002ac166be0000)


TCP Wrappers Configuration

Requests for services protected by TCP Wrappers are handed to the wrapper, which checks them against the access rules before the daemon handles the connection. The access rules are defined in two files, /etc/hosts.allow and /etc/hosts.deny.

As you might expect, hosts.allow lists the clients able to access a service and hosts.deny lists those refused. hosts.allow is read first; if a matching rule is found the client is granted access and hosts.deny is never consulted, so hosts.allow takes priority over hosts.deny. If nothing in hosts.allow matches, hosts.deny is checked and a match refuses the connection. If the client matches neither file it is granted access. Because that default is permissive, a restrictive configuration puts ALL : ALL in hosts.deny and lists only the permitted clients, per service, in hosts.allow. Within each file rules are checked in order and the first match wins. Both files are re-read on every connection, so edits take effect immediately without restarting the daemon.


Both files follow the same format, one rule per line. The daemon name is the name the service registers with libwrap, normally its executable name (sshd, vsftpd, in.telnetd), and an optional third field can carry options (see hosts_options(5)).

<daemon_list> : <client_list>
ALL : ALL  # Allows / denies access to all services for all clients
sshd : 192.168.0.3   # Allows / denies access to the SSH service for host 192.168.0.3
rpc.mountd : 192.168.122.0/255.255.255.0 EXCEPT 192.168.122.50  # Access to the 192.168.122.0/24 network except 192.168.122.50
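To make the evaluation order concrete, here is an added example that re-implements the hosts.allow / hosts.deny decision in Python. It is an illustration written for this page, not libwrap's own code: it handles only the rule forms used above (ALL, exact IPv4 addresses, net/mask or CIDR networks, trailing-dot prefixes such as 192.168.122., and EXCEPT) and deliberately ignores hostnames, the KNOWN/UNKNOWN/LOCAL/PARANOID wildcards and the optional options field that real libwrap also honours. The two sample files it evaluates are constructed for the example and follow the default-deny pattern described above.

```python
"""Simplified re-implementation of the hosts.allow / hosts.deny decision order.

Added illustration, not libwrap's own code. Supports only: ALL, exact IPv4
addresses, net/mask or CIDR networks, trailing-dot prefixes ("192.168.122.")
and EXCEPT. Hostnames, KNOWN/UNKNOWN/LOCAL/PARANOID and the optional third
(options) field of a rule are not implemented.
"""
import ipaddress


def parse_rules(text):
    """Turn the text of one access file into a list of (daemon_list, client_list)."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        fields = [f.strip() for f in line.split(":")]
        if len(fields) < 2:
            raise ValueError(f"malformed rule: {raw!r}")
        rules.append((fields[0], fields[1]))     # fields[2:] (options) ignored here
    return rules


def _split_except(field):
    """'a b EXCEPT c' -> (['a', 'b'], ['c']); without EXCEPT -> (tokens, [])."""
    tokens = field.replace(",", " ").split()
    if "EXCEPT" in tokens:
        i = tokens.index("EXCEPT")
        return tokens[:i], tokens[i + 1:]
    return tokens, []


def _daemon_matches(token, daemon):
    return token == "ALL" or token == daemon


def _client_matches(token, addr):
    if token == "ALL":
        return True
    ip = ipaddress.ip_address(addr)
    if "/" in token:                              # 192.168.122.0/255.255.255.0 or /24
        return ip in ipaddress.ip_network(token, strict=False)
    if token.endswith("."):                       # prefix form: 192.168.122.
        return addr.startswith(token)
    return addr == token


def _list_matches(field, item, matcher):
    included, excluded = _split_except(field)
    return (any(matcher(t, item) for t in included)
            and not any(matcher(t, item) for t in excluded))


def file_matches(rules, daemon, addr):
    """True if any rule in the file matches this daemon/client pair (first match wins)."""
    return any(_list_matches(d, daemon, _daemon_matches)
               and _list_matches(c, addr, _client_matches)
               for d, c in rules)


def decide(hosts_allow, hosts_deny, daemon, addr):
    """libwrap order: hosts.allow first, then hosts.deny, otherwise allow."""
    if file_matches(parse_rules(hosts_allow), daemon, addr):
        return "allow"
    if file_matches(parse_rules(hosts_deny), daemon, addr):
        return "deny"
    return "allow"   # matched neither file: access is granted


# Constructed sample files for this example: deny everything by default,
# then open specific services to specific clients in hosts.allow.
HOSTS_DENY = "ALL : ALL\n"
HOSTS_ALLOW = """
sshd : 192.168.0.3
rpc.mountd : 192.168.122.0/255.255.255.0 EXCEPT 192.168.122.50
"""

if __name__ == "__main__":
    for daemon, addr in [("sshd", "192.168.0.3"), ("sshd", "192.168.0.4"),
                         ("rpc.mountd", "192.168.122.10"),
                         ("rpc.mountd", "192.168.122.50")]:
        print(f"{daemon:10} {addr:16} {decide(HOSTS_ALLOW, HOSTS_DENY, daemon, addr)}")
```

The point to take from it is the last line of decide(): with an empty hosts.deny a client that matches nothing is let in, which is why the sample puts ALL : ALL there. On a real RHEL 6 or 7 host the tcpdmatch tool from the tcp_wrappers package evaluates the live files in the same way (tcpdmatch sshd 192.168.0.3), which is a quicker check than waiting for a failed connection.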