The Geek Diary

TCP Wrapper (hosts.allow & hosts.deny) Command Options in Linux

by admin

TCP wrappers can do more than allow or deny access to a service. An optional third field in a rule, documented in hosts_options(5), can send a connection banner, warn of attacks from particular hosts, and enhance logging. The examples below apply to the tcp_wrappers package shipped with CentOS/RHEL 6 and 7 (the package was dropped in RHEL 8), and they only take effect for daemons that are actually wrapped, either by running under tcpd/xinetd or by being linked against libwrap.

TCP wrapper banner for a service

To implement a TCP wrapper banner for a service, use the banners option. This example implements a banner for vsftpd, which must be running in standalone mode with tcp_wrappers=YES set in /etc/vsftpd/vsftpd.conf so that it consults the access control files at all. Create a directory for banner files and, inside it, a file with the same name as the daemon process (the value that %d expands to). In this example the file is /etc/banners/vsftpd and contains the following lines:

220-Hello, %c
220-All activity on ftp.example.com is logged.
220-Inappropriate use results in access privileges being removed.

The file is copied to the client before the connection is handed to the daemon, with % expansions performed and each newline converted to a carriage return plus newline. The lines start with "220-" because they are sent ahead of vsftpd's own "220" greeting, so together they form one valid multi-line FTP reply. The %c token expands to client information: user@host, user@address, a host name, or just an address, depending on how much is available. The %d token (not shown) expands to the name of the daemon process that the client attempted to connect to. For this banner to be displayed to incoming connections, add the following line to the /etc/hosts.allow file:

# vi /etc/hosts.allow
vsftpd : ALL : banners /etc/banners/

TCP wrappers to warn from potential attacks

TCP wrappers can warn you of potential attacks from a host or network by using the spawn option. spawn runs an arbitrary shell command in a child process (through /bin/sh -c, after % expansion) with stdin, stdout and stderr connected to /dev/null, and with the privileges of the wrapped daemon, which is usually root. spawn never changes the access decision by itself; that comes from the file the rule is placed in. In this example, access is being attempted from the 200.182.68.0/24 network. Note the client pattern: a trailing dot ("200.182.68.") matches every address in the /24, whereas "200.182.68.0" would match only that one address; "200.182.68.0/255.255.255.0" is an equivalent way to write the network. Place the following line in the /etc/hosts.deny file to deny any connection attempts from that network, and to log the attempts to a special file:

# vi /etc/hosts.deny
ALL : 200.182.68. : spawn /bin/echo `date` %c %d >> /var/log/intruder_alert

To allow the connection and still log it, place the same spawn rule in /etc/hosts.allow instead. Characters in % expansions that could be interpreted by the shell are replaced with underscores before the command runs, so a hostile reverse-DNS name cannot inject commands through %c or %h; even so, keep spawn commands short and hand the expansions to a script as arguments rather than building pipelines inline in the rule file.
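The following handler script is an added example, not code from the original article or from the tcp_wrappers package. It receives the expanded tokens as separate arguments instead of building the echo redirection inline, writes an owner-only log file and forwards the record to syslog. The path /usr/local/sbin/tcpw-alert, the log line format and the tcpw_ function names are assumptions made for the example.

```shell
#!/bin/sh
# /usr/local/sbin/tcpw-alert (hypothetical path): handler for the spawn option.
# Added example, not part of the original article or of tcp_wrappers.
#
# Matching rule in /etc/hosts.deny (the trailing "&" backgrounds the handler so
# the wrapped daemon is not held up; %d daemon, %a address, %h name, %c client):
#
#   ALL : 200.182.68. : spawn /usr/local/sbin/tcpw-alert %d %a %h %c &
#
# tcpd already replaces shell metacharacters in % expansions with underscores, but
# passing the values as separate arguments, and never re-evaluating them, keeps an
# attacker-controlled reverse-DNS name (%h) as plain data. spawn runs with the
# daemon's privileges and with stdin/stdout/stderr on /dev/null, so this script
# writes to a file and to syslog explicitly.

# tcpw_alert_line DAEMON ADDR HOST CLIENT: format one log record, UTC time first.
tcpw_alert_line() {
    printf '%s daemon=%s addr=%s host=%s client=%s\n' \
        "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$1" "$2" "$3" "$4"
}

# tcpw_alert DAEMON ADDR HOST CLIENT [LOGFILE]: append the record to LOGFILE
# (default /var/log/intruder_alert, created readable by the owner only) and send
# it to syslog at authpriv.warning when logger(1) exists. Returns 1 if the file
# cannot be written.
tcpw_alert() {
    logfile=${5:-/var/log/intruder_alert}
    line=$(tcpw_alert_line "$1" "$2" "$3" "$4") || return 1
    umask 077
    printf '%s\n' "$line" >> "$logfile" || return 1
    if command -v logger >/dev/null 2>&1; then
        logger -p authpriv.warning -t tcpwrap "$line" 2>/dev/null || :
    fi
}

# Entry point when invoked by tcpd. With fewer than four arguments (for example
# when the file is sourced to exercise the functions) nothing is logged.
if [ $# -ge 4 ]; then
    tcpw_alert "$@"
fi
```

To check it by hand before wiring it into hosts.deny, run it with sample arguments and a scratch log path, for instance `sh /usr/local/sbin/tcpw-alert sshd 200.182.68.7 evil.example.net evil.example.net /tmp/alert.log`, then inspect /tmp/alert.log and /var/log/secure.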

Deny access and log connection attempt

The following entry in /etc/hosts.deny denies all client access to all services (unless specifically permitted in /etc/hosts.allow, which is always consulted first) and logs the connection attempt. Because the first matching rule wins, an ALL : ALL entry must be the last line in /etc/hosts.deny; any rule placed after it is never evaluated:

# vi /etc/hosts.deny
ALL : ALL : spawn /bin/echo "%c tried to connect to %d and was blocked" >> /var/log/tcpwrappers.log

The log level can be elevated with the severity option, which takes a syslog priority and, optionally, a facility (for example "severity emerg" or "severity auth.emerg"). Assume that anyone attempting to ssh to an FTP server is an intruder. To flag this, log the attempt at the emerg priority instead of the default info, and deny the connection. To do this, place the following line in /etc/hosts.deny (the denial comes from the file the rule is in, not from the severity option):

# vi /etc/hosts.deny
sshd : ALL : severity emerg

This keeps the logging facility that libwrap was compiled with (authpriv on CentOS/RHEL) but elevates the priority from the default of info to emerg. With the stock rsyslog configuration, emerg messages are written to /var/log/secure and also broadcast to the terminals of all logged-in users.

Deny access from a specific domain

The following example states that if a connection to the SSH daemon (sshd) is attempted from a host in the example.com domain, execute the echo command to append the attempt to a special log file, and deny the connection. Because the explicit deny option is used, this rule denies access even though it appears in the /etc/hosts.allow file. Keep in mind that a domain pattern such as .example.com is matched against the client's reverse-DNS name; tcpd cross-checks that name with a forward lookup, so a client whose name does not resolve back to its address, or which has no PTR record at all, will not match this rule:

# vi /etc/hosts.allow
sshd : .example.com \
: spawn /bin/echo `/bin/date` access denied >> /var/log/sshd.log \
: deny

The backslash at the end of a line continues the rule on the next line, which keeps long rules readable; a rule may be of any length. The backslash must be the very last character on the line: a space after it breaks the continuation, and the remainder is then parsed as a separate, malformed rule.
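A small lint for the two rule files, added here as an example and not part of the original article or of the tcp_wrappers package. It joins continued lines the way tcpd does, flags the two mistakes discussed above (a backslash followed by trailing whitespace, and a client pattern ending in ".0" with no netmask), and shows how tcpdmatch(8), the test tool that ships with tcp_wrappers, can be pointed at a scratch directory with -d. The sample rule files it writes are constructed for the demo; the function names are my own.

```shell
#!/bin/sh
# hosts-lint: sanity checks for hosts.allow/hosts.deny rule files.
# Added example, not part of tcp_wrappers. Uses only POSIX sh and awk.

# join_rules FILE: print each effective rule on one line, as tcpd sees it: comment
# and blank lines dropped, a backslash as the last character joins the next line.
join_rules() {
    awk '
        BEGIN { buf = "" }
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
        /\\$/ { sub(/\\$/, ""); buf = buf $0; next }
        { print buf $0; buf = "" }
        END { if (buf != "") print buf }
    ' "$1"
}

# find_broken_continuations FILE: print "FILE:LINE" for each line whose backslash
# is followed by whitespace, which tcpd does NOT treat as a continuation.
# Returns 1 if anything was found.
find_broken_continuations() {
    awk -v f="$1" '
        BEGIN { bad = 0 }
        /\\[[:space:]]+$/ { print f ":" NR; bad = 1 }
        END { exit bad }
    ' "$1"
}

# find_suspicious_networks FILE: warn about client patterns of the form a.b.c.0
# with no netmask; such a pattern matches one host, not the /24 the author probably
# meant. Returns 1 if anything was found.
find_suspicious_networks() {
    join_rules "$1" | awk -F: -v f="$1" '
        BEGIN { bad = 0 }
        {
            n = split($2, pats, /[[:space:],]+/)
            for (i = 1; i <= n; i++)
                if (pats[i] ~ /^[0-9]+\.[0-9]+\.[0-9]+\.0$/) {
                    printf "%s: %s matches one host only; use %s or %s/255.255.255.0\n",
                           f, pats[i], substr(pats[i], 1, length(pats[i]) - 1), pats[i]
                    bad = 1
                }
        }
        END { exit bad }'
}

# check_dir DIR: run both checks over DIR/hosts.allow and DIR/hosts.deny.
check_dir() {
    _rc=0
    for f in "$1/hosts.allow" "$1/hosts.deny"; do
        [ -f "$f" ] || continue
        find_broken_continuations "$f" || _rc=1
        find_suspicious_networks "$f" || _rc=1
    done
    return $_rc
}

# tcpd_verdict DIR DAEMON CLIENT: ask tcpdmatch(8) how tcpd would decide, reading
# DIR/hosts.allow and DIR/hosts.deny (-d) instead of the live files in /etc.
tcpd_verdict() {
    command -v tcpdmatch >/dev/null 2>&1 || { echo "tcpdmatch not installed" >&2; return 2; }
    ( cd "$1" && tcpdmatch -d "$2" "$3" )
}

# Demo on a constructed copy of the article's rules, written to a scratch directory.
# The hosts.allow copy has the "backslash space" defect, the hosts.deny copy the
# single-address pattern, so both checks are expected to fire.
demo=$(mktemp -d)
printf '%s\n' 'sshd : .example.com \' \
    ': spawn /bin/echo `/bin/date` access denied >> /var/log/sshd.log \ ' \
    ': deny' > "$demo/hosts.allow"
printf '%s\n' 'ALL : 200.182.68.0 : spawn /bin/echo `date` %c %d >> /var/log/intruder_alert' \
    > "$demo/hosts.deny"
check_dir "$demo" || echo "problems found (expected for this sample)"
echo "effective rules in hosts.allow:"; join_rules "$demo/hosts.allow"
rm -rf "$demo"
```

Run it against copies of the live files (`cp /etc/hosts.allow /etc/hosts.deny /tmp/tw/ && check_dir /tmp/tw`) before editing /etc, and use `tcpd_verdict /tmp/tw sshd 200.182.68.7` to see which rule tcpdmatch reports as matching; in the broken hosts.allow sample above the ": deny" fragment ends up as a rule of its own, which is exactly the failure the trailing space causes.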

Filed Under: CentOS/RHEL 6, CentOS/RHEL 7, Linux
