Understanding TCP Wrappers (/etc/hosts.allow & /etc/hosts.deny) in Linux

by admin

TCP wrappers provide basic host-based filtering of incoming connections. Access to "wrapped" network services running on a Linux server can be allowed or denied per client host or network. A wrapped service is one that is linked against the libwrap library (libwrap.so on current systems; the static libwrap.a is also possible). A service that is not linked against libwrap never consults these files, so entries for it in /etc/hosts.allow or /etc/hosts.deny are silently ignored; check before relying on them. Use the ldd command to determine whether a network service is linked to libwrap. The following example determines the absolute path name of the sshd binary, then lists the shared libraries it is linked against and uses grep to search for libwrap:

# which sshd
/sbin/sshd
# ldd /sbin/sshd | grep libwrap
	libwrap.so.0 => /lib64/libwrap.so.0 (0x00007f1fea580000)
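If grep prints nothing, the daemon is not wrapped. Services started through xinetd are covered by xinetd's own libwrap support rather than their own binary. Note also that upstream OpenSSH dropped libwrap support in 6.7 and the tcp_wrappers package was removed in RHEL 8, so what follows applies to CentOS/RHEL 6 and 7; on newer releases use firewalld/nftables or the daemon's own access controls (for sshd, Match blocks and AllowUsers in sshd_config) instead.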

Configuration files

TCP wrappers rely on two configuration files as the basis for access control:

  • /etc/hosts.allow
  • /etc/hosts.deny

When a remote client attempts to connect to a wrapped service on the local system, libwrap reads these files to decide whether the connection is accepted or dropped. Use /etc/hosts.allow and /etc/hosts.deny to define rules that selectively allow or deny clients access to server daemons on the local system. The format for entries is the same in both files:

daemon_list : client_list [: command]

A description of each field follows:

  • daemon_list: A comma-separated list of daemon process names (the name of the executable, such as sshd or vsftpd), or the keyword ALL for all daemons
  • client_list: A comma-separated list of client host names, addresses or patterns, or the keyword ALL for all clients
  • command: An optional shell command that is executed when a client matching the rule tries to access the daemon. On RHEL builds of tcp_wrappers this third field is an option list as described in hosts_options(5), for example spawn to run a command in the background or twist to replace the service with the command.

To allow client access, add the client host name or IP address in /etc/hosts.allow. To deny client access, add its name or IP address in /etc/hosts.deny.

The /etc/hosts.allow file is read first and is read from top to bottom. If a daemon-client pair matches the first line in the file, access is granted. If the line is not a match, the next line is read and the same check is performed. If all lines are read and no match occurs, the /etc/hosts.deny file is read, starting at the top. If a daemon-client pair match is found in the deny file, access is denied. If no rules for the daemon-client pair are found in either file, or if neither file exists, access to the service is granted.

Because /etc/hosts.allow is applied first and evaluation stops at the first match, its rules take precedence over rules specified in /etc/hosts.deny. Therefore, if access to a service is allowed in hosts.allow, a rule denying access to that same service in hosts.deny is ignored. The reverse also holds: an empty or missing hosts.deny means everything not explicitly handled is allowed, so a deny-by-default policy needs an explicit ALL : ALL entry in hosts.deny. The following examples show entries in /etc/hosts.allow and /etc/hosts.deny:

1. To allow clients on the 192.168.2.0/24 network to access FTP (daemon is vsftpd). A pattern that ends in a dot matches any address that begins with that string; libwrap has no "*" wildcard, so a token such as 192.168.2.* would be treated as a literal host name and never match. The equivalent netmask form 192.168.2.0/255.255.255.0 is also accepted:

# vi /etc/hosts.allow
vsftpd : 192.168.2.

2. To allow all clients to access ssh, scp, and sftp (daemon is sshd):

# vi /etc/hosts.allow
sshd : ALL

3. Place the following entry in the /etc/hosts.deny file to deny FTP service to all clients except the 192.168.2.0/24 network (this assumes the previous entry vsftpd : 192.168.2. exists in /etc/hosts.allow, which is matched first and therefore wins):

# vi /etc/hosts.deny
vsftpd : ALL

4. Use the .domain syntax to represent any host in a given domain. A pattern that begins with a dot matches any host name that ends with that string. The following example allows connections to vsftpd from any host in the example.com domain (if the entry is in /etc/hosts.allow):

# vi /etc/hosts.allow
vsftpd : .example.com

If this entry appears in /etc/hosts.deny, the connection is denied. Name-based patterns depend on the reverse DNS lookup of the client address, which the operator of that address space controls; libwrap cross-checks the forward lookup and exposes mismatches through the PARANOID wildcard, but address or network patterns are the more robust choice where they are possible.
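To make the evaluation order and the pattern forms above concrete, the following POSIX shell script is an added example, not code from tcp_wrappers or from this page: it re-implements the documented decision order (hosts.allow first, then hosts.deny, default allow) over two constructed rule files in place of the real /etc/hosts.allow and /etc/hosts.deny. It models only the patterns used in the examples (ALL, exact host/address, the "192.168.2." prefix form and the ".example.com" suffix form); netmask patterns, EXCEPT and the option field are left out.

```shell
#!/bin/sh
# Added example (not tcp_wrappers code): a minimal re-implementation of the
# hosts_access(5) decision order, used to try the allow-before-deny
# precedence and the pattern forms without touching the real files.

# Constructed sample rule files standing in for /etc/hosts.allow and
# /etc/hosts.deny; removed on exit.
ALLOW_FILE=$(mktemp)
DENY_FILE=$(mktemp)
trap 'rm -f "$ALLOW_FILE" "$DENY_FILE"' EXIT

cat >"$ALLOW_FILE" <<'EOF'
# FTP from the 192.168.2.0/24 prefix or any host in example.com; ssh from anywhere
vsftpd : 192.168.2., .example.com
sshd : ALL
EOF

cat >"$DENY_FILE" <<'EOF'
vsftpd : ALL
EOF

# token_match PATTERN STRING: succeed if a single rule token matches STRING.
token_match() {
    case "$1" in
        ALL) return 0 ;;
        .*)  case "$2" in *"$1") return 0 ;; esac ;;   # ".domain" suffix match
        *.)  case "$2" in "$1"*) return 0 ;; esac ;;   # "net." prefix match
        *)   [ "$1" = "$2" ] && return 0 ;;            # exact match
    esac
    return 1
}

# list_match LIST STRING: succeed if any comma-separated token in LIST matches.
list_match() {
    for tok in $(printf '%s' "$1" | tr ',' ' '); do
        token_match "$tok" "$2" && return 0
    done
    return 1
}

# file_match FILE DAEMON CLIENT: succeed on the first rule in FILE that matches
# the daemon/client pair. Comments, blank lines and the optional third field
# are ignored.
file_match() {
    while IFS= read -r line || [ -n "$line" ]; do
        line=${line%%#*}
        case "$line" in *:*) ;; *) continue ;; esac
        daemons=${line%%:*}
        rest=${line#*:}
        clients=${rest%%:*}
        list_match "$daemons" "$2" && list_match "$clients" "$3" && return 0
    done <"$1"
    return 1
}

# hosts_access DAEMON CLIENT: print "allow" or "deny" following the documented
# order: hosts.allow is consulted first, then hosts.deny; no match means allow.
hosts_access() {
    if file_match "$ALLOW_FILE" "$1" "$2"; then
        echo allow
    elif file_match "$DENY_FILE" "$1" "$2"; then
        echo deny
    else
        echo allow
    fi
}

# Walk a few daemon/client pairs (constructed input, not real traffic).
for pair in "vsftpd 192.168.2.10" "vsftpd 192.168.20.1" "vsftpd 10.0.0.5" \
            "vsftpd ftp.example.com" "sshd 10.0.0.5" "smtpd 10.0.0.5"; do
    set -- $pair
    printf '%-7s %-17s %s\n' "$1" "$2" "$(hosts_access "$1" "$2")"
done
```

The 192.168.20.1 case shows why the trailing dot matters: "192.168.2." is a prefix of "192.168.2.10" but not of "192.168.20.1", so the second client falls through to the vsftpd : ALL rule in hosts.deny. The smtpd case shows the default: with no rule in either file, the connection is allowed. On a real CentOS/RHEL 6 or 7 host the same questions can be put to libwrap itself with tcpdmatch (for example tcpdmatch vsftpd 192.168.20.1), and tcpdchk reports syntax problems in the two files.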


Filed Under: CentOS/RHEL 6, CentOS/RHEL 7, Linux


© 2023 · The Geek Diary
