Originally Published: Thursday, 27 May 1999 Author: Michael J. Wise

TCP Wrappers for Security

This article describes how to use TCP wrappers to tighten the security of a machine's services. They work through the tcpd daemon, which checks the hostname of whoever is trying to get in and compares it to preconfigured access files. Only services activated by inetd can use TCP wrappers. This article does not address installing them, as all Linux distributions I am aware of install these by default. If you need to download and install them, they are available at ftp.cert.org.

Basic Use

TCP wrappers use two files as rules for which machines can and cannot get into your machine. They are found in /etc and are called hosts.allow and hosts.deny. Most distributions ship these files completely empty, meaning that anyone can get into your computer. There are two main possible configurations: a mostly open configuration and a mostly closed configuration. I recommend that the vast majority of users use a mostly closed configuration because it is far more effective for security.

Syntax for "Mostly Closed" system

Here is a basic mostly closed configuration that is usually most effective.

In hosts.deny, the following is put:

ALL: ALL

The first argument says that it is a rule for ALL the services defined in inetd.conf. The second argument says that it applies to ALL hosts. This basically closes your computer to any external contact. Now, say you want somebody from www.a-random-isp.com to have access to your computer. Then you'd put this in the hosts.allow file:

ALL: .a-random-isp.com

The first argument says that this applies to ALL the services. The second argument lets anyone under the a-random-isp.com domain access your machine. Now, say you want everybody to be able to telnet in. Then you would put this in hosts.allow (assuming that ALL:ALL is still in hosts.deny):


The first argument says that only the telnet service is affected. (The general form for any service to put in these files is in.serviced.) The next argument says that ALL people can use the telnet service on your machine. For a final example, let's say you want people from asdf.some-server.com to be able to use the IMAP mail service from your machine. Then you'd put the following in hosts.allow:


Using these examples, you can build a usable secure system. You can skip the next part if it doesn't apply to you.

Syntax for "Mostly Open" system

This configuration should only be used for machines that are used by a large number of people remotely, where you only want to block out a few "trouble" domains.

The following is added to hosts.allow:


This allows all people to access all services; you can then block out people and services selectively in hosts.deny. For example, say bigbadhackers.com is trying to crack into your system. Then you would add the following to hosts.deny:

ALL: .bigbadhackers.com

For the final example, say that IMAP serves no purpose except as a security hazard. Then you would put this in your hosts.deny file:


Remember, I recommend the mostly closed configuration for the vast majority of people.

Reminders and Pitfalls

When using wildcards, remember not to use an asterisk.

Right: ALL: .some-place.com
Wrong: ALL: *.some-place.com

Use tcpdchk and tcpdmatch to test your configuration files for errors and to simulate requests for services. See the man pages for details on how to use them properly.
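
The order in which tcpd consults the two files (hosts.allow first, then hosts.deny, with access granted when neither matches) can be modeled in a few lines to see what a rule set decides before trusting it. This is an added example, not code from the original article or from the TCP wrappers package; the daemon names in.telnetd and in.ftpd and the client host names are constructed sample values, and an asterisk is given no special meaning, as the article describes.

```python
# Simplified model of the tcpd lookup order; not the real tcpd code.
# Modeled: "daemon_list: client_list" rules, ALL, exact host names, leading-dot
# domains. Not modeled: PARANOID, EXCEPT, netmasks, user@host, shell commands.

def parse_rules(text):
    """Return [(daemons, clients)] from hosts.allow / hosts.deny style text."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("#") or ":" not in line:
            continue
        daemons, clients = line.split(":", 1)
        rules.append((daemons.replace(",", " ").split(),
                      clients.replace(",", " ").split()))
    return rules

def pattern_matches(pattern, value):
    if pattern == "ALL":
        return True
    if pattern.startswith("."):        # ".some-place.com": any host under it
        return value.lower().endswith(pattern.lower())
    return pattern.lower() == value.lower()   # "*" gets no special meaning

def file_matches(rules, daemon, client):
    return any(any(pattern_matches(d, daemon) for d in daemons) and
               any(pattern_matches(c, client) for c in clients)
               for daemons, clients in rules)

def access_granted(allow_text, deny_text, daemon, client):
    if file_matches(parse_rules(allow_text), daemon, client):
        return True                    # 1. a hosts.allow match grants access
    if file_matches(parse_rules(deny_text), daemon, client):
        return False                   # 2. otherwise a hosts.deny match denies
    return True                        # 3. no match in either file: granted

# Constructed sample files in the article's "mostly closed" style.
DENY = "ALL: ALL\n"
ALLOW = "ALL: .a-random-isp.com\nin.telnetd: ALL\n"
STAR_ALLOW = "ALL: *.some-place.com\n"  # the asterisk pitfall

if __name__ == "__main__":
    checks = [(ALLOW, DENY, "in.ftpd", "www.a-random-isp.com"),
              (ALLOW, DENY, "in.ftpd", "host.elsewhere.example"),
              (ALLOW, DENY, "in.telnetd", "host.elsewhere.example"),
              (STAR_ALLOW, DENY, "in.ftpd", "www.some-place.com"),
              ("", "", "in.ftpd", "host.elsewhere.example"),
              ("ALL: ALL\n", "ALL: .bigbadhackers.com\n", "in.ftpd", "x.bigbadhackers.com")]
    for allow, deny, daemon, client in checks:
        print(daemon, client, access_granted(allow, deny, daemon, client))
```

Because hosts.allow is consulted first, a catch-all rule there wins over any hosts.deny entry for the same client, which the last check shows. On a real system, tcpdmatch answers the same question against the installed files.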

If host name lookup (DNS) fails, your system may be open to compromise by people who "spoof" addresses. Put your hosts into the /etc/hosts file to prevent this from happening. Another way to remedy this is to put ALL:PARANOID into your hosts.deny file. This looks up the address someone is supposedly coming from, then does a reverse lookup on the IP address that name supposedly belongs to, and makes sure the two hostnames match. This is generally a good thing to have enabled, no matter what configuration you're using.

TCP wrappers only work for services controlled by inetd. Note that well-known programs like Apache, ssh, and sendmail do not use inetd. They have their own security methods, which should be used instead.


The use of TCP wrappers is a cheap way to make your system secure. Remember, always check your changes to your configuration files! This is only a basic introduction to TCP wrappers. If you have the time, the necessity, and the will, there isn't much you can't accomplish with TCP wrappers. Good luck!
