In this article we will explain what TCP wrappers are and how to configure them to restrict access to network services running on a Linux server. Before we start, however, we must clarify that the use of TCP wrappers does not eliminate the need for a properly configured firewall.
2. TCP Wrapper
TCP Wrapper is an open source host-based ACL (Access Control List) system, used to restrict access to TCP network services based on the client's hostname, IP address, network address, and so on. It decides which hosts are allowed to access a specific network service. TCP Wrapper was developed by the Dutch programmer and physicist Wietse Zweitze Venema in 1990 at the Eindhoven University of Technology. He maintained it until 1995, and then released it under the BSD License in 2001. In this brief guide, I will explain how to restrict access to Linux servers using TCP Wrappers.
3. Restrict Access To Linux Servers Using TCP Wrappers
TCP Wrappers implements the access control with the help of two configuration files: /etc/hosts.allow and /etc/hosts.deny.
The /etc/hosts.allow file
This file contains the list of hosts or networks that are allowed (or, with a deny option, not allowed) to access a service. That means we can both allow and deny connections to network services by defining access rules in this file alone.
The /etc/hosts.deny file
This file contains the list of hosts or networks that are not allowed to access your Linux server. The access rules in this file can also be set up in /etc/hosts.allow with a ‘deny’ option.
The typical syntax to define an access rule is:
daemon_list : client_list : option : option ...
- daemon_list – The name of the network service daemon process (for example sshd, not the protocol name SSH), such as the SSH, FTP or portmap daemons.
- client_list – A list of valid hostnames, IP addresses or network addresses, separated by commas and/or blanks.
- option – An optional action that specifies something to be done whenever the rule is matched; several options may be given.
The syntax is the same for both files.
3.2. How to Use TCP Wrappers to Restrict Access to Services
The best practice for securing a Linux server is to deny all incoming connections to the wrapped services, and then allow only a few specific hosts or networks. To do so, edit the /etc/hosts.deny file:
sudo vi /etc/hosts.deny
Add the following line. This line refuses connections to ALL services from ALL networks:
ALL: ALL
Then, edit /etc/hosts.allow file:
sudo vi /etc/hosts.allow
and allow only the specific hosts or networks of your choice, for example:
sshd: 192.168.2.1 192.168.2.2
Also, you can specify valid hostnames instead of IP addresses, as shown below.
sshd: server1.tutorials-space.com server2.tutorials-space.com
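To check what the rules above actually decide before they go live, here is an added example (not code from the article or from the TCP Wrappers project): a small Python evaluator of the hosts.allow-first, hosts.deny-second decision order, fed with constructed copies of the two files from this section. It implements only a subset of the hosts_access(5) client patterns and takes the client name or address as given, without the DNS cross-checks the real tcpd performs.

```python
# Added example (not the article's code): a minimal evaluator of the
# hosts.allow -> hosts.deny decision order, to check rules before deploying.
# Supports a subset of hosts_access(5) patterns: ALL, exact IP or hostname,
# trailing-dot net prefix (192.168.2.), leading-dot domain suffix, net/mask or
# CIDR. Not implemented: EXCEPT, KNOWN/UNKNOWN/PARANOID, user@host, bracketed
# IPv6 forms, and options.
import ipaddress

# Constructed sample files mirroring the rules used in this article.
HOSTS_DENY = "ALL: ALL\n"
HOSTS_ALLOW = "sshd: 192.168.2.1 192.168.2.2\nsshd: server1.tutorials-space.com\n"

def parse_rules(text):
    """Return (daemon_list, client_list) pairs; elements split on blanks/commas."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()      # drop comments and blanks
        if not line:
            continue
        fields = [f.strip() for f in line.split(":")]
        if len(fields) < 2:
            continue                              # malformed; tcpd logs and skips it
        rules.append((fields[0].replace(",", " ").split(),
                      fields[1].replace(",", " ").split()))
    return rules

def client_matches(pattern, client):
    """Match one client_list pattern against a client IP address or hostname."""
    if pattern == "ALL":
        return True
    if pattern.endswith("."):                     # network prefix, e.g. 192.168.2.
        return client.startswith(pattern)
    if pattern.startswith("."):                   # domain suffix, e.g. .example.com
        return client.lower().endswith(pattern.lower())
    if "/" in pattern:                            # net/mask or CIDR, e.g. 10.0.0.0/8
        try:
            return ipaddress.ip_address(client) in ipaddress.ip_network(pattern, strict=False)
        except ValueError:                        # client is a hostname or pattern is bad
            return False
    return pattern.lower() == client.lower()

def access_granted(daemon, client, allow_text=HOSTS_ALLOW, deny_text=HOSTS_DENY):
    """hosts.allow is consulted first (a match grants); then hosts.deny (a match
    refuses); if neither matches, access is granted by default. The client is
    taken as given; real tcpd also cross-checks reverse and forward DNS."""
    for text, verdict in ((allow_text, True), (deny_text, False)):
        for daemons, clients in parse_rules(text):
            if ("ALL" in daemons or daemon in daemons) and any(client_matches(p, client) for p in clients):
                return verdict
    return True
```

Note the default: a daemon that matches neither file is allowed, which is why the ALL: ALL line in hosts.deny matters, and why TCP Wrappers only protect services that are actually linked against libwrap or started through tcpd.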