Server Security

TCP Wrappers

by Bill Brooks  • 

A great way to keep potential threats at bay and make your server more secure is to employ TCP Wrappers. TCP Wrappers are a form of access control you can use – in conjunction with a firewall – to lock out unwanted users and increase your server security.

TCP Wrappers are similar to a firewall, in that you can allow and deny IPs or hosts, but different as they provide some additional options as well. TCP Wrappers use access rules in the hosts.allow file to allow or deny connections to network services that use the tcp_wrappers library, libwrap.

For example, you may want to allow someone access to FTP files to your server, but not want to allow them SSH, WHM, or any other kind of access. TCP Wrappers allow you to grant them access to FTP, or another specific feature, while denying them access to everything else.

You can create TCP Wrappers on the command line by adding to the /etc/host.allow file. Use of the hosts.deny file is now deprecated; all rules can be placed in the hosts.allow file.

A line in the hosts.allow file generally will look something like services, IP, and whether to allow or deny the connection:

sshd : 123.456.789.1 : allow
ftpd : 123.456.789.2 : deny

You can use domain names as well:

sshd : : allow
ftpd : : deny

It is also possible to block an IP or domain from accessing any service on the server. Let’s adapt the line for

all : : deny

If you need more information, your server contains a TCP Wrappers README file in /usr/share/doc/tcp_wrappers-<version> with more details on how TCP Wrappers work and their implementation.

TCP Wrappers should not replace a good system firewall, but can compliment one nicely to increase server security. There are more advanced configurations that allow you to return a message, log the activity, and even check IPs or domains against DNS. If you are a ServInt customer and would like assistance setting up a hosts.allow file, please open a ticket in your customer portal and we would be glad to help.

Photo by Sylwia Bartyzel

Find out more about ServInt solutions

Starting at $69

  1. It's easy to lock down your server with TCP Wrappers, in this week's Tech Bench.
  2. Using tcp_wrappers (while sometimes inconvenient) was one of the best security choices we made when it was suggested by Giles nearly 10 years ago.
  3. Allow or deny IP addresses or hosts to to specific services on your VPS, with TCP Wrappers.
  4. A simple way to increase your server security: TCP Wrappers, this week on the #TechBench.
Start the conversation

Bill Brooks

Bill Brooks

Escalated Technician, ServInt

Bill Brooks is an Escalated Technician and the Continuing Education Facilitator for ServInt’s Managed Services Team. He is a life-long tech enthusiast and enjoys music, video games and hockey on the side.

  • The New York Times
  • The Hill
  • Bloomberg
  • The Seattle Times
  • Computer World
  • Ars Technica