Server Security

TCP Wrappers

A great way to keep potential threats at bay and make your server more secure is to employ TCP Wrappers. TCP Wrappers are a form of access control you can use – in conjunction with a firewall – to lock out unwanted users and increase your server security.

TCP Wrappers are similar to a firewall in that you can allow and deny IPs or hosts, but they provide some additional options as well. TCP Wrappers use access rules in the hosts.allow file to allow or deny connections to network services that use the tcp_wrappers library, libwrap.

For example, you may want to allow someone FTP access to your server, but not SSH, WHM, or any other kind of access. TCP Wrappers allow you to grant them access to FTP, or another specific feature, while denying them access to everything else.

You can create TCP Wrappers rules on the command line by adding them to the /etc/hosts.allow file. Use of the hosts.deny file is now deprecated; all rules can be placed in the hosts.allow file.

A line in the hosts.allow file generally lists the service, the IP, and whether to allow or deny the connection:

sshd : 123.456.789.1 : allow
ftpd : 123.456.789.2 : deny

You can use domain names as well:

sshd : : allow
ftpd : : deny

It is also possible to block an IP or domain from accessing any service on the server. Let’s adapt the line for

all : : deny
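
The rule format above, modelled as an added example (not part of the original article and not libwrap's own code): a simplified Python evaluator showing that the first matching line decides the outcome and that a connection matching no line is allowed. The sample rules, the `.blocked.example` domain and the documentation-range addresses are constructed; only IPv4 and the `service : client : allow|deny` form shown on this page are handled, and an empty hosts.deny is assumed.

```python
# Simplified model of hosts.allow matching; not libwrap, IPv4 only.
# Constructed sample rules: addresses come from documentation ranges and
# ".blocked.example" is a made-up domain.
SAMPLE_RULES = """\
sshd : 192.0.2.10 : allow
ftpd : 198.51.100. : allow
ALL : .blocked.example : deny
sshd, ftpd : ALL : deny
"""

def parse_rules(text):
    """Return (daemons, clients, action) tuples in file order."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = [f.strip() for f in line.split(":")]
        if len(fields) != 3 or fields[2].lower() not in ("allow", "deny"):
            raise ValueError(f"unsupported rule: {line!r}")
        daemons = fields[0].replace(",", " ").split()
        clients = fields[1].replace(",", " ").split()
        rules.append((daemons, clients, fields[2].lower()))
    return rules

def client_matches(pattern, addr, hostname):
    """Match one client pattern against the peer address and optional name."""
    if pattern.upper() == "ALL":
        return True
    if pattern.endswith("."):        # address prefix, e.g. "198.51.100."
        return addr.startswith(pattern)
    name = hostname.lower() if hostname else None
    if pattern.startswith("."):      # domain suffix, e.g. ".blocked.example"
        return name is not None and name.endswith(pattern.lower())
    return pattern == addr or pattern.lower() == name

def decide(rules, daemon, addr, hostname=None):
    """First matching rule wins; no match at all means 'allow'."""
    for daemons, clients, action in rules:
        daemon_hit = any(d.upper() == "ALL" or d == daemon for d in daemons)
        if daemon_hit and any(client_matches(c, addr, hostname) for c in clients):
            return action
    return "allow"
```

With these sample rules, a wrapped service that is not named on any line stays reachable from any address, because nothing matches it; a final catch-all deny line for all services closes that gap.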

If you need more information, your server contains a TCP Wrappers README file in /usr/share/doc/tcp_wrappers-<version> with more details on how TCP Wrappers work and their implementation.

TCP Wrappers should not replace a good system firewall, but can complement one nicely to increase server security. There are more advanced configurations that allow you to return a message, log the activity, and even check IPs or domains against DNS. If you are a ServInt customer and would like assistance setting up a hosts.allow file, please open a ticket in your customer portal and we would be glad to help.

Photo by Sylwia Bartyzel
