When a connection attempt is made to a TCP-wrapped service, the service first references the host’s access files (/etc/hosts.allow and /etc/hosts.deny) to determine whether or not the client is allowed to connect. In most cases, it then uses the syslog daemon (syslogd) to write the name of the requesting client and the requested service to /var/log/secure or /var/log/messages.
When you open a local system to access from remote systems, you must ensure that the following criteria are met:
• Open the local system only to systems you want to allow to access it.
• Allow each remote system to access only the data you want it to access.
• Allow each remote system to access data only in the appropriate manner.
For example, the following hosts.allow file allows anyone to connect to the OpenSSH daemon (ssh, scp, sftp), but allows telnet connections only from hosts on the same network as the local system and from addresses in the 192.168. subnet:
# vim /etc/hosts.allow
# daemon_list : client_list  (the daemon field must match the server's process name)
sshd : ALL
# LOCAL matches any host whose name contains no dot (hosts on the local network)
in.telnet : LOCAL
# a pattern ending in a dot matches every address that begins with it (192.168.0.0/16)
in.telnet : 192.168. 127.0.0.1
For a more secure system, put the following line in hosts.deny to block all access:
# vim /etc/hosts.deny
# the optional third field is a shell command run on a match; %c expands to the client, %d to the daemon
ALL : ALL : echo '%c tried to connect to %d and was blocked' >> /var/log/tcpwrappers.log
This line prevents any client from connecting to any service, unless specifically permitted in hosts.allow.
When a client requests a connection with a local server, the hosts.allow and hosts.deny files are consulted in the following manner until a match is found:
- If the daemon/client pair matches a line in hosts.allow, access is granted.
- If the daemon/client pair matches a line in hosts.deny, access is denied.
- If there is no match in either the hosts.allow or hosts.deny files, access is
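The lookup order above, as an added example that is not the book's code: a small Python matcher run over the two files shown on this page. It covers only the pattern forms the page uses (ALL, LOCAL, an exact address, a trailing-dot network prefix) and assumes hosts_access(5)'s default of granting access when neither file matches.

```python
# Added example, not the book's code: a minimal evaluator of the hosts.allow /
# hosts.deny lookup order described above. It supports only the pattern forms
# the page uses (ALL, LOCAL, exact address, trailing-dot network prefix) and,
# per hosts_access(5), grants access when neither file matches.

# Constructed copies of the two files shown on the page.
HOSTS_ALLOW = """
sshd : ALL
in.telnet : LOCAL
in.telnet : 192.168. 127.0.0.1
"""
HOSTS_DENY = """
ALL : ALL : echo '%c tried to connect to %d and was blocked' >> /var/log/tcpwrappers.log
"""

def parse(text):
    """Return [(daemon_list, client_list)] per rule line; the optional third
    field (a shell command) is ignored because only the decision matters here."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = [f.strip() for f in line.split(":", 2)]
        rules.append((fields[0].split(), fields[1].split()))
    return rules

def client_matches(pattern, client):
    """client is the host name or dotted IPv4 address as tcpd would see it."""
    if pattern == "ALL":
        return True
    if pattern == "LOCAL":            # hosts_access(5): any name without a dot
        return "." not in client
    if pattern.endswith("."):         # network prefix such as 192.168.
        return client.startswith(pattern)
    return client == pattern          # exact host name or address

def file_matches(rules, daemon, client):
    return any(any(d in ("ALL", daemon) for d in daemons)
               and any(client_matches(c, client) for c in clients)
               for daemons, clients in rules)

def access_allowed(daemon, client, allow=HOSTS_ALLOW, deny=HOSTS_DENY):
    """Lookup order: hosts.allow first, then hosts.deny, then the default."""
    if file_matches(parse(allow), daemon, client):
        return True                   # matched in hosts.allow: granted
    if file_matches(parse(deny), daemon, client):
        return False                  # matched in hosts.deny: denied
    return True                       # no match in either file: granted
```

With the ALL : ALL line in hosts.deny, a daemon that has no hosts.allow entry (for example vsftpd) is refused from every client; remove that line and the same request falls through to the default and is granted.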