Using TCP Wrappers hosts.allow and hosts.deny to secure RedHat / CentOS

RedHat / Centos and other similar Linux distros have 3 layers of protection that can restrict access to services (Iptables, TCP Wrappers (hosts.deny, hosts.allow) and SeLinux). When a machine on a network requests access to a specific service it first goes through Iptables, when access is granted it then goes through TCP Wrappers and then SeLinux is the last layer of protection. The best part about TCP wrappers is that it is English like and is very easy to understand. Here are some examples.

vsftpd : ALL EXCEPT 192.168.1.
mysqld : ALL EXCEPT
ALL : 192.168.
ALL : *
ALL :,,
ALL :,

Denies access and logs a failed attempt to /var/log/connections.log
sshd : \
: spawn (/bin/echo %a from %h attempted to access %d >> \
/var/log/connections.log) \
: deny

Example from the above rule:
[root@ ~]# ssh
ssh_exchange_identification: Connection closed by remote host
[root@nfs ~]# cat /var/log/connections.log from attempted to access sshd

Additional info:
TCP Wrappers will not work with httpd or squid, use iptables instead.
All of these rules can be placed in hosts.allow or hosts.deny
192.168. – Anything in the 192.168.x.x subnet will be allowed/denied access
192.168.1. – Anything in the 192.168.1.x subnet is allowed/denied access – Anything in the domain is denied/allowed access
* – Anything in the domain is denied/allowed access
Changes to the hosts.allow hosts.deny take effect immediately.
Only one rule is allowed per service in hosts.allow and hosts.deny.
Each rule has to be on a separate line.
You need to use both Iptables and TCP Wrappers for maximum protection.
Best way to test tcp wrappers is to stop Iptables and adjust the above rules.


This entry was posted in Linux and tagged , , , , . Bookmark the permalink.

Leave a Reply

Your email address will not be published. Required fields are marked *