TCP_wrappers (212.4)

Candidates should be able to configure TCP Wrapper to allow connections to specified servers only from certain hosts or subnets.

Key Knowledge Areas

TCP Wrapper configuration files, tools and utilities

inetd configuration files, tools and utilities

The following is a partial list of the used files, terms and utilities:



Libwrap is a software library which provides tcp-wrapping services. Software can be written to use this library, and use the tcp-wrapping functions and configuration files. Daemons that have to be "wrapped" have to be linked to the libwrap library during compilation.

If a daemon is tcp-wrapper enabled can be determined with the following (example) command:

# ldd `which sshd` | grep libwrap => /lib/x86_64-linux-gnu/ (0x00007f88177a9000)

What do TCP wrappers do?

Before TCP wrappers were born, a daemon called inetd used to listen for incoming network connections and took it upon itself to start the appropriate server program when needed.

For security reasons, it became necessary to only allow certain types of incoming connections from certain hosts. The inetd daemon now listens to incoming requests and instead of starting the server program needed, inetd starts tcpd which does some additional checks (such as where the request came from). If tcpd determines that the connection should be honoured, the server program needed to honour the request is launched by tcpd.

What don't TCP wrappers do?

TCP wrappers do not protect against network sniffing because TCP wrappers do not encrypt network traffic. Use ssh encryption to prevent network sniffing.

Configuring inetd for use with TCP wrappers

For tcp-wrapper enabled daemons inetd can be configured to use tcp-wrappers. /etc/hosts.allow and /etc/hosts.deny (first match in that order) will be checked for access rules.

The following line in /etc/inetd.conf instructs inetd to listen on the FTP port and to start /usr/sbin/tcpdwith the /usr/sbin/wu-ftdp argument if a connection is made to the listening port:

ftp   stream  tcp nowait  root  /usr/sbin/tcpd  /usr/sbin/wu-ftpd -l

The lines of /etc/inetd.conf are made up of the following mandatory fields:

service name

This is the name of the service as specified in the file /etc/services, in this case ftp.

socket type

This is the socket type which should be one of stream, dgram, raw, rdm or seqpacket. In this case the socket type for ftp is stream.


This is the protocol type used as specified in the file /etc/protocols, in this case tcp.


For non datagram sockets this is always nowait.


This entry specifies which user/group the program should run with. In this case, root.

server program

This entry contains the pathname of the program to be executed by inetd when a request is made to that socket.

server program arguments

This is the program, with its command line arguments, that is to be started by inetd if the criteria are met. In this case, this is /usr/sbin/wu-ftpd -l.

/etc/hosts.allow and /etc/hosts.deny

/etc/hosts.allow, (daemon,client) pairs that are granted access.

/etc/hosts.deny, (daemon,client) pairs that are denied access.

The form of the rules in both files is the following:

daemon_list : client_list [ : shell_command ]

This is a list of one or more daemon process names or wildcards. Consult the man page of host_access(5) for details.


This is a list of one or more host names, host addresses, patterns or wildcards that will be matched against the client host name or address. Consult the man page of host_access(5) for details.


Command to be run by the shell when the rule matches.

The foreign_host_list can be of the following form:


Universal wildcard pattern.


In the context of: lists1 EXCEPT list2


This matches known addresses, after a succesfull DNS lookup.


The wildcard matches any hosts that does not contain a dot. Only local hosts.


Opposite of KNOWN.

hosts.allow and hosts.deny example

A simple setup would be to add ALL: ALL at the /etc/hosts.deny file. And only add hosts or domains in /etc/hosts.allow.


ALL : [::1]




The hosts.allow file is evaluated prior to hosts.deny. So if a match occurs in hosts.allow the connection can be made.


Service access is checked by hosts.allow and hosts.deny when using tcpd. Configuration of services is done in inetd.conf.

Configuring xinetd for use with tcp-wrappers

Xinetd stands for eXtended InterNET services Daemon and replaces the combination of inetd and tcpd. xinetd can do the same things and offers extra functionality such as: more sophisticated access control, preventing DoS attacks, extensive logging. For more information, take a look at the Xinetd Homepage .

Like with inetd /etc/hosts.allow and /etc/hosts.deny will be checked for access rules, but access rules can also be configured in the xinetd configuration files for the affected daemons.

The following options are supported in the xinetd files to control host access:

  • only_from - Allows the hosts specified to use the service.

  • no_access - Blocks these hosts from using this service.

  • access_times - Specifies the time range when a particular service may be used. The time range must be stated in a HH:MM-HH:MM format using 24-hour notation.

Copyright Snow B.V. The Netherlands