TCP_WRAPPERS is configured in two files, /etc/hosts.allow and /etc/hosts.deny. Each line in these files is a rule of the form daemon_list : client_list, and a rule can govern either all services (ALL) or individual services. The files are evaluated in a fixed order: /etc/hosts.allow is searched first, then /etc/hosts.deny; the first matching rule wins, and a connection that matches no rule in either file is allowed. Because of that default, the same advice that applies to a firewall applies here: adopt either a “block everything, only open what you need” policy (a catch-all rule in hosts.deny) or an “open everything, block only what you don’t need” policy (specific rules in hosts.deny and nothing in hosts.allow). Here is a sample configuration that blocks everything by default, but opens up access for a few services:
more /etc/hosts.deny
ALL: ALL

more /etc/hosts.allow
sshd: ALL EXCEPT 192.168.1.10
vsftpd: 192.168.1.0/24 EXCEPT 192.168.1.10
The TCP_WRAPPERS files are read by the wrapper library on every new connection, not loaded once at startup, so changes made to these files go into effect immediately without restarting any server. Note that only servers that are linked against libwrap, or that are started through a wrapper-aware superserver such as xinetd or tcpd/inetd, consult these files at all; a server that ignores libwrap is unaffected by whatever is listed here (for example, OpenSSH dropped libwrap support in version 6.7, so on such systems the sshd rule above does nothing). The example configuration denies all access by default, and then opens it up specifically for the sshd and vsftpd services. Users from everywhere except the system 192.168.1.10 are allowed to connect to the sshd service, and all users on the 192.168.1.0/24 network, except for 192.168.1.10, are allowed to connect to vsftpd. The EXCEPT keyword applies within a list, so a connection from 192.168.1.10 simply fails to match either hosts.allow rule and then falls through to the ALL: ALL rule in hosts.deny. The prefix-length notation 192.168.1.0/24 is accepted by most current distributions’ builds of tcp_wrappers; the form documented with the original tcp_wrappers is a network/netmask pair, 192.168.1.0/255.255.255.0, which every version accepts.
Let’s assume that we have xinetd configured and running, with the imap configuration as listed earlier. In addition, the /etc/hosts.deny and /etc/hosts.allow files are the same as our example. Our server system has an IP address of 10.0.0.1, and our client system has an IP address of 10.0.0.112. When an attempt is made to connect to the imap server on 10.0.0.1 from 10.0.0.112, the connection times out. ...
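The decision procedure described above (hosts.allow first, then hosts.deny, first match wins, default allow, with EXCEPT applied inside each list) is small enough to model directly. The following Python script is an added example written for this page; it is not part of the original text and not the tcp_wrappers library itself. It embeds the two files from the example as constructed strings and evaluates the same clients the text discusses, including the xinetd imap case from 10.0.0.112. The daemon name "imapd" for the imap service is an assumption (TCP_WRAPPERS matches on the server program's name, which depends on how the xinetd service is defined); since no hosts.allow rule names it, any name gives the same result. Only IPv4 addresses, CIDR and network/netmask client tokens are implemented; hostname, wildcard and IPv6 tokens, nested EXCEPT, and the optional third field (shell command) of a rule are left out.

```python
import ipaddress

# Constructed sample files, mirroring the configuration shown in the text.
HOSTS_ALLOW = """
# sshd is reachable from everywhere except one host; vsftpd only from the LAN
sshd: ALL EXCEPT 192.168.1.10
vsftpd: 192.168.1.0/24 EXCEPT 192.168.1.10
"""

HOSTS_DENY = """
ALL: ALL
"""


def parse_list(field):
    """Split 'a b EXCEPT c d' into (included tokens, excluded tokens)."""
    tokens = field.split()
    if "EXCEPT" in tokens:
        i = tokens.index("EXCEPT")
        return tokens[:i], tokens[i + 1:]
    return tokens, []


def parse_rules(text):
    """Return [(daemon_list, client_list), ...] from a hosts.allow/hosts.deny body.

    Comments (#) and blank lines are skipped. A third ':' field, which real
    tcp_wrappers treats as a shell command or option, is ignored here.
    """
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split(":")
        if len(fields) < 2:
            raise ValueError(f"malformed rule: {line!r}")
        rules.append((parse_list(fields[0]), parse_list(fields[1])))
    return rules


def daemon_token_matches(token, daemon):
    return token == "ALL" or token == daemon


def client_token_matches(token, client_ip):
    """Match ALL, a single IPv4 address, a CIDR prefix, or a net/netmask pair."""
    if token == "ALL":
        return True
    ip = ipaddress.ip_address(client_ip)
    if "/" in token:
        # ip_network accepts both 192.168.1.0/24 and 192.168.1.0/255.255.255.0
        return ip in ipaddress.ip_network(token, strict=False)
    return ip == ipaddress.ip_address(token)


def list_matches(parsed, value, match):
    """A list matches if some included token matches and no excluded token does."""
    included, excluded = parsed
    return (any(match(t, value) for t in included)
            and not any(match(t, value) for t in excluded))


def rule_matches(rule, daemon, client_ip):
    daemons, clients = rule
    return (list_matches(daemons, daemon, daemon_token_matches)
            and list_matches(clients, client_ip, client_token_matches))


def access_allowed(daemon, client_ip, allow_text=HOSTS_ALLOW, deny_text=HOSTS_DENY):
    """Decide as the wrapper does: hosts.allow, then hosts.deny, then default allow."""
    for rule in parse_rules(allow_text):
        if rule_matches(rule, daemon, client_ip):
            return True
    for rule in parse_rules(deny_text):
        if rule_matches(rule, daemon, client_ip):
            return False
    return True  # no rule matched in either file: access is granted


if __name__ == "__main__":
    checks = [("sshd", "10.0.0.112"), ("sshd", "192.168.1.10"),
              ("vsftpd", "192.168.1.50"), ("vsftpd", "192.168.1.10"),
              ("vsftpd", "10.0.0.112"), ("imapd", "10.0.0.112")]  # imapd name assumed
    for daemon, client in checks:
        verdict = "allow" if access_allowed(daemon, client) else "deny"
        print(f"{daemon:8} from {client:14} -> {verdict}")
```

The last case shows why the imap connection in the scenario above is rejected: nothing in hosts.allow names the imap daemon, so the ALL: ALL line in hosts.deny is the first rule to match. Passing an empty string as deny_text demonstrates the other half of the semantics, that with no catch-all deny rule the same connection would be allowed. On a real system the tcpdmatch utility shipped with tcp_wrappers performs this same evaluation against the live files (for example, tcpdmatch sshd 192.168.1.10).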