TCP_WRAPPERS is configured in two files, /etc/hosts.allow and /etc/hosts.deny. These files contain rules that govern either all services or individual services. As with a firewall, it is usually good practice to adopt either a “block everything, only open what you need” mentality or an “open everything, block only what you don’t need” mentality when configuring TCP_WRAPPERS. Here is a sample configuration that blocks everything by default but opens up access for a few services:

# more /etc/hosts.deny

# more /etc/hosts.allow
vsftpd: EXCEPT

The TCP_WRAPPERS files are read in real time by the servers that support them, so changes made to these files go into effect immediately. The example configuration denies all access by default, and then opens it up specifically for the sshd and vsftpd services. Users from everywhere except the system are allowed to connect to the sshd service, and all users on the network, except for, are allowed to connect to vsftpd.
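
The lookup order behind a deny-by-default setup like this one, as an added example that is not from the book: a simplified Python model of the hosts_access matching rules, including the EXCEPT operator. The rule contents, the addresses (documentation ranges) and the imapd daemon name are constructed placeholders, not the book's values.

```python
# Simplified model of hosts_access(5) matching (IPv4 addresses and hostnames only).
# Sample rules are constructed; 192.0.2.x / 198.51.100.x are documentation ranges.
HOSTS_ALLOW = """\
sshd: ALL EXCEPT 192.0.2.10
vsftpd: 192.0.2. EXCEPT 192.0.2.50
"""
HOSTS_DENY = "ALL: ALL\n"


def _match_one(pattern, value):
    if pattern == "ALL":
        return True
    if pattern.endswith("."):        # network prefix such as "192.0.2."
        return value.startswith(pattern)
    if pattern.startswith("."):      # domain suffix such as ".example.com"
        return value.endswith(pattern)
    return pattern == value


def _match_list(tokens, value):
    # "a b EXCEPT c" matches when a or b matches and c does not.
    if "EXCEPT" in tokens:
        i = tokens.index("EXCEPT")
        return _match_list(tokens[:i], value) and not _match_list(tokens[i + 1:], value)
    return any(_match_one(t, value) for t in tokens)


def _file_matches(text, daemon, client):
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        daemons, clients = (f.replace(",", " ").split() for f in line.split(":")[:2])
        if _match_list(daemons, daemon) and _match_list(clients, client):
            return True
    return False


def access(daemon, client, allow=HOSTS_ALLOW, deny=HOSTS_DENY):
    if _file_matches(allow, daemon, client):   # 1. a hosts.allow match grants access
        return "allow"
    if _file_matches(deny, daemon, client):    # 2. otherwise a hosts.deny match refuses it
        return "deny"
    return "allow"                             # 3. no match in either file: access granted


if __name__ == "__main__":
    for d, c in [("sshd", "198.51.100.7"), ("sshd", "192.0.2.10"),
                 ("vsftpd", "192.0.2.50"), ("imapd", "192.0.2.20")]:
        print(d, c, access(d, c))
```

With an empty hosts.deny the same imapd request is granted, which is why the deny-everything rule is what makes the allow list restrictive.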

Let’s assume that we have xinetd configured and running, with the imap configuration as listed earlier. In addition, the /etc/hosts.deny and /etc/hosts.allow files are the same as our example. Our server system has an IP address of, and our client system has an IP address of When an attempt is made to connect to the imap server on from, the connection times out. ...

Get LPI Linux Certification in a Nutshell, 3rd Edition now with O’Reilly online learning.