17.2. TCP Wrappers Configuration Files
When a TCP wrapped service receives a client request, it consults the hosts access files in the following order:
- /etc/hosts.allow — The TCP wrapped service sequentially parses the /etc/hosts.allow file and applies the first rule specified for that service. If it finds a matching rule, it allows the connection. If not, it moves on to the next step.
- /etc/hosts.deny — The TCP wrapped service sequentially parses the /etc/hosts.deny file. If it finds a matching rule, it denies the connection. If not, access to the service is granted.
The following are important points to consider when using TCP wrappers to protect network services:
- Because access rules in hosts.allow are applied first, they take precedence over rules specified in hosts.deny. Therefore, if access to a service is allowed in hosts.allow, a rule denying access to that same service in hosts.deny is ignored.
- The rules in each file are read from the top down and the first matching rule for a given service is the only one applied. The order of the rules is extremely important.
- If no rules for the service are found in either file, or if neither file exists, access to the service is granted.
- TCP wrapped services do not cache the rules from the hosts access files, so any changes to hosts.allow or hosts.deny take effect immediately without restarting network services.
If the last line of a hosts access file is not terminated by a newline character, the last rule in the file fails and an error is logged to /var/log/secure. This is also the case for a rule that spans multiple lines without using the backslash. The following example illustrates the relevant portion of a log message for a rule failure due to either of these circumstances:
warning: /etc/hosts.allow, line 20: missing newline or line too long
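The two conditions behind that log message can be caught before a file is installed. The following Python checker is an added example and is not part of the guide or of the TCP wrappers package; it applies the rules this chapter gives for hosts access files (blank lines and lines starting with # are ignored, a rule continues onto the next line only when it ends in a backslash, and each rule has a daemon list and a client list separated by a colon) and reports a missing final newline, a continuation left open at the end of the file, and a rule with an empty daemon or client list, which is how a continuation line that lost its backslash appears. The sample file contents are constructed for the demonstration.

```python
"""Checker for TCP wrappers hosts access files (added example, not from the guide)."""


def check_hosts_access(text: str) -> list:
    """Return a list of problems found in the text of a hosts.allow/hosts.deny file.

    Checks modelled on the failure described in the guide: the file must end
    with a newline, a rule may continue onto the next line only with a trailing
    backslash, and every rule needs a daemon list and a client list.
    """
    problems = []
    if text and not text.endswith("\n"):
        problems.append("file does not end with a newline; the last rule will fail")

    # Join backslash-continued lines into logical rules, keeping the physical
    # line number where each rule starts so problems can be located.
    rules, buf, first = [], "", None
    for lineno, line in enumerate(text.splitlines(), start=1):
        if not buf:
            first = lineno
        buf += line
        if buf.endswith("\\"):
            buf = buf[:-1]          # continuation: keep collecting
            continue
        rules.append((first, buf))
        buf = ""
    if buf:
        problems.append(f"line {first}: rule ends with a backslash at end of file")

    for lineno, rule in rules:
        stripped = rule.strip()
        if not stripped or stripped.startswith("#"):
            continue                # blank lines and comments are ignored
        fields = stripped.split(":", 2)
        if len(fields) < 2:
            problems.append(f"line {lineno}: no ':' between daemon list and client list")
            continue
        daemons, clients = fields[0].strip(), fields[1].strip()
        if not daemons or not clients:
            problems.append(f"line {lineno}: empty daemon list or client list "
                            "(a continuation line missing its backslash?)")
    return problems


# Constructed sample files for the demonstration.
GOOD = ("sshd : .example.com \\\n"
        "  : spawn /bin/echo `/bin/date` access denied>>/var/log/sshd.log \\\n"
        "  : deny\n")
NO_FINAL_NEWLINE = "vsftpd : .example.com"
MISSING_BACKSLASH = "sshd : .example.com\n  : deny\n"

if __name__ == "__main__":
    for name, text in [("GOOD", GOOD), ("NO_FINAL_NEWLINE", NO_FINAL_NEWLINE),
                       ("MISSING_BACKSLASH", MISSING_BACKSLASH)]:
        print(name, check_hosts_access(text) or ["ok"])
```

Run it against a real file with `check_hosts_access(open("/etc/hosts.allow").read())`; an empty list means none of the three problems was found.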
17.2.1. Formatting Access Rules
The format of the /etc/hosts.allow and /etc/hosts.deny files is identical. Any blank lines or lines that start with a hash mark (#) are ignored, and each rule must be on its own line. Each rule uses the following basic format to control access to network services:
<daemon list>: <client list> [: <option>: <option>: ...]
- <daemon list> — A comma separated list of process names (not service names) or the ALL wildcard. The daemon list also accepts operators (refer to Section 17.2.1.4, “Operators”) to allow greater flexibility.
- <client list> — A comma separated list of hostnames, host IP addresses, special patterns (refer to Section 17.2.1.2, “Patterns”), or special wildcards (refer to Section 17.2.1.1, “Wildcards”) which identify the hosts affected by the rule. The client list also accepts the operators listed in Section 17.2.1.4, “Operators” to allow greater flexibility.
- <option> — An optional action or colon separated list of actions performed when the rule is triggered, such as running a shell command or explicitly allowing or denying access (refer to Section 17.2.2, “Option Fields”).
The following is a basic sample hosts access rule:
vsftpd : .example.com
This rule instructs TCP wrappers to watch for connections to the FTP daemon (vsftpd) from any host in the example.com domain. If this rule appears in hosts.allow, the connection is accepted. If this rule appears in hosts.deny, the connection is rejected.
The next sample hosts access rule is more complex and uses two option fields:
sshd : .example.com \
  : spawn /bin/echo `/bin/date` access denied>>/var/log/sshd.log \
  : deny
Note that each option field is preceded by the backslash (\). Use of the backslash prevents failure of the rule due to length.
This sample rule states that if a connection to the SSH daemon (sshd) is attempted from a host in the example.com domain, execute the echo command (which logs the attempt to a special file), and deny the connection. Because the optional deny directive is used, this line denies access even if it appears in the hosts.allow file. For a more detailed look at available options, refer to Section 17.2.2, “Option Fields”.
17.2.1.1. Wildcards
Wildcards allow TCP wrappers to match groups of daemons or hosts more easily. They are used most frequently in the client list field of access rules. The following wildcards are available:
- ALL — Matches everything. It can be used for both the daemon list and the client list.
- LOCAL — Matches any host that does not contain a period (.), such as localhost.
- KNOWN — Matches any host where the hostname and host address are known or where the user is known.
- UNKNOWN — Matches any host where the hostname or host address are unknown or where the user is unknown.
- PARANOID — Matches any host where the hostname does not match the host address.
Important: The KNOWN, UNKNOWN, and PARANOID wildcards should be used with care, as a disruption in name resolution may prevent legitimate users from gaining access to a service.
17.2.1.2. Patterns
Patterns can be used in the client list field of access rules to specify groups of client hosts more precisely. The following is a list of the most common accepted patterns for a client list entry:
- Hostname beginning with a period (.) — Placing a period at the beginning of a hostname matches all hosts sharing the listed components of the name. The following example applies to any host within the example.com domain:
ALL : .example.com
- IP address ending with a period (.) — Placing a period at the end of an IP address matches all hosts sharing the initial numeric groups of an IP address. The following example applies to any host within the 192.168.x.x network:
ALL : 192.168.
- IP address/netmask pair — Netmask expressions can also be used as a pattern to control access to a particular group of IP addresses. The following example applies to any host with an address in the range 192.168.0.0 through 192.168.1.255:
ALL : 192.168.0.0/255.255.254.0
Important: When working in the IPv4 address space, the address/prefix length (prefixlen) pair declarations are not supported. Only IPv6 rules can use this format.
- [IPv6 address]/prefixlen pair — [net]/prefixlen pairs can also be used as a pattern to control access to a particular group of IPv6 addresses. The following example applies to any host with an address in the range 3ffe:505:2:1:: through 3ffe:505:2:1:ffff:ffff:ffff:ffff:
ALL : [3ffe:505:2:1::]/64
- The asterisk (*) — Asterisks can be used to match entire groups of hostnames or IP addresses, as long as they are not mixed in a client list containing other types of patterns. The following example applies to any host within the example.com domain:
ALL : *.example.com
- The slash (/) — If a client list begins with a slash, it is treated as a file name. This is useful if rules specifying large numbers of hosts are necessary. The following example refers TCP wrappers to the /etc/telnet.hosts file for all Telnet connections:
in.telnetd : /etc/telnet.hosts
Other, less frequently used patterns are also accepted by TCP wrappers. Refer to the hosts_access man 5 page for more information.
17.2.1.3. Portmap and TCP Wrappers
When creating access control rules for portmap, do not use hostnames, as portmap's implementation of TCP wrappers does not support host lookups. For this reason, only use IP addresses or the keyword ALL when specifying hosts in portmap access control rules. In addition, changes to portmap access control rules may not take effect immediately without restarting the portmap service. Widely used services such as NFS and NIS depend on portmap to operate, so be aware of these limitations.
17.2.1.4. Operators
At present, access control rules accept one operator, EXCEPT. It can be used in both the daemon list and the client list of a rule. The EXCEPT operator allows specific exceptions to broader matches within the same rule.
In the following example from a hosts.allow file, all example.com hosts are allowed to connect to all services except cracker.example.com:
ALL: .example.com EXCEPT cracker.example.com
In another example from a hosts.allow file, clients from the 192.168.0.x network can use all services except for FTP:
ALL EXCEPT vsftpd: 192.168.0.
Note: It is often easier to avoid using EXCEPT operators. This allows other administrators to quickly scan the appropriate files to see what hosts are allowed or denied access to services, without having to sort through EXCEPT operators.
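To make the evaluation order described at the start of this section, the client list patterns, and the EXCEPT operator concrete, the following Python model is added here as an example. It is not the libwrap code that TCP wrappers actually use, and it deliberately leaves out the resolver-dependent wildcards (KNOWN, UNKNOWN, PARANOID) and file-name client lists. It parses hosts.allow and hosts.deny text (the sample rules below are constructed for the demonstration, not taken from any real system) and decides a connection the way the text describes: hosts.allow first, the first matching rule wins, a deny option in hosts.allow overrides, then hosts.deny, and access is granted when nothing matches.

```python
"""Model of how TCP wrappers evaluate hosts.allow and hosts.deny.

Added example, a simplified re-implementation rather than the libwrap code.
"""
import fnmatch
import ipaddress
import re


def _logical_lines(text):
    """Yield rules with backslash continuations joined; skip blanks and comments."""
    buf = ""
    for line in text.splitlines():
        buf += line
        if buf.endswith("\\"):
            buf = buf[:-1]
            continue
        rule, buf = buf.strip(), ""
        if rule and not rule.startswith("#"):
            yield rule


def _split_fields(rule):
    """Split on ':' outside [...] so bracketed IPv6 addresses stay intact."""
    fields, depth, cur = [], 0, ""
    for ch in rule:
        depth += {"[": 1, "]": -1}.get(ch, 0)
        if ch == ":" and depth == 0:
            fields.append(cur.strip())
            cur = ""
        else:
            cur += ch
    fields.append(cur.strip())
    return fields


def parse_rules(text):
    """Return (daemon list, client list, [options]) for each rule in a file."""
    rules = []
    for rule in _logical_lines(text):
        fields = _split_fields(rule)
        if len(fields) >= 2:  # a rule without a client list is malformed; skip it
            rules.append((fields[0], fields[1], [o.lower() for o in fields[2:]]))
    return rules


def _client_token_matches(token, hostname, addr):
    """Match one client list token against the connecting host."""
    ip, host = ipaddress.ip_address(addr), hostname.lower()
    if token == "ALL":
        return True
    if token == "LOCAL":                     # hostname without a period
        return "." not in host
    if token.startswith("/"):                # file-name list: not modelled here
        return False
    if token.startswith("["):                # [IPv6 net]/prefixlen
        return ip in ipaddress.ip_network(token.replace("[", "").replace("]", ""), strict=False)
    if token.startswith("."):                # domain suffix
        return host.endswith(token.lower())
    if token.endswith("."):                  # leading numeric groups of an IPv4 address
        return addr.startswith(token)
    if "/" in token:                         # IPv4 address/netmask pair
        return ip in ipaddress.ip_network(token, strict=False)
    if "*" in token or "?" in token:         # shell-style wildcard
        return fnmatch.fnmatchcase(host, token.lower()) or fnmatch.fnmatchcase(addr, token)
    return host == token.lower() or addr == token


def _list_matches(spec, token_matches):
    """Evaluate 'list EXCEPT list EXCEPT ...' from left to right."""
    def any_match(part):
        return any(token_matches(t) for t in re.split(r"[,\s]+", part.strip()) if t)
    parts = re.split(r"\s+EXCEPT\s+", spec)
    result = any_match(parts[0])
    for part in parts[1:]:
        result = result and not any_match(part)
    return result


def decide(daemon, hostname, addr, allow_text, deny_text):
    """Return 'allow' or 'deny' for a connection to `daemon` from the given host."""
    def rule_matches(rule):
        daemons, clients, _ = rule
        return (_list_matches(daemons, lambda t: t in ("ALL", daemon))
                and _list_matches(clients, lambda t: _client_token_matches(t, hostname, addr)))
    # Step 1: hosts.allow; the first matching rule is applied (a deny option overrides).
    for rule in parse_rules(allow_text):
        if rule_matches(rule):
            return "deny" if "deny" in rule[2] else "allow"
    # Step 2: hosts.deny; the first matching rule is applied (an allow option overrides).
    for rule in parse_rules(deny_text):
        if rule_matches(rule):
            return "allow" if "allow" in rule[2] else "deny"
    return "allow"  # no rule in either file: access is granted


# Constructed sample files for the demonstration.
HOSTS_ALLOW = """\
# constructed hosts.allow
sshd : .example.com EXCEPT cracker.example.com
ALL EXCEPT vsftpd : 192.168.0.
ALL : [3ffe:505:2:1::]/64
in.telnetd : 192.168.1. \\
    : deny
"""
HOSTS_DENY = "ALL : ALL\n"

if __name__ == "__main__":
    print(decide("sshd", "cracker.example.com", "203.0.113.11", HOSTS_ALLOW, HOSTS_DENY))  # deny
```

With HOSTS_DENY set to the common catch-all `ALL : ALL`, cracker.example.com is refused because the EXCEPT clause removes it from the first hosts.allow rule and nothing else there matches; an FTP client on 192.168.0.x falls through for the same reason; a Telnet client on 192.168.1.x is refused even though its rule lives in hosts.allow, because of the deny option; and a client that matches nothing in either file is allowed, which is why the deny file matters.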