Learning Academy


TCP Wrappers

Access Rules Formation

The format for both /etc/hosts.allow and /etc/hosts.deny is identical. Each rule must be on its own line. Blank lines or lines that start with a hash (#) are ignored.

Each rule uses the following basic format to control access to network services:

<daemon list> : <client list> [: <option> : <option> : ...]

The following is a basic sample hosts access rule:

sshd : .xyz.com

This rule instructs TCP Wrappers to watch for connections to the SSH daemon (sshd) from any host in the xyz.com domain. If this rule appears in hosts.allow, the connection is accepted. If this rule appears in hosts.deny, the connection is rejected.

The next sample hosts access rule is more complex and uses two option fields:

sshd : .xyz.com : spawn /bin/echo `/bin/date` access denied>>/var/log/sshd.log : deny

This sample rule states that if a connection to the SSH daemon (sshd) is attempted from a host in the xyz.com domain, TCP Wrappers executes the echo command to append the attempt to a special log file and denies the connection. Because the optional deny directive is used, this line denies access even if it appears in the hosts.allow file.
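The rule format and the effect of the deny option can be checked with a small reader for the two files. This is an added example, not part of TCP Wrappers or of the original article. It assumes the usual evaluation order (hosts.allow first, then hosts.deny, first match wins, access granted when nothing matches), and the function names and the trusted.example domain are made up for illustration.

```python
# Simplified reader for hosts.allow / hosts.deny (added example).
# Assumes no escaped colons inside option fields; handles only exact names,
# the ALL wildcard, and leading-dot domain patterns such as .xyz.com.

def parse_rules(text):
    """Return one (daemons, clients, options) tuple per rule line."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):  # blank and comment lines are ignored
            continue
        fields = [f.strip() for f in line.split(":")]
        if len(fields) < 2 or not fields[0] or not fields[1]:
            raise ValueError(f"malformed rule: {line!r}")
        daemons = fields[0].replace(",", " ").split()
        clients = fields[1].replace(",", " ").split()
        rules.append((daemons, clients, fields[2:]))
    return rules

def client_matches(pattern, host):
    if pattern == "ALL":
        return True
    if pattern.startswith("."):  # .xyz.com matches host.xyz.com, not xyz.com
        return host.lower().endswith(pattern.lower())
    return host.lower() == pattern.lower()

def first_match(rules, daemon, host):
    for daemons, clients, options in rules:
        if (daemon in daemons or "ALL" in daemons) and any(
                client_matches(c, host) for c in clients):
            return options
    return None

def is_allowed(allow_text, deny_text, daemon, host):
    """Check hosts.allow, then hosts.deny; the first matching rule decides."""
    for text, default in ((allow_text, True), (deny_text, False)):
        options = first_match(parse_rules(text), daemon, host)
        if options is not None:
            if "deny" in options:   # explicit option overrides the file's default
                return False
            return True if "allow" in options else default
    return True  # no rule matched in either file

# Constructed sample files; trusted.example is a placeholder domain.
HOSTS_ALLOW = """# constructed sample
sshd : .xyz.com : spawn /bin/echo `/bin/date` access denied>>/var/log/sshd.log : deny
sshd : .trusted.example
"""
HOSTS_DENY = "ALL : ALL\n"
```

The spawn command is only parsed here, never executed; the reader reports the access decision alone.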

Muhammad Shaukat

Content Developer at LearnAcad.com
