TCP Wrapper (hosts.allow & hosts.deny) Command Options in Linux

TCP wrappers can control access to network services and log connection attempts. They can display banners, warn of attacks from certain hosts, and enhance logging. Banners are implemented by creating banner files and adding entries to hosts.allow. Potential attacks can be logged using the spawn directive in hosts.deny. All access can be denied and logged using an entry in hosts.deny, and specific domains or hosts can also be denied by entries in either hosts.allow or hosts.deny.


thegeekdiary.com/tcp-wrapper-hosts-allow-hosts-deny-command-options-in-linux/

admin

TCP wrappers are capable of more than allowing and denying access to services. With the
optional command argument, they can send connection banners, warn of attacks from
particular hosts, and enhance logging.

TCP wrapper banner for a service


To implement a TCP wrapper banner for a service, use the banner option. This example
implements a banner for vsftpd. You need to create a banner file anywhere on the system,
giving it the same name as the daemon. In this example, the file is called
/etc/banners/vsftpd and contains the following lines:

220-Hello, %c
220-All activity on ftp.example.com is logged.
220-Inappropriate use results in access privileges being removed.

The %c token supplies a variety of client information. The %d token (not shown) expands
to the name of the daemon that the client attempted to connect to. For this banner to be
displayed to incoming connections, add the following line to the /etc/hosts.allow file:

# vi /etc/hosts.allow
vsftpd : ALL : banners /etc/banners/

TCP wrappers to warn of potential attacks


TCP wrappers can warn you of potential attacks from a host or network by using the spawn
directive. The spawn directive executes any shell command. In this example, access is
being attempted from the 200.182.68.0/24 network, written in the rule as a net/mask pair
(a bare address such as 200.182.68.0 would match only that single host). Place the
following line in the /etc/hosts.deny file to deny any connection attempts from that
network, and to log the attempts to a special file:

# vi /etc/hosts.deny
ALL : 200.182.68.0/255.255.255.0 : spawn /bin/echo `date` %c %d >> /var/log/intruder_alert

To allow the connection and log it, place the spawn directive in the /etc/hosts.allow file.

Deny access and log connection attempt


The following entry in /etc/hosts.deny denies all client access to all services (unless
specifically permitted in /etc/hosts.allow) and logs the connection attempt:

# vi /etc/hosts.deny
ALL : ALL : spawn /bin/echo "%c tried to connect to %d and was blocked" >> /var/log/tcpwrappers.log
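The spawn commands above only append text to a file; the log is useful when something reads it. The following added example (not part of the original article) parses constructed sample lines in the two formats those rules produce, "<date output> %c %d" in /var/log/intruder_alert and "%c tried to connect to %d and was blocked" in /var/log/tcpwrappers.log, and counts blocked attempts per client and daemon. The function names, the sample dates and the hostnames are assumptions made for the example.

```python
"""Summarise the log lines written by the spawn commands on this page.

Added example, not part of the original article. The two formats handled:
  /var/log/intruder_alert  -> "<date output> %c %d"
  /var/log/tcpwrappers.log -> "%c tried to connect to %d and was blocked"
"""
import re
from collections import Counter, defaultdict

# Constructed sample lines; dates and the scanner hostname are invented.
INTRUDER_ALERT = """\
Tue Mar  5 14:02:11 UTC 2024 200.182.68.5 sshd
Tue Mar  5 14:02:13 UTC 2024 200.182.68.5 sshd
Tue Mar  5 14:02:20 UTC 2024 200.182.68.9 vsftpd
"""

TCPWRAPPERS_LOG = """\
scanner.example.net tried to connect to telnetd and was blocked
scanner.example.net tried to connect to sshd and was blocked
200.182.68.5 tried to connect to sshd and was blocked
not a log line at all
"""

# The `date` output is free-form, so the client and daemon are taken from the
# last two whitespace-separated fields of the line.
ALERT_RE = re.compile(r"^(?P<when>.+?)\s+(?P<client>\S+)\s+(?P<daemon>\S+)$")
BLOCKED_RE = re.compile(
    r"^(?P<client>\S+) tried to connect to (?P<daemon>\S+) and was blocked$")


def parse_events(text, pattern):
    """Return a list of (client, daemon) for lines matching pattern; skip the rest."""
    events = []
    for line in text.splitlines():
        m = pattern.match(line.strip())
        if m:
            events.append((m.group("client"), m.group("daemon")))
    return events


def summarise(events):
    """Return {client: {daemon: count}} for a list of (client, daemon) events."""
    per_client = defaultdict(Counter)
    for client, daemon in events:
        per_client[client][daemon] += 1
    return {client: dict(counts) for client, counts in per_client.items()}


def noisy_clients(summary, threshold=2):
    """Clients whose total blocked attempts reach the threshold, most active first."""
    totals = {client: sum(counts.values()) for client, counts in summary.items()}
    return sorted((c for c, n in totals.items() if n >= threshold),
                  key=lambda c: (-totals[c], c))


def report(alert_text=INTRUDER_ALERT, blocked_text=TCPWRAPPERS_LOG, threshold=2):
    """Combine both logs and return (summary, clients at or above threshold)."""
    events = parse_events(alert_text, ALERT_RE) + parse_events(blocked_text, BLOCKED_RE)
    summary = summarise(events)
    return summary, noisy_clients(summary, threshold)


if __name__ == "__main__":
    summary, noisy = report()
    for client, per_daemon in sorted(summary.items()):
        print(client, per_daemon)
    print("clients at or above threshold:", noisy)
```

Lines that match neither format are ignored rather than treated as an error, since anything the spawned shell writes to the same file ends up interleaved with these entries.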

The log level can be elevated by using the severity option. Assume that anyone attempting
to ssh to an FTP server is an intruder. To denote this, place an emerg flag in the log files
instead of the default flag, info, and deny the connection. To do this, place the following line
in /etc/hosts.deny:

# vi /etc/hosts.deny
sshd : ALL : severity emerg

This uses the default authpriv logging facility, but elevates the priority from the default value
of info to emerg, which posts log messages directly to the console.

Deny access from a specific domain


The following example states that if a connection to the SSH daemon (sshd) is attempted
from a host in the example.com domain, execute the echo command to append the attempt
to a special log file, and deny the connection. Because the optional deny directive is used,
this line denies access even if it appears in the /etc/hosts.allow file:

# vi /etc/hosts.allow
sshd : .example.com \
: spawn /bin/echo `/bin/date` access denied >> /var/log/sshd.log \
: deny

Each option field (spawn and deny) is placed on its own line, and the backslash (\) at the
end of the preceding line continues the rule, so a long rule is not broken across lines.
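The order in which the two files are consulted decides what the rules above do: /etc/hosts.allow is checked first, then /etc/hosts.deny, and a client that matches neither is allowed, which is why the deny option in the last example can deny a connection from within hosts.allow. The following added example (not the page's code and not libwrap itself) is a simplified Python re-implementation of that matching order. It parses the page's rules from constructed copies of both files (including the backslash continuation), supports the pattern forms used on the page (ALL, a leading-dot domain suffix, a net/mask pair, a trailing-dot address prefix, an exact host or address), expands the %c and %d tokens, and renders rather than executes the spawn command. The function names, the Decision fields and the sample client addresses (203.0.113.x, 198.51.100.x) are assumptions made for the example; real libwrap %c may also carry a user@ prefix when ident lookups are enabled, which this simplification omits.

```python
"""Simplified simulation of the TCP wrapper access decision (added example).

Not libwrap: a re-implementation of the hosts_access(5) lookup order for the
pattern forms used on this page. hosts.allow is consulted first, then
hosts.deny; a client matching neither file is allowed.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Constructed copies of the rule lines shown on the page.
HOSTS_ALLOW = r"""
vsftpd : ALL : banners /etc/banners/
sshd : .example.com \
    : spawn /bin/echo `/bin/date` access denied >> /var/log/sshd.log \
    : deny
"""

HOSTS_DENY = r"""
ALL : 200.182.68.0/255.255.255.0 : spawn /bin/echo `date` %c %d >> /var/log/intruder_alert
sshd : ALL : severity emerg
ALL : ALL : spawn /bin/echo "%c tried to connect to %d and was blocked" >> /var/log/tcpwrappers.log
"""


@dataclass
class Rule:
    daemons: List[str]
    clients: List[str]
    options: List[str]
    source: str  # "hosts.allow" or "hosts.deny"


@dataclass
class Decision:
    allowed: bool
    source: str                      # file whose rule matched, or "default"
    spawn: Optional[str] = None      # rendered shell command; never executed here
    severity: Optional[str] = None
    banner_dir: Optional[str] = None


def parse_rules(text: str, source: str) -> List[Rule]:
    """Parse one access-control file; a trailing backslash continues the rule."""
    rules, pending = [], ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        if line.endswith("\\"):
            pending = line[:-1] + " "
            continue
        pending = ""
        if not line or line.startswith("#"):
            continue
        fields = [f.strip() for f in line.split(":")]
        if len(fields) < 2:
            raise ValueError(f"malformed rule in {source}: {line!r}")
        rules.append(Rule(fields[0].replace(",", " ").split(),
                          fields[1].replace(",", " ").split(), fields[2:], source))
    return rules


def client_matches(pattern: str, address: str, hostname: Optional[str]) -> bool:
    """Match one client pattern the way the page's rules use them."""
    if pattern == "ALL":
        return True
    if pattern.startswith("."):                  # domain suffix, e.g. .example.com
        return hostname is not None and hostname.lower().endswith(pattern.lower())
    if "/" in pattern:                           # net/mask, e.g. 200.182.68.0/255.255.255.0
        return ipaddress.ip_address(address) in ipaddress.ip_network(pattern, strict=False)
    if pattern.endswith("."):                    # address prefix, e.g. 200.182.68.
        return address.startswith(pattern)
    return pattern.lower() in (address, (hostname or "").lower())


def expand(template: str, daemon: str, address: str, hostname: Optional[str]) -> str:
    """Expand %a, %c, %d, %h and %% (simplified: %c is the hostname, else the address)."""
    client = hostname or address
    table = {"a": address, "c": client, "d": daemon, "h": client, "%": "%"}
    out, i = [], 0
    while i < len(template):
        if template[i] == "%" and i + 1 < len(template) and template[i + 1] in table:
            out.append(table[template[i + 1]])
            i += 2
        else:
            out.append(template[i])
            i += 1
    return "".join(out)


def decide(daemon: str, address: str, hostname: Optional[str] = None,
           allow_text: str = HOSTS_ALLOW, deny_text: str = HOSTS_DENY) -> Decision:
    """First matching rule wins: hosts.allow, then hosts.deny, then allow by default."""
    for rule in parse_rules(allow_text, "hosts.allow") + parse_rules(deny_text, "hosts.deny"):
        if not ("ALL" in rule.daemons or daemon in rule.daemons):
            continue
        if not any(client_matches(p, address, hostname) for p in rule.clients):
            continue
        decision = Decision(allowed=(rule.source == "hosts.allow"), source=rule.source)
        for option in rule.options:
            word, _, arg = option.partition(" ")
            if word == "deny":
                decision.allowed = False
            elif word == "allow":
                decision.allowed = True
            elif word == "spawn":
                decision.spawn = expand(arg.strip(), daemon, address, hostname)
            elif word == "severity":
                decision.severity = arg.strip()
            elif word == "banners":
                decision.banner_dir = arg.strip()
        return decision
    return Decision(allowed=True, source="default")


if __name__ == "__main__":
    for args in [("sshd", "203.0.113.7", "attacker.example.com"),
                 ("vsftpd", "198.51.100.9", "client.example.org"),
                 ("sshd", "200.182.68.5", None),
                 ("telnetd", "198.51.100.20", "host.example.org")]:
        print(args, decide(*args))
```

Two things the simulation makes visible: the deny rule for .example.com in hosts.allow stops the search before hosts.deny is ever read, so the severity emerg rule does not apply to those clients, and a client that matches the network rule in hosts.deny never reaches the ALL : ALL rule, so only the first matching spawn command runs.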

Understanding TCP Wrappers (/etc/hosts.allow & /etc/hosts.deny) in Linux
