tcp-wrappers
Tcp-wrappers is used to deny access to hosts that try to connect to
services on your server, like ssh, telnet, ftp etc. It is not a packet-filtering
firewall: the kernel still accepts the TCP connection, and the service (or the
tcpd/xinetd wrapper in front of it) then checks the client against two
access-control files before talking to it. Because the check happens inside the
application, it only protects services that ask for it. It is very easy to set
up. In /etc/ there are two files you need to edit, hosts.allow and hosts.deny.
Hosts.allow is where you list the IP addresses of machines that should be allowed
to connect to a particular service. Hosts.deny is where you list machines that
should not connect to a particular service. The files are checked in order,
hosts.allow first and hosts.deny second, and the first rule that matches both the
service and the client in question is followed; if no rule in either file
matches, the connection is allowed. So, typically, you allow explicit access in
hosts.allow and deny everything else in hosts.deny. Use the following example as
a template.
edit hosts.allow
to look like this
sshd: 155.21.52., 132.12.64.2
this will allow anyone from the 155.21.52.0/24 network (a pattern that ends in a
dot matches every address that begins with it) and the single host 132.12.64.2
to connect to sshd (the ssh daemon). The service name and the client list are
separated by a colon, and multiple clients are separated by commas.
edit hosts.deny
to look like this
ALL: ALL
this will deny all hosts access to all services that tcp-wrappers controls,
except the services and hosts that are listed in /etc/hosts.allow. This is
typically any service started through xinetd (configured under /etc/xinetd.d,
since xinetd is normally built with libwrap) and any standalone service that is
linked against the library libwrap. The ssh daemon has traditionally been one of
them, but OpenSSH removed libwrap support upstream in version 6.7 and not every
distribution patches it back in, so check before you rely on it:
`ldd /usr/sbin/sshd | grep libwrap` (adjust the path for your system). If that
prints nothing, sshd ignores these files and you need sshd's own AllowUsers or
Match Address restrictions, or a packet filter, instead. You want to use
tcp-wrappers on anything that connects to your box except web traffic, which
will not run through tcp-wrappers by default anyhow; this would be ssh, ftp,
telnet, etc. There is no need to reboot or restart any services for tcp-wrappers
changes to take effect: the two files are re-read on every new connection, so as
soon as the changes are saved, all new connections will be filtered by the
criteria that you specified (connections that are already open are not
affected). Before you close the ssh session you are editing from, test the rules
from a second terminal, or ask tcp-wrappers itself, which ships with a
tcpdmatch tool for exactly this: `tcpdmatch sshd 155.21.52.7` prints the rule
that matched and whether access would be granted or denied.
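As an added example (not code from the original page), here is a small POSIX
shell script that re-implements the decision order just described over
constructed copies of the two files above, written to a temporary directory
rather than /etc. It runs the template through four daemon/client pairs and
then repeats the run with hosts.deny left empty, to show why the ALL: ALL line
matters. The directory layout, the function names and the sample clients are
all illustrative; on a real system use tcpdmatch for the same check.

```shell
#!/bin/sh
# Added example, not code from the original page: a simulator of the
# hosts_access(5) decision order, so the two-file logic can be exercised
# offline without touching /etc.  Rules are evaluated the way the text
# describes: hosts.allow first, then hosts.deny, first match wins, and no
# match in either file means the connection is allowed.
# Supported pattern subset (enough for the page's example): ALL, an exact
# IPv4 address, a trailing-dot network prefix, comma-separated lists.

WRAP_DIR=$(mktemp -d)           # constructed stand-in for /etc
trap 'rm -rf "$WRAP_DIR"' EXIT

# Scenario 1: the page's template, copied into constructed files.
mkdir -p "$WRAP_DIR/template"
cat > "$WRAP_DIR/template/hosts.allow" <<'EOF'
# constructed copy of the page's hosts.allow example
sshd: 155.21.52., 132.12.64.2
EOF
cat > "$WRAP_DIR/template/hosts.deny" <<'EOF'
ALL: ALL
EOF

# Scenario 2: same hosts.allow but hosts.deny left empty (a common mistake).
mkdir -p "$WRAP_DIR/nodeny"
cp "$WRAP_DIR/template/hosts.allow" "$WRAP_DIR/nodeny/hosts.allow"
: > "$WRAP_DIR/nodeny/hosts.deny"

# pattern_matches PATTERN VALUE -> exit 0 if the single pattern matches.
pattern_matches() {
    pat=$1; val=$2
    case "$pat" in
        ALL) return 0 ;;                                   # wildcard
        *.)  case "$val" in "$pat"*) return 0 ;; esac ;;   # 155.21.52. matches 155.21.52.7
        *)   [ "$pat" = "$val" ] && return 0 ;;            # exact address or daemon name
    esac
    return 1
}

# list_matches "a, b, c" VALUE -> exit 0 if any comma-separated pattern matches.
list_matches() {
    list=$1; val=$2; rc=1
    old_ifs=$IFS; IFS=','
    for item in $list; do
        item=$(printf '%s' "$item" | tr -d ' \t')         # strip surrounding blanks
        if pattern_matches "$item" "$val"; then rc=0; break; fi
    done
    IFS=$old_ifs
    return $rc
}

# file_matches FILE DAEMON CLIENT -> exit 0 if some "daemons: clients" line matches.
file_matches() {
    file=$1; daemon=$2; client=$3
    while IFS= read -r line || [ -n "$line" ]; do
        line=${line%%#*}                                   # drop comments
        case "$line" in *:*) ;; *) continue ;; esac        # skip blank/malformed lines
        if list_matches "${line%%:*}" "$daemon" && list_matches "${line#*:}" "$client"; then
            return 0
        fi
    done < "$file"
    return 1
}

# hosts_access DIR DAEMON CLIENT -> prints allow or deny, the verdict tcpdmatch would give.
hosts_access() {
    dir=$1; daemon=$2; client=$3
    if file_matches "$dir/hosts.allow" "$daemon" "$client"; then
        echo allow
    elif file_matches "$dir/hosts.deny" "$daemon" "$client"; then
        echo deny
    else
        echo allow                                         # no rule matched: access granted
    fi
}

for scenario in template nodeny; do
    echo "== $scenario =="
    for pair in "sshd 155.21.52.7" "sshd 132.12.64.2" "sshd 10.0.0.1" "telnetd 155.21.52.7"; do
        set -- $pair
        printf '%-8s from %-13s -> %s\n' "$1" "$2" "$(hosts_access "$WRAP_DIR/$scenario" "$1" "$2")"
    done
done
```

With the template, sshd from 155.21.52.7 and from 132.12.64.2 is allowed, sshd
from 10.0.0.1 is denied, and telnetd from 155.21.52.7 is denied even though that
client is in hosts.allow, because the hosts.allow line only names sshd. In the
nodeny scenario every one of those connections is allowed, which is the
default-allow behaviour the ALL: ALL line in hosts.deny exists to prevent.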