A great way to keep potential threats at bay and make your server more secure is to employ TCP Wrappers. TCP Wrappers are a form of access control you can use – in conjunction with a firewall – to lock out unwanted users and increase your server security.
TCP Wrappers are similar to a firewall, in that you can allow and deny IPs or hosts, but different as they provide some additional options as well. TCP Wrappers use access rules in the hosts.allow file to allow or deny connections to network services that use the tcp_wrappers library, libwrap.
For example, you may want to allow someone access to FTP files to your server, but not want to allow them SSH, WHM, or any other kind of access. TCP Wrappers allow you to grant them access to FTP, or another specific feature, while denying them access to everything else.
You can create TCP Wrappers on the command line by adding to the /etc/host.allow file. Use of the hosts.deny file is now deprecated; all rules can be placed in the hosts.allow file.
A line in the hosts.allow file generally will look something like services, IP, and whether to allow or deny the connection:
sshd : 123.456.789.1 : allow
ftpd : 123.456.789.2 : deny
You can use domain names as well:
sshd : servint.net : allow
ftpd : badguys.com : deny
It is also possible to block an IP or domain from accessing any service on the server. Let’s adapt the line for badguys.com:
all : badguys.com : deny
If you need more information, your server contains a TCP Wrappers README file in /usr/share/doc/tcp_wrappers-<version> with more details on how TCP Wrappers work and their implementation.
TCP Wrappers should not replace a good system firewall, but can compliment one nicely to increase server security. There are more advanced configurations that allow you to return a message, log the activity, and even check IPs or domains against DNS. If you are a ServInt customer and would like assistance setting up a hosts.allow file, please open a ticket in your customer Portal and we would be glad to help.