2.6. TCP Wrappers and xinetd

download PDF
Controlling access to network services is one of the most important security tasks facing a server administrator. Red Hat Enterprise Linux provides several tools for this purpose. For example, an iptables-based firewall filters out unwelcome network packets within the kernel's network stack. For network services that utilize it, TCP Wrappers add an additional layer of protection by defining which hosts are or are not allowed to connect to "wrapped" network services. One such wrapped network service is the xinetd super server. This service is called a super server because it controls connections to a subset of network services and further refines access control.
Figure 2.4, “Access Control to Network Services” is a basic illustration of how these tools work together to protect network services.
Access Control to Network Services

Figure 2.4. Access Control to Network Services

For more information about using firewalls with iptables, see Section 2.8.9, “IPTables”.

2.6.1. TCP Wrappers

The TCP Wrappers packages (tcp_wrappers and tcp_wrappers-libs) are installed by default and provide host-based access control to network services. The most important component within the package is the /lib/ or /lib64/ library. In general terms, a TCP-wrapped service is one that has been compiled against the library.
When a connection attempt is made to a TCP-wrapped service, the service first references the host's access files (/etc/hosts.allow and /etc/hosts.deny) to determine whether or not the client is allowed to connect. In most cases, it then uses the syslog daemon (syslogd) to write the name of the requesting client and the requested service to /var/log/secure or /var/log/messages.
If a client is allowed to connect, TCP Wrappers release control of the connection to the requested service and take no further part in the communication between the client and the server.
In addition to access control and logging, TCP Wrappers can execute commands to interact with the client before denying or releasing control of the connection to the requested network service.
Because TCP Wrappers are a valuable addition to any server administrator's arsenal of security tools, most network services within Red Hat Enterprise Linux are linked to the library. Such applications include /usr/sbin/sshd, /usr/sbin/sendmail, and /usr/sbin/xinetd.


To determine if a network service binary is linked to, type the following command as the root user:
ldd <binary-name> | grep libwrap
Replace <binary-name> with the name of the network service binary. If the command returns straight to the prompt with no output, then the network service is not linked to
The following example indicates that /usr/sbin/sshd is linked to
~]# ldd /usr/sbin/sshd | grep libwrap => /lib/ (0x00655000) Advantages of TCP Wrappers

TCP Wrappers provide the following advantages over other network service control techniques:
  • Transparency to both the client and the wrapped network service — Both the connecting client and the wrapped network service are unaware that TCP Wrappers are in use. Legitimate users are logged and connected to the requested service while connections from banned clients fail.
  • Centralized management of multiple protocols — TCP Wrappers operate separately from the network services they protect, allowing many server applications to share a common set of access control configuration files, making for simpler management.
Red Hat logoGithubRedditYoutubeTwitter


Try, buy, & sell


About Red Hat Documentation

We help Red Hat users innovate and achieve their goals with our products and services with content they can trust.

Making open source more inclusive

Red Hat is committed to replacing problematic language in our code, documentation, and web properties. For more details, see the Red Hat Blog.

About Red Hat

We deliver hardened solutions that make it easier for enterprises to work across platforms and environments, from the core datacenter to the network edge.

© 2024 Red Hat, Inc.