UNIX TCP Wrappers

Traditionally, UNIX systems allow any host, from anywhere, to connect to their various services (such as telnetd, ftpd, POP/IMAP). Since the majority of NRC's systems are connected directly to the Internet, this means anyone may have access to the systems and their services.

To restrict this, TCP wrappers are used to control which systems have access to which service.

An access control file, /etc/hosts.allow (or /etc/hosts.deny), contains a list of services and a list of hosts/domains allowed (or denied) access to those services. With a catch-all deny rule at the end, only the hosts (and services) listed in /etc/hosts.allow are permitted to connect, whether the connection comes from a remote or a local system. A typical last line in the access control file is

ALL : ALL : severity auth.crit : deny

which denies access to all services/systems not matched by an earlier line. /etc/hosts.deny would also typically have that same last line.
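The following is an added example, not part of the original text or of the TCP Wrappers software: a simplified evaluator for the two access control files that mirrors the documented check order (hosts.allow first, then hosts.deny, and a client that matches neither is granted access). The file contents, host names and addresses are constructed for illustration; the severity option is accepted but ignored, and EXCEPT clauses are not supported.

```python
import ipaddress

# Constructed sample files. The last line of HOSTS_ALLOW is the catch-all rule
# shown in the text; everything above it names the hosts that are permitted.
HOSTS_ALLOW = [
    "in.telnetd sshd : .example.com",      # whole domain may use telnet/ssh
    "in.ftpd : 192.168.1.",                # one network prefix may use ftp
    "ALL : ALL : severity auth.crit : deny",
]
HOSTS_DENY = ["ALL : ALL : severity auth.crit : deny"]

def _host_matches(pattern, client):
    """Match one host pattern against a (hostname, ip) pair."""
    name, ip = client
    if pattern == "ALL":
        return True
    if pattern.startswith("."):            # domain suffix, e.g. .example.com
        return name.endswith(pattern)
    if pattern.endswith("."):              # network prefix, e.g. 192.168.1.
        return ip.startswith(pattern)
    if "/" in pattern:                     # net/mask, e.g. 10.0.0.0/255.0.0.0
        net = ipaddress.ip_network(pattern, strict=False)
        return ipaddress.ip_address(ip) in net
    return pattern in (name, ip)           # exact host name or address

def _first_match(lines, file_default, daemon, client):
    """Verdict of the first rule in one file that matches, or None."""
    for line in lines:
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        fields = [f.strip() for f in line.split(":")]
        if not any(d in ("ALL", daemon) for d in fields[0].split()):
            continue
        if not any(_host_matches(h, client) for h in fields[1].split()):
            continue
        options = fields[2:]               # e.g. 'severity auth.crit', 'deny'
        if "deny" in options:
            return "deny"
        return "allow" if "allow" in options else file_default
    return None

def decide(hosts_allow, hosts_deny, daemon, client):
    """Check order: hosts.allow, then hosts.deny; a client matching neither is
    granted access, so the catch-all deny line is what makes this default-deny."""
    verdict = _first_match(hosts_allow, "allow", daemon, client)
    if verdict is None:
        verdict = _first_match(hosts_deny, "deny", daemon, client)
    return verdict or "allow"
```

Evaluating the same client against HOSTS_ALLOW with its last line removed and an empty hosts.deny shows why the catch-all matters: an unlisted host is granted access.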

This allows us to greatly enhance our control over who has access to which service on which system.