TCP wrappers were developed when there were no real packet filters available and access control was needed. Nevertheless, they're still very interesting and useful. The TCP wrappers allow you to allow or deny a service for a host or a domain and define a default allow or deny rule (all performed on the application level). If you want more information take a look at hosts_access(5) manual page.

Debian 中安装的很多服务可以:

On the one hand, for services configured in /etc/inetd.conf (this includes telnet, ftp, netbios, swat and finger) you will see that the configuration file executes /usr/sbin/tcpd first. On the other hand, even if a service is not launched by the inetd superdaemon, support for the tcp wrappers rules can be compiled into it. Services compiled with tcp wrappers in Debian include ssh, portmap, in.talk, rpc.statd, rpc.mountd, gdm, oaf (the GNOME activator daemon), nessus and many others.

To see which packages use tcpwrappers ^[25] try:

  $ apt-cache rdepends libwrap0

考虑到 tcpchk(非常有用的 CP wrappers 配置文件规则和符号检查器)的运行. 当您在 hosts.deny 和 hosts.allow 文件中添加独立的服务时(它们时 wrapper 库的符号连接), tcpdchk会因找不到那些服务而发出警告, 因为它通过 /etc/inetd.conf 查找(联机手册 不是很准确).

Now, here comes a small trick, and probably the smallest intrusion detection system available. In general, you should have a decent firewall policy as a first line, and tcp wrappers as the second line of defense. One little trick is to set up a SPAWN ^[26] command in /etc/hosts.deny that sends mail to root whenever a denied service triggers wrappers:

  ALL: ALL: SPAWN ( \
    echo -e "\n\
    TCP Wrappers\: Connection refused\n\
    By\: $(uname -n)\n\
    Process\: %d (pid %p)\n\
    User\: %u\n\
    Host\: %c\n\
    Date\: $(date)\n\
  " | /usr/bin/mail -s "Connection to %d blocked" root) &

当心: 上边的例子对于短时间内建立许多连接的 Dos 攻击是开放的. 很多邮件就意味着很少的数据包就会浪费大量的文件 I/O.

  $ apt-cache showpkg libwrap0 | egrep '^[[:space:]]' | sort -u | \
        sed 's/,libwrap0$//;s/^[[:space:]]\+//'