Recipe 3.9 Restricting Access by Remote Hosts (xinetd with libwrap)

3.9.1 Problem

You want only particular remote hosts to access a TCP service via xinetd , when xinetd was compiled with libwrap support.

3.9.2 Solution

Control access via /etc/hosts.allow and /etc/hosts.deny. For example, to permit Telnet connections only from and hosts in the domain, add this to /etc/hosts.allow:

in.telnetd :
in.telnetd : *
in.telnetd : ALL : DENY

Then reset xinetd so your changes take effect. [Recipe 3.3]

3.9.3 Discussion

If you want to consolidate your access control in /etc/hosts.allow and /etc/hosts.deny, rather than use xinetd-specific methods [Recipe 3.8], or if you prefer the hosts.allow syntax and capabilities, this technique might be for you. These files support a rich syntax for specifying hosts and networks that may, or may not, connect to your system via specific services.

This works only if xinetd was compiled with libwrap support enabled. To detect this, look at the output of:

$ strings /usr/sbin/xinetd | grep libwrap
libwrap refused connection to %s from %s
%s started with libwrap options compiled in.

If you see printf-style format strings like the above, your xinetd has libwrap support.

3.9.4 See Also

xinetd(8), hosts.allow(5).

    Chapter 9. Testing and Monitoring