Restrict ssh access using tcpd (TCPWrapper)

January 31, 2006 · 2 comments · LAST UPDATED November 29, 2007

tcpd is an access control facility for internet services. The tcpd program can be set up to monitor incoming requests for telnet, finger, ftp, exec, rsh, rlogin, tftp, sshd and other services that have a one-to-one mapping onto executable files. Your sshd server must be configured (compiled) with tcpd support.

You can easily check for tcpd (tcpwrapper) support with the following command:

# strings $(which sshd)| grep libwrap
libwrap refuse returns

If you get libwrap in the output (as above), then you can use tcpd as follows. Open the file /etc/hosts.deny in a text editor. This file lists the hosts/IPs that are not allowed to access the system. In this case you will block sshd (port 22). Let us say you would like to deny access to IPs

# vi /etc/hosts.deny

Add/append the following line to the file:

sshd:

Then exit to the shell prompt. Next, make sure your rules are correct with the following command:
# tcpdchk -v

Using network configuration file: /etc/inetd.conf
>>> Rule /etc/hosts.deny line 20:
daemons:  sshd
access:   denied
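Whether a hosts.deny rule takes effect also depends on /etc/hosts.allow, which is searched first. The following is an added example, not code from the original article: a Python sketch of a subset of hosts_access(5) matching (ALL, EXCEPT, exact IPv4 address, address prefix, net/mask) run over constructed sample files that use documentation addresses.

```python
import ipaddress
import re

def _match_one(pattern, value, is_client):
    """Match one hosts_access(5) pattern against a daemon name or client IP."""
    if pattern == "ALL":
        return True
    if not is_client:
        return pattern == value
    if pattern.endswith("."):                 # address prefix, e.g. "192.0.2."
        return value.startswith(pattern)
    if "/" in pattern:                        # net/mask, e.g. 198.51.100.0/255.255.255.0
        return ipaddress.ip_address(value) in ipaddress.ip_network(pattern, strict=False)
    return pattern == value                   # exact address

def _match_list(tokens, value, is_client):
    """'a EXCEPT b EXCEPT c' parses as (a EXCEPT (b EXCEPT c))."""
    if "EXCEPT" in tokens:
        i = tokens.index("EXCEPT")
        return (_match_list(tokens[:i], value, is_client)
                and not _match_list(tokens[i + 1:], value, is_client))
    return any(_match_one(t, value, is_client) for t in tokens)

def _file_matches(text, daemon, client_ip):
    """True if any 'daemon_list : client_list' line matches the pair."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 2:
            continue
        daemons = re.split(r"[,\s]+", fields[0].strip())
        clients = re.split(r"[,\s]+", fields[1].strip())
        if _match_list(daemons, daemon, False) and _match_list(clients, client_ip, True):
            return True
    return False

def access(hosts_allow, hosts_deny, daemon, client_ip):
    """hosts.allow is searched first; a match there grants access outright."""
    if _file_matches(hosts_allow, daemon, client_ip):
        return "granted"
    if _file_matches(hosts_deny, daemon, client_ip):
        return "denied"
    return "granted"                          # no match in either file

# Constructed sample files (assumed contents, not taken from the page).
ALLOW = "sshd: 192.0.2.10\n"
DENY = "sshd: 192.0.2. 198.51.100.0/255.255.255.0\nsshd: ALL EXCEPT 203.0.113.5\n"
```

With these sample files, 192.0.2.10 is granted despite the matching prefix in hosts.deny, because the hosts.allow entry wins.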

{ 2 comments }

1 starseeker October 29, 2008 at 4:38 pm

I would prefer something like

ldd $(which sshd) | grep wrap

because it's very unlikely to false-positive. Anyway, thanks for that information, it helped me a lot.


2 Adrian March 4, 2010 at 8:40 pm

Using network configuration file: /etc/inetd.conf

>>> Rule /etc/hosts.allow line 1:
daemons: sendmail
clients: all
access: granted

>>> Rule /etc/hosts.deny line 21:
daemons: sshd
clients: ALL EXCEPT
access: denied

>>> Rule /etc/hosts.deny line 22:
daemons: sshd
access: denied

>>> Rule /etc/hosts.deny line 23:
daemons: sshd
access: denied

I have this .. but it doesn’t work :| What to do?

