Restrict SSH Access Using tcpd (TCPWrapper) on Linux or Unix

How do I use tcpd on Linux to restrict ssh access?

tcpd is an access control facility for internet services. The tcpd program can be set up to monitor incoming requests for telnet, finger, ftp, exec, rsh, rlogin, tftp, sshd and other services that have a one-to-one mapping onto executable files. Your sshd server must be configured (compiled) with tcpd support. You can check for tcpd (TCP Wrapper) support with the following command:
# strings $(which sshd)| grep libwrap
Sample outputs:
libwrap refuse returns

If you see libwrap as output (as shown above) then you can use tcpd as follows to monitor incoming ssh requests.


Open the file /etc/hosts.deny in a text editor such as vi. This file lists hosts or IPs that are not allowed to access the system. In this example, you will block access to the sshd server (TCP port 22) for selected IPs.


Let us say you would like to deny access to IPs
# vi /etc/hosts.deny
Add/append the following line:


Save and close the file. Next, make sure your rules are correct by running a syntax check with the following command:
# tcpdchk -v
Sample outputs:

Using network configuration file: /etc/inetd.conf

>>> Rule /etc/hosts.deny line 20:
daemons:  sshd
access:   denied
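
To reason about which clients a rule set will actually block before relying on it, the following added example (not code from this article or from the tcpd project) evaluates hosts.allow and hosts.deny text the way hosts_access(5) documents it: hosts.allow is checked first, then hosts.deny, and a client that matches neither is granted. It is a simplified, IPv4-only subset (ALL, exact address, address prefix, net/mask, EXCEPT); the function names are hypothetical and the addresses are constructed from documentation ranges.

```python
import ipaddress

# Constructed sample rules (documentation address ranges, not from the article).
HOSTS_ALLOW = "sshd: 192.0.2.10\n"
HOSTS_DENY = """\
# block one host, one address prefix and one network
sshd: 203.0.113.5
sshd: 198.51.100.
ALL: 192.0.2.0/255.255.255.0 EXCEPT 192.0.2.77
"""

def parse_rules(text):
    """Yield (daemon_tokens, client_tokens) for each rule line."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")  # IPv4 only: bracketed IPv6 is not handled
        if len(fields) >= 2:      # a third field (options) is ignored here
            yield (fields[0].replace(",", " ").split(),
                   fields[1].replace(",", " ").split())

def pattern_matches(pattern, ip):
    """Match one client pattern against an IPv4 address string."""
    if pattern == "ALL":
        return True
    if pattern.endswith("."):   # address prefix such as "198.51.100."
        return ip.startswith(pattern)
    if "/" in pattern:          # net/mask such as 192.0.2.0/255.255.255.0
        net = ipaddress.ip_network(pattern, strict=False)
        return ipaddress.ip_address(ip) in net
    return pattern == ip

def list_matches(tokens, value, match):
    """'a EXCEPT b' matches what matches a unless it also matches b."""
    if "EXCEPT" in tokens:
        i = tokens.index("EXCEPT")
        return (list_matches(tokens[:i], value, match)
                and not list_matches(tokens[i + 1:], value, match))
    return any(match(t, value) for t in tokens)

def decide(daemon, ip, allow_text=HOSTS_ALLOW, deny_text=HOSTS_DENY):
    """Return 'granted' or 'denied' for a (daemon, client address) pair."""
    for verdict, text in (("granted", allow_text), ("denied", deny_text)):
        for daemons, clients in parse_rules(text):
            if (list_matches(daemons, daemon, lambda p, d: p in ("ALL", d))
                    and list_matches(clients, ip, pattern_matches)):
                return verdict
    return "granted"  # no rule matched in either file
```

Calling decide("sshd", "192.0.2.10") shows the ordering effect: the address sits inside the denied network, but the hosts.allow entry is consulted first and wins.
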
2 comments
  • starseeker Oct 29, 2008 @ 16:38

    I would prefer something like

    ldd $(which sshd) | grep wrap

    because it's very unlikely to false-positive. Anyway, thanks for that information, it helped me a lot

  • Adrian Mar 4, 2010 @ 20:40

    Using network configuration file: /etc/inetd.conf

    >>> Rule /etc/hosts.allow line 1:
    daemons: sendmail
    clients: all
    access: granted

    >>> Rule /etc/hosts.deny line 21:
    daemons: sshd
    clients: ALL EXCEPT
    access: denied

    >>> Rule /etc/hosts.deny line 22:
    daemons: sshd
    access: denied

    >>> Rule /etc/hosts.deny line 23:
    daemons: sshd
    access: denied

    I have this .. but it doesn't work :| What to do?
