Option Fields
In addition to basic rules that allow and deny access, the Community Enterprise Linux implementation of TCP Wrappers supports extensions to the access control language through option fields. By using option fields in hosts access rules, administrators can accomplish a variety of tasks such as altering log behavior, consolidating access control, and launching shell commands.
Option fields let administrators easily change the log facility and priority level for a rule by using the In the following example, connections to the SSH daemon from any host in the It is also possible to specify a facility using the In practice, this example does not work until the syslog daemon ( Option fields also allow administrators to explicitly allow or deny hosts in a single rule by adding the For example, the following two rules allow SSH connections from By allowing access control on a per-rule basis, the option field allows administrators to consolidate all access rules into a single file: either Option fields allow access rules to launch shell commands through the following two directives:
In the following example, clients attempting to access Telnet services from the In the following example, clients attempting to access FTP services from the For more information about shell command options, refer to the Expansions, when used in conjunction with the The following is a list of supported expansions:
The following sample rule uses an expansion in conjunction with the When connections to the SSH daemon ( Similarly, expansions can be used to personalize messages back to the client. In the following example, clients attempting to access FTP services from the For a full explanation of available expansions, as well as additional access control options, refer to section 5 of the man pages for Refer to "Additional Resources" for more information about TCP Wrappers.
Logging
severity directive.
example.com domain are logged to the default authpriv syslog facility (because no facility value is specified) with a priority of emerg:
sshd : .example.com : severity emerg
severity option. The following example logs any SSH connection attempts by hosts from the example.com domain to the local0 facility with a priority of alert:
sshd : .example.com : severity local0.alert
syslogd) is configured to log to the local0 facility. Refer to the syslog.conf man page for information about configuring custom log facilities.Access Control
allow or deny directive as the final option.
client-1.example.com, but deny connections from client-2.example.com:
sshd : client-1.example.com : allow
sshd : client-2.example.com : deny
hosts.allow or hosts.deny. Some administrators consider this an easier way of organizing access rules.Shell Commands
spawn - Launches a shell command as a child process. This directive can perform tasks like using /usr/sbin/safe_finger to get more information about the requesting client or create special log files using the echo command.example.com domain are quietly logged to a special file:
in.telnetd : .example.com \
: spawn /bin/echo `/bin/date` from %h>>/var/log/telnet.log \
: allow
twist - Replaces the requested service with the specified command. This directive is often used to set up traps for intruders (also called "honey pots"). It can also be used to send messages to connecting clients. The twist directive must occur at the end of the rule line.
example.com domain are sent a message using the echo command:
vsftpd : .example.com \
: twist /bin/echo "421 This domain has been black-listed. Access denied!"
hosts_options man page.Expansions
spawn and twist directives, provide information about the client, server, and processes involved.
%a - Returns the client's IP address.
%A - Returns the server's IP address.
%c - Returns a variety of client information, such as the username and hostname, or the username and IP address.
%d - Returns the daemon process name.
%h - Returns the client's hostname (or IP address, if the hostname is unavailable).
%H - Returns the server's hostname (or IP address, if the hostname is unavailable).
%n - Returns the client's hostname. If unavailable, unknown is printed. If the client's hostname and host address do not match, paranoid is printed.
%N - Returns the server's hostname. If unavailable, unknown is printed. If the server's hostname and host address do not match, paranoid is printed.
%p - Returns the daemon's process ID.
%s -Returns various types of server information, such as the daemon process and the host or IP address of the server.
%u - Returns the client's username. If unavailable, unknown is printed.spawn command to identify the client host in a customized log file.
sshd) are attempted from a host in the example.com domain, execute the echo command to log the attempt, including the client hostname (by using the %h expansion), to a special file:
sshd : .example.com \
: spawn /bin/echo `/bin/date` access denied to %h>>/var/log/sshd.log \
: deny
example.com domain are informed that they have been banned from the server:
vsftpd : .example.com \
: twist /bin/echo "421 %h has been banned from this server!"
hosts_access (man 5 hosts_access) and the man page for hosts_options.