Archive for the tag 'wrapper'

SBDavid

TCP Wrapper

TCP Wrapper is a library which provides simple access control and standardized logging for supported applications which accept connections over a network. Historically, TCP Wrapper was used to support inetd services.

TCP Wrapper supports only services which were built to make use of the libwrap library. To determine whether a given executable daemon /path/to/daemon supports TCP Wrapper, check the documentation, or run:

$ ldd /path/to/daemon | grep libwrap.so

If this command returns any output, then the daemon probably supports TCP Wrapper. An alternative to TCP Wrapper support is packet filtering using iptables. Note that iptables works at the network level, while TCP Wrapper works at the application level. This means that iptables filtering is more efficient and more resistant to flaws in the software being protected, but TCP Wrapper provides support for logging, banners, and other application-level tricks which iptables cannot provide.

SBDavid

Park Wrapper Error

When trying to add an addon domain, or parked domain, you might run across a ‘Park Wrapper Error’. Here are some common errors, and how to fix them:

Error from park wrapper: domainname.com is already configured.

This means that a DNS Zone File already exists for this domain. If you have WHM, simply go to Delete a DNS Zone and remove the domain name you are trying to add.

Error from park wrapper: Using nameservers with the following IPs…. Sorry, the domain is already pointed to an IP address that does not appear to use DNS servers associated with this server.

This means you still need to point the domain name to the server before you can add it.

Error from park wrapper: Unable to find out which user owns the parked domain

To solve this error message (usually received when attempting to remove a parked domain name), simply try adding the domain name to the Addon Domains section of cPanel. It will error out. After you receive the error message, go into the Parked Domains section of cPanel and remove the domain name.

Error from park wrapper: domainname.com is owned by another user

This means the domain name is already set up with hosting on your server, under a different user’s account.

Examples that show some features of TCP wrapper

If you just want to restrict ssh connections without configuring or using /etc/hosts.deny, you can add the following entries to /etc/hosts.allow:

sshd: station1 station2 station3
sshd: ALL: DENY
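
How the two rules above are evaluated, as an added example (not from the original post): a simplified Python model of first-match evaluation in /etc/hosts.allow. It assumes /etc/hosts.deny is empty and handles only literal host names, ALL and a trailing ALLOW/DENY option; station9 and vsftpd are constructed sample inputs.

```python
# Added illustration: simplified first-match evaluation of /etc/hosts.allow.
# Supports only literal host names, the ALL wildcard and a trailing
# ALLOW/DENY option; patterns, EXCEPT, netmasks and spawn are not modelled.

HOSTS_ALLOW = """\
sshd: station1 station2 station3
sshd: ALL: DENY
"""

def parse_rules(text):
    """Return a list of (daemons, clients, action) tuples in file order."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = [f.strip() for f in line.split(":")]
        if len(fields) < 2:
            continue  # malformed line, skipped in this sketch
        daemons = fields[0].replace(",", " ").lower().split()
        clients = fields[1].replace(",", " ").lower().split()
        # In hosts.allow a matching rule grants access unless it ends in DENY.
        denied = len(fields) > 2 and fields[-1].upper() == "DENY"
        rules.append((daemons, clients, "deny" if denied else "allow"))
    return rules

def matches(patterns, value):
    """Access checks are case insensitive; ALL matches anything."""
    return "all" in patterns or value.lower() in patterns

def check_access(rules, daemon, client):
    """First matching rule wins; no match falls through to 'allow'
    (assumes /etc/hosts.deny is empty, as in the setup described above)."""
    for daemons, clients, action in rules:
        if matches(daemons, daemon) and matches(clients, client):
            return action
    return "allow"

RULES = parse_rules(HOSTS_ALLOW)

if __name__ == "__main__":
    # Constructed sample requests: (daemon, client host name)
    for daemon, client in [("sshd", "station2"), ("sshd", "station9"),
                           ("vsftpd", "station9")]:
        print(daemon, client, check_access(RULES, daemon, client))
```

The third request shows that these two lines restrict sshd only: a different wrapped daemon matches neither rule and is still allowed. Rule order matters as well, since a catch-all DENY placed first would shadow the station list.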

The version of TCP wrapper that comes with Red Hat also supports the extended options documented in the hosts_options(5) man page. Here is an example of how an additional program can be spawned from, e.g., the /etc/hosts.allow file:

sshd: ALL : spawn echo "Login from %c to %s" | mail -s "Login Info for %s" log@loghost

For information on the % expansions, see “man 5 hosts_access”.

The TCP wrapper is quite flexible.

And xinetd provides its own set of host-based and time-based access control functions. You can even tell xinetd to limit the rate of incoming connections.
