How to find out if a daemon was build with TCP Wrappers support (hosts.allow/hosts.deny)

Most of the time we will protect our servers with firewall rules, but in some situations this might not be applicable (like in a VPS environment where we don’t have access to iptables). TCP wrappers (Wietse Venema’s TCP wrappers library) can be used in such cases to allow or deny access based on the configured rules in /etc/hosts.allow and /etc/hosts.deny. Most of the daemons that we might consider protecting this way will probably have build-in support for TCP Wrappers (ssh, ftp, xintetd, etc.), but how can we be sure? We might be writing the correct lines in hosts.allow/deny but we can’t see any results. In this little post I will show how we can verify if any daemon has been build with TCP Wrappers support.

To verify if any program includes TCP Wrappers support we can run the following commands (the following example is used on the ssh daemon):

ldd /usr/sbin/sshd |grep libwrap
libwrap.so.0 => /lib/libwrap.so.0 (0x0ffd6000)

or:

strings /usr/sbin/sshd | egrep "hosts.deny|hosts.allow|libwrap"
libwrap.so.0
libwrap refuse returns

If we see in the result the libwrap library, then it means that the daemon was build with TCP Wrappers support.

Here is another example of a daemon (smbd) that has NO TCP Wrappers support:

ldd /usr/sbin/smbd |grep libwrap

There is no result returned to our command.

Be careful that you might encounter outputs like this:

strings /usr/sbin/smbd | egrep "hosts.deny|hosts.allow|libwrap"
hosts allow
hosts deny
access DENIED (hosts allow/deny) for printer open

This is not referring to /etc/hosts.allow, /etc/hosts.deny, but to the internal Samba mechanism (hosts allow and hosts deny directives from smb.conf).