tcpd
Control network service access based on rules
SYNOPSIS
tcpd program [argument ...]
While tcpd is a command, it is rarely executed directly by users. Its primary use is as an intermediary process, configured within network superserver configurations (like inetd.conf or xinetd service definitions), to wrap and protect actual service daemons.
PARAMETERS
program
The full path to the actual network service daemon executable that tcpd will wrap and potentially execute.
[argument ...]
Optional arguments that will be passed directly to the program once tcpd permits the connection and executes the service daemon.
DESCRIPTION
tcpd is a network service wrapper that enhances the security of services typically invoked by superservers like inetd or xinetd. When a service is configured to use tcpd, tcpd intercepts incoming connection requests. It then consults two access control files, /etc/hosts.allow and /etc/hosts.deny, to determine whether the connection should be permitted or denied. If the connection is allowed, tcpd executes the actual service daemon; otherwise, it terminates the connection. All access attempts, whether granted or denied, are logged to the system's syslog facility. This centralized mechanism provides granular control over which hosts can access specific services and offers valuable auditing capabilities, making it an essential component for host-based access control.
CAVEATS
tcpd relies entirely on its configuration files (/etc/hosts.allow and /etc/hosts.deny); misconfigurations can lead to unintended access or denial of service.
It only protects services explicitly configured to use it, typically those invoked by superservers like inetd or xinetd, and does not provide protection for standalone daemons.
While still valuable, modern Linux systems often use more comprehensive firewall solutions (e.g., firewalld, nftables) for network-wide access control, complementing or sometimes superseding TCP Wrappers for primary filtering.
CONFIGURATION FILES (HOSTS.ALLOW AND HOSTS.DENY)
The behavior of tcpd is governed by two files: /etc/hosts.allow and /etc/hosts.deny. These files contain rules in the format daemon_list : client_list [ : option ]. tcpd first checks hosts.allow; if a match is found, access is granted. If no match is found, it then checks hosts.deny; if a match is found, access is denied. If no match is found in either file, access is typically granted by default, though this can vary by system configuration.
The daemon_list specifies which services the rule applies to, and client_list specifies which hosts or networks are affected.
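The following is an added example, not code from tcpd or this page: a small Python model of the evaluation order just described (hosts.allow first, then hosts.deny, access granted when neither matches), run over constructed sample files. It assumes only a subset of the client patterns the real hosts_access(5) syntax supports (ALL, a leading-dot domain suffix, a trailing-dot address prefix, CIDR or address/mask, and literal hosts) and ignores the optional third field.

```python
import ipaddress

def _client_matches(pattern, client_ip, client_host):
    """Match one client_list token (assumed subset of tcpd's pattern syntax)."""
    pattern = pattern.strip()
    if pattern == "ALL":
        return True
    if pattern.startswith("."):              # .example.com: domain suffix
        return client_host.endswith(pattern)
    if pattern.endswith("."):                # 10.0.: address prefix
        return client_ip.startswith(pattern)
    if "/" in pattern:                       # 192.168.1.0/24 or /255.255.255.0
        return ipaddress.ip_address(client_ip) in ipaddress.ip_network(pattern, strict=False)
    return pattern in (client_ip, client_host)

def _rule_matches(rule, daemon, client_ip, client_host):
    """A rule matches when both its daemon_list and client_list match."""
    parts = [f.strip() for f in rule.split(":")]
    if len(parts) < 2:                       # malformed line: never matches
        return False
    daemons, clients = parts[0], parts[1]   # optional third field ignored here
    daemon_ok = any(d.strip() in ("ALL", daemon) for d in daemons.split(","))
    client_ok = any(_client_matches(c, client_ip, client_host) for c in clients.split(","))
    return daemon_ok and client_ok

def parse_rules(text):
    """Return the non-blank, non-comment lines of an access control file."""
    return [ln for ln in text.splitlines() if ln.strip() and not ln.lstrip().startswith("#")]

def hosts_access(allow_text, deny_text, daemon, client_ip, client_host=""):
    """Decide 'allow' or 'deny' in the order tcpd consults the two files."""
    for rule in parse_rules(allow_text):
        if _rule_matches(rule, daemon, client_ip, client_host):
            return "allow"
    for rule in parse_rules(deny_text):
        if _rule_matches(rule, daemon, client_ip, client_host):
            return "deny"
    return "allow"                           # no match in either file

# Constructed sample files: permit sshd from the LAN and one admin host,
# permit in.ftpd from the 10.0. range, and deny everything else.
HOSTS_ALLOW = """\
# constructed example, not a real configuration
sshd : 192.168.1.0/24, admin.example.com
in.ftpd : 10.0.
"""
HOSTS_DENY = "ALL : ALL\n"

if __name__ == "__main__":
    print(hosts_access(HOSTS_ALLOW, HOSTS_DENY, "sshd", "192.168.1.42"))   # allow
    print(hosts_access(HOSTS_ALLOW, HOSTS_DENY, "sshd", "203.0.113.5"))    # deny
```

Note that with an empty hosts.deny the last call would return "allow", which is the default-permit behaviour the text warns can surprise administrators; the explicit ALL : ALL deny line closes that gap.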
LOGGING BEHAVIOR
A key feature of tcpd is its comprehensive logging. Every connection attempt, whether permitted or denied, is logged via the syslog facility, usually to the auth.info or daemon.info log level. This provides administrators with an auditable trail of who attempted to access services, from where, and whether the attempt was successful, which is invaluable for security monitoring and incident response.
HISTORY
tcpd, also known as TCP Wrappers, was developed by Wietse Venema in the early 1990s as a robust and flexible host-based access control system for network services. It rapidly gained widespread adoption across Unix-like operating systems due to its simplicity, effectiveness, and the ability to add a layer of security without modifying the service binaries themselves. It became a de-facto standard for enhancing the security of services, particularly in conjunction with the inetd superserver, and played a significant role in early internet security practices before the proliferation of dedicated firewall technologies.
SEE ALSO
inetd(8), xinetd(8), hosts.allow(5), hosts.deny(5), syslogd(8)