Tcp wrappers provides the following advantages against network services

Almost every application of the TCP/IP protocols is based on a client-
server model. for example telnet, ftp, ssh, etc..

TCP wrappers is used to allow/grant or deny access to the various services on your maschine from remote client/ or to the outside network or other machines on the same network. it does this by using two files called:

The TCP wrappers package (tcp_wrappers ) is installed by default and provides host-based access control to network services. The most important component within the package is the /usr/lib/libwrap.a library. In general terms, a TCP wrapped service is one that has been compiled against the libwrap.a library.

When a connection attempt is made to a TCP wrapped service, the service first references the hosts access files (/etc/hosts.allow and /etc/hosts.deny) to determine whether or not the client host is allowed to connect. In most cases, it then uses the syslog daemon (syslogd) to write the name of the requesting host and the requested service to /var/log/secure or /var/log/messages .

- Rules define in hosts.allow takes precedence over rules in hosts.deny .
- You can have only one rule per service in hosts.allow and hosts.deny file.
- If there are no matching rules in either of the files or if the files don't exist, then the remote machine is allowed access to the service.
- Any changes to hosts.allow and hosts.deny file takes immediate effect.

Some of the example of it:

syntax of host access file: <daemon list>: <client list> [: <option>: <option>: ...]

The following wildcards may be used:

ALL — Matches everything. It can be used for both the daemon list and the client list.
LOCAL — Matches any host that does not contain a period (.), such as localhost.
KNOWN — Matches any host where the hostname and host address are known or where the user is known.
UNKNOWN — Matches any host where the hostname or host address are unknown or where the user is unknown.
PARANOID — Matches any host where the hostname does not match the host address.

vsftpd :
This rule instructs TCP wrappers to watch for connections to the FTP daemon (vsftpd) from any host in the domain. If this rule appears in hosts.allow, the connection will be accepted. If this rule appears in hosts.deny, the connection will be rejected

Matches all hosts in the domain . Note the dot (.) at the beginning.
ALL : 123.12.
Matches all the hosts in the network. Note the dot (.) in the end of the rule.
IP address/Netmask can be used in the rule

sshd : : spawn /bin/echo `/bin/date` from %h >> /var/log/ssh.log : deny
Each time the rule is satisfied, the current date and the clients hostname %h is appended to the ssh.log file.
To determine if a network service binary is linked against libwrap.a, type the following command as the root user:

strings -f <binary-name> | grep hosts_access

# strings /usr/sbin/sendmail | grep hosts_access

Replacing <binary-name> with the name of the network service binary. If a prompt is returned, then the network service is not linked against libwrap.a .