LinuxQuestions.org
Old 10-31-2005, 12:47 AM   #1
iggep
Member
 
Registered: Sep 2005
Location: Virginia Beach, VA
Posts: 48

Rep: Reputation: 15
TCP Wrappers on LE2005


I really hate to post this because it sounds like such a newbish question, but I'm really tired right now and obviously can't figure this out in my current state.

I'm running LE 2005 as a LAMP server. I thought with TCP wrappers, and finally got around to setting up hosts.allow and hosts.deny tonight. Problem is hosts.deny simply doesn't work. Regardless of what I try to lock out, I can still get to it. I have shorewall locking out services that I really don't want accessed, but I want TCP Wrappers behind it holding the door just in case.

hosts.allow
sshd: 192.168.1.0/255.255.255.0
httpd: 192.168.1.0/255.255.255.0

hosts.deny
ALL: ALL except localhost

Coupled with Shorewall should ensure that no one outside my network should be able to access those two services (this is an intranet server). I played around with denying myself from my workstation and I can still access both sshd and httpd. Which tells me that I obviously do not have tcp wrappers working.

I look in xinetd.d and the only file I find there is sshd-xinetd, which actually has access to ssh disabled. Not the case since I'm on SSH with my server right now.

So I'm scratching my head here and the search function on the forum is a bit broad. Getting all kinds of hits on posts that don't have much to do with my problem. Can someone point me in the right direction here?
 
Old 10-31-2005, 09:25 AM   #2
Hobbletoe
Member
 
Registered: Sep 2004
Location: Dayton, Oh
Distribution: Linux Mint 17
Posts: 150

Rep: Reputation: 18
Chances are, SSH is being run from outside of xinetd. Same more than likely goes for your HTTPD server. These are normally run from outside of xinetd because xinetd is used primarily for services that are run infrequently. If you FTP to your box once in a blue moon, then this is a good choice for a service to run under xinetd. Services that continually run on a server (such as HTTPD) generally do not run under xinetd as each time a connection is attempted, the service would have to be started (possibly, depending on how it is set up for xinetd), which takes time and extra CPU cycles and all.

I know that when I installed OpenSSH on our Solaris boxes, all I had to do to get them to check the hosts.allow file was to throw a switch when I was compiling it. When we used to run telnet, we had to specify TCP Wrappers in our inet settings for telnet to check hosts.allow.

I'm not really sure how to set up TCP Wrappers for SSH or HTTPD, but hopefully you can see why things aren't working as you'd thought. Should give you something to look at at least.
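
One way to check the point made in the reply above, as an added example that is not from either poster: a daemon started on its own, outside xinetd, reads hosts.allow and hosts.deny only if TCP Wrappers (libwrap) support was built into it, and `ldd` shows that for a dynamically linked binary. The function name `wrap_support`, the script name `wrapcheck.sh`, and the static-link heuristic (searching the binary for the string hosts.allow) are assumptions of this example.

```shell
#!/bin/sh
# Added example: does a daemon binary have TCP Wrappers (libwrap) support?
# Without it, rules in hosts.allow and hosts.deny are never read by that
# daemon, no matter how they are written.

# wrap_support BINARY
#   prints: dynamic - ldd lists libwrap as a shared library
#           static  - no shared libwrap, but the binary embeds the
#                     "hosts.allow" path (heuristic for a static link)
#           none    - neither was found
#   returns 0 when support was found, 1 when not, 2 on a bad path
wrap_support() {
    bin=$1
    if [ ! -f "$bin" ]; then
        echo "error: $bin is not a file" >&2
        return 2
    fi
    if ldd "$bin" 2>/dev/null | grep -q 'libwrap\.so'; then
        echo dynamic
    elif grep -q -F 'hosts.allow' "$bin"; then
        echo static
    else
        echo none
        return 1
    fi
}

# Report on every path given on the command line, for example:
#   sh wrapcheck.sh /usr/sbin/sshd /usr/sbin/httpd
for daemon in "$@"; do
    printf '%-24s %s\n' "$daemon" "$(wrap_support "$daemon")"
done
```

A result of `none` for a daemon means the firewall is the only control in front of it, so any host-based restriction has to come from the daemon's own configuration or from Shorewall.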
 
  

