TCP wrappers restrict access to localhost, specific hostnames or IP addresses and are commonly used, for example, for FTP and POP.
Take the example of SSH, which we use to tunnel into the server. Ideally you'd set up authentication keys to secure the port, as wpCop did in Setup SSH for Secure Server Login, but sometimes that's just not practicable. Add a simple directive to a couple of files, though, and the TCP wrapper takes immediate effect, denying all bar a chosen few.
Open up the deny file:
Add a line:
Now open up the allow file:
And add a line:
Following the colon in the allow file is the IP we want authorized. You can add a series of IPs, comma- or space-separated, or else use an IP subnet or hostnames.
Before the colon is the name of the daemon to which we want to restrict access, in this case the SSH daemon, sshd, that was reported in the netstat record (in Disable Daemons & Close Server Ports):
And that's it. Simple as that. (This is all getting far too easy.)
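How the deny and allow files combine, as an added example that is not from the original article: a small Python model of a subset of the hosts_access(5) matching rules (IPv4 only, `ALL` as the only wildcard, no hostnames). The file contents, addresses and function names are constructed for illustration.

```python
import ipaddress

# Constructed sample files; the addresses are documentation ranges, not the page's.
HOSTS_DENY = "sshd: ALL\n"
HOSTS_ALLOW = "# trusted admin hosts\nsshd: 203.0.113.10, 198.51.100.0/255.255.255.0\n"

def parse(text):
    """Return [(daemons, clients)] for each 'daemon_list : client_list' line."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        daemons, clients = line.split(":")[:2]   # any third field (options) is ignored
        rules.append((daemons.replace(",", " ").split(),
                      clients.replace(",", " ").split()))
    return rules

def client_matches(pattern, ip):
    """Match one client pattern against an IPv4 address string."""
    if pattern == "ALL":
        return True
    if pattern.endswith("."):                    # prefix form, e.g. "198.51.100."
        return ip.startswith(pattern)
    if "/" in pattern:                           # net/mask form
        net = ipaddress.ip_network(pattern, strict=False)
        return ipaddress.ip_address(ip) in net
    return pattern == ip                         # exact address

def decide(daemon, ip, allow_text=HOSTS_ALLOW, deny_text=HOSTS_DENY):
    """The allow file is checked first, then the deny file; no match grants access."""
    for verdict, text in (("allow", allow_text), ("deny", deny_text)):
        for daemons, clients in parse(text):
            if (daemon in daemons or "ALL" in daemons) and \
               any(client_matches(c, ip) for c in clients):
                return verdict
    return "allow"

if __name__ == "__main__":
    for daemon, ip in [("sshd", "203.0.113.10"), ("sshd", "198.51.100.77"),
                       ("sshd", "192.0.2.5"), ("vsftpd", "192.0.2.5")]:
        print(f"{daemon:7} {ip:15} -> {decide(daemon, ip)}")
```

The last case shows that a daemon with no entry in either file stays reachable, so each wrapped service needs its own deny line or a catch-all such as `ALL: ALL`.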
On a related note, let's spend a moment to Harden TCP-IP with a Stockier Network Stack. You'll be pleased to hear that this involves little more than a bit of copy-paste.