During teaching of a class this week, one of my students noticed that the vsftpd service was being denied by his TCP Wrapper rules in /etc/hosts.allow and /etc/hosts.deny, but that nothing was being logged into /var/log/messages. He then asked me if there was still a way for the TCP Wrapper to start a process as an option. I told him about both the spawn and twist options, and referred him the to the hosts_access and hosts_options man pages. After both of us experimenting a little bit, we came up with the solution that all allow rules should be in /etc/hosts.allow and that /etc/hosts.deny should look something like this:
ALL:ALL:spawn (logger TCP wrapper in /etc/hosts.deny denied %c access to %d)
With this rule, anything that gets denied will be logged by spawn starting the logger process in a subshell (thus the parentheses) and that it would report the client (%c) who was attempting to connect to the daemon (%d). Now, anytime a denial is suspected, the /var/log/messages file can be checked for a 'TCP Wrapper' message.