The TCP wrapper was designed and implemented by Wietse Venema during a massive assault on TU Eindhoven's Unix systems. A hacker was loose on various systems at the university, and the systems didn't really support access control or logging of his activities.
The wrapper, tcpd, can be used with any service that is started from inetd in nowait mode. The service is a program called by inetd; instead of calling the program directly, inetd is made to call tcpd, handing the actual program call as arguments. tcpd performs logging and access control as specified in the /etc/hosts.allow and/or /etc/hosts.deny configuration files, and then, if allowed, proceeds to call the real service.
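The lookup order tcpd applies to the two files decides what happens to a client that no rule mentions, so it is worth seeing in code. The following is an added example, not code from the TCP wrappers package: a simplified Python model of the check that covers only the ALL wildcard, leading-dot domain patterns, trailing-dot address prefixes and exact matches, for IPv4 clients. The daemon names, host names and addresses are constructed sample values.

```python
import re

def parse_rules(text):
    """Parse 'daemon_list : client_list' lines; '#' lines are comments."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        daemons, clients = line.split(":")[:2]   # optional 3rd field ignored
        rules.append((re.split(r"[\s,]+", daemons.strip()),
                      re.split(r"[\s,]+", clients.strip())))
    return rules

def client_matches(pattern, host, addr):
    """Subset of client patterns: ALL, .domain suffix, address prefix, exact."""
    if pattern == "ALL":
        return True
    if pattern.startswith("."):
        return host.lower().endswith(pattern.lower())
    if pattern.endswith("."):
        return addr.startswith(pattern)
    return pattern.lower() == host.lower() or pattern == addr

def file_matches(text, daemon, host, addr):
    """True if any rule in one file matches the (daemon, client) pair."""
    for daemons, clients in parse_rules(text):
        if daemon in daemons or "ALL" in daemons:
            if any(client_matches(p, host, addr) for p in clients):
                return True
    return False

def access_granted(allow_text, deny_text, daemon, host, addr):
    if file_matches(allow_text, daemon, host, addr):
        return True       # hosts.allow is consulted first
    if file_matches(deny_text, daemon, host, addr):
        return False      # then hosts.deny
    return True           # no match in either file: access is granted

# Constructed sample files (documentation addresses and names).
HOSTS_ALLOW = "in.telnetd : .example.org 192.0.2.\n"
HOSTS_DENY = "ALL : ALL\n"

if __name__ == "__main__":
    for d, h, a in [("in.telnetd", "ws1.example.org", "198.51.100.7"),
                    ("in.telnetd", "host.example.net", "203.0.113.9")]:
        print(d, h, a, access_granted(HOSTS_ALLOW, HOSTS_DENY, d, h, a))
```

With an empty or missing hosts.deny the final branch grants every client that hosts.allow does not name, which is why a catch-all deny entry such as the one in the sample is the usual way to get default-deny behaviour.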
The access control and logging functionality is a separate library, libwrap; some standalone daemons such as ssh can be compiled with libwrap to have the same functionality as tcpd-wrapped services; others, such as Apache, implement their own logging and access control instead, which is rather a waste of effort and trivia space in the brain.
The TCP wrappers package also comes with several daemons that have compiled-in support for tcpwrap access control and logging, and it provides a second type of access control for login(1)-based services. The configuration file for this is /etc/login.access. You have to replace the system's /bin/login with the one from this package in order for this to work.
A PAM module implementation for the TCP wrapper functionality is known, but not widely tested or used; this would make it more universally applicable.