To restrict who has access to which service, TCP wrappers are used to control which system has access to which service.
An access control file /etc/hosts.allow (or /etc/hosts.deny) contains a list of services, and a list of hosts/domains allowed (or denied) access to those services. Only hosts (and services) listed in /etc/hosts.allow are allowed execution by remote and local systems. A typical last line in the access crontrol file is
ALL : ALL : severity auth.crit : denywhich would deny access to all services/systems not mentioned prior to it.
/etc/hosts.deny would also typically have that same last line.
This allows us to greatly enhance our control on who has access to which service on which system.