Tcp wrappers add an additional layer of security. Tcp Wrappers use two files namely : /etc/hosts.allow and /etc/hosts.deny
hosts.allow file has precedence over hosts.deny . So it is a better idea to allow selectively in hosts.allow file and then deny all in the hosts.deny file.
sshd: ALL ( denys all hosts )
The log is available in authpriv file :