Understanding the /etc/hosts.allow and /etc/hosts.deny files in Linux


The /etc/hosts.allow and /etc/hosts.deny files are commonly used with SSH and TCP Wrappers.

To control which hosts are allowed or denied access to daemons on a Linux server, edit the /etc/hosts.allow and /etc/hosts.deny files on that server. Lines in these files use the following syntax:

daemon : clients


To allow clients in the subnet access to ALL daemons

One way to let any PC in the same subnet as the Linux machine communicate with every daemon on the Linux server is to add ALL: LOCAL to the /etc/hosts.allow file:

ALL: LOCAL


One limitation of the LOCAL option is that it only matches hostnames without a period, so a host such as example.hostname will not be allowed. Because of this, there are other ways to allow clients in the subnet. One method is to use the network address and prefix length of the LAN; with this form, hosts with a period in the hostname are allowed as well. For example, to allow all hosts in the 192.168.0.0/24 subnet:

ALL: 192.168.0.0/24


The same thing can also be expressed as an address prefix ending in a period:

ALL: 192.168.0.



To allow clients in the domain access to ALL daemons

To allow access to ALL daemons on the Linux server from computers that are members of the example.com domain, use the domain name. A single period must precede the domain name:

ALL: .example.com



To allow access to certain daemons

If only certain daemons should be reachable, list those daemons in the first field. For example, to allow access to only the FTP daemon from all computers that are members of the example.com domain:

in.ftpd: .example.com



To deny all

ALL: ALL in the /etc/hosts.deny file denies all clients access to all daemons on the server. It is important to recognize that /etc/hosts.allow is checked before /etc/hosts.deny. If ALL: ALL is used in /etc/hosts.deny, /etc/hosts.allow must contain an entry that grants access. If /etc/hosts.allow has no records and /etc/hosts.deny has ALL: ALL, no client will be able to connect to the server.

ALL: ALL



EXCEPT

For servers that only need to serve a few clients, the /etc/hosts.deny file can be configured with an exception list. In this example, ALL clients are denied except 192.168.0.2:

ALL: ALL EXCEPT 192.168.0.2
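As an added illustration that is not part of the original article, the following Python script models the tcpd evaluation order (hosts.allow first, then hosts.deny, then permit) and the patterns shown above (ALL, LOCAL, a leading-period domain, a trailing-period address prefix, a CIDR block and EXCEPT) over two constructed rule files, so an administrator can check what a given daemon/client pair would get before editing the real files. It is a simplification: it takes a single client string (address or hostname), whereas real tcpd checks both the address and the resolved name.

```python
from ipaddress import ip_address, ip_network

# Constructed sample rule files, not copied from any real system.
HOSTS_ALLOW = "sshd: 192.168.0.0/24\nin.ftpd: .example.com\nALL: LOCAL\n"
HOSTS_DENY = "ALL: ALL EXCEPT 192.168.0.2\n"

def pattern_matches(pattern, value, is_host):
    """Match one pattern against a daemon name or a client (IP or hostname)."""
    if pattern == "ALL":
        return True
    if not is_host:                    # daemon field: exact name only
        return pattern == value
    if pattern == "LOCAL":             # LOCAL = hostname without a period
        return "." not in value
    if pattern.startswith("."):        # .example.com = hostname suffix
        return value.endswith(pattern)
    if pattern.endswith("."):          # 192.168.0. = address prefix
        return value.startswith(pattern)
    if "/" in pattern:                 # 192.168.0.0/24 = CIDR block
        try:
            return ip_address(value) in ip_network(pattern, strict=False)
        except ValueError:             # value is a hostname, not an address
            return False
    return pattern == value            # exact host or address

def list_matches(field, value, is_host):
    """'a b EXCEPT c': match the left list unless the right list also matches."""
    wanted, _, excluded = field.partition(" EXCEPT ")
    hit = any(pattern_matches(p, value, is_host) for p in wanted.split())
    return hit and not any(pattern_matches(p, value, is_host) for p in excluded.split())

def file_matches(text, daemon, client):
    """True if any 'daemon_list : client_list' line in the file matches."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if ":" not in line:
            continue
        daemons, _, clients = line.partition(":")
        if (list_matches(daemons.strip(), daemon, False)
                and list_matches(clients.strip(), client, True)):
            return True
    return False

def access_allowed(daemon, client, allow=HOSTS_ALLOW, deny=HOSTS_DENY):
    """tcpd order: a hosts.allow match grants, else a hosts.deny match refuses,
    else access is granted by default."""
    if file_matches(allow, daemon, client):
        return True
    return not file_matches(deny, daemon, client)
```

With the sample files, smtpd from 192.168.0.2 is admitted only because of the EXCEPT clause in hosts.deny, while sshd from 10.0.0.9 is refused.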
