Understanding the /etc/hosts.allow and /etc/hosts.deny files in Linux

The /etc/hosts.allow and /etc/hosts.deny files are read by TCP Wrappers (libwrap). They apply only to services that pass through it: programs started by inetd or xinetd via tcpd, and daemons that are linked against libwrap. OpenSSH removed its libwrap support in version 6.7, so whether sshd still honours these files depends on how your distribution built it; running ldd on the sshd binary and looking for libwrap tells you. A listener that is not wrapped ignores these files entirely, so they complement a host firewall rather than replace it.

To control which hosts may talk to the daemons on a Linux server, edit /etc/hosts.allow and /etc/hosts.deny on that server. Each rule pairs a list of daemons with a list of clients; within a list, entries are separated by blanks or commas, and a line beginning with # is a comment (see hosts_access(5)). Lines in these files use the following syntax:

daemon : clients


To allow clients in the subnet access to ALL daemons

One way to allow hosts on the same LAN as the Linux machine to reach every daemon on it is to add the following to /etc/hosts.allow:

ALL: LOCAL

One problem with LOCAL is that it matches on the client's reverse-resolved name, and only when that name contains no dot. A client whose reverse DNS returns a fully qualified name such as example.hostname, or whose address has no reverse record at all, will not match LOCAL and will fall through to /etc/hosts.deny. The alternative is to match on the address rather than the name, which does not depend on DNS. hosts_access(5) documents a net/mask form, n.n.n.n/m.m.m.m, that matches any address whose bitwise AND with the mask equals the network; whether the shorter CIDR form (n.n.n.n/len) is accepted for IPv4 depends on how your distribution built tcp_wrappers, so check hosts_access(5) on the system itself before relying on it. A pattern that ends in a dot is a prefix match on the address, so every host in 192.168.0.0/24 can also be allowed with:

ALL: 192.168.0.


To allow clients in the domain access to ALL daemons

To allow access to ALL daemons on the Linux server from hosts in the example.com domain, use the domain name with a single period in front of it; the pattern then matches any client whose reverse-resolved name ends in .example.com. libwrap also cross-checks that a forward lookup of that name returns the client's address and, on a mismatch, logs a warning and does not use the name for matching, so this rule depends on the domain's DNS being consistent in both directions.

ALL: .example.com


To allow access to certain daemons

If only certain daemons should be reachable, list them in the first field. The name to use is the daemon's process name (the basename of its argv[0]), for example in.ftpd, sshd or vsftpd. To allow access to only the FTP daemon from all hosts in the example.com domain:

in.ftpd: .example.com


To deny all

ALL: ALL in /etc/hosts.deny refuses every client access to every wrapped daemon. The evaluation order matters: /etc/hosts.allow is searched first, and the first matching rule grants access; only if nothing in /etc/hosts.allow matches is /etc/hosts.deny searched, where the first matching rule refuses access; if neither file matches, access is granted. That default is why a pair of empty files allows everything, and why ALL: ALL in /etc/hosts.deny must be paired with explicit entries in /etc/hosts.allow: if /etc/hosts.allow has no records and /etc/hosts.deny has ALL: ALL, nobody can connect to any wrapped service. The files are re-read on every connection, so a bad edit does not drop the session you are editing from but will refuse the next one; before logging out, check the files with tcpdchk (syntax) and tcpdmatch, for example tcpdmatch sshd 192.168.0.10, which prints the rule that matched and the verdict without involving the daemon.




For servers that only need to serve a few clients, /etc/hosts.deny can carry the exception list itself: ALL: ALL EXCEPT followed by the clients that are permitted, so that everything is refused except those listed.

You could also use a hostname instead of an IP address. When using a hostname, the reverse lookup of the connecting client's IP address must return that name; libwrap matches name patterns against the reverse-resolved name, not against a forward lookup of www.example.com, so a client whose address reverse-resolves to something else (an ISP's generic name, say) will not match the exception and will be refused (thanks Jim Lebeau - see comments below). Because a name match rests on DNS data outside your control, prefer addresses or net/mask pairs for anything security-relevant.

ALL: ALL EXCEPT www.example.com
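To make the matching rules and the evaluation order concrete, here is a small Python model of the hosts_access(5) decision. It is an added illustration written for this article, not libwrap's own code. It covers the patterns used above (ALL, LOCAL, a leading-dot domain suffix, a trailing-dot address prefix, a net/mask pair and EXCEPT) and the allow-then-deny order, and evaluates a constructed hosts.allow/hosts.deny pair against made-up clients. Every address, hostname and daemon name in it is an assumption for the illustration; netgroups, KNOWN/UNKNOWN/PARANOID, daemon@host patterns and the optional shell-command field are deliberately not modelled, and it accepts the CIDR net/len form only because Python's ipaddress module does, not because every tcp_wrappers build does. On a real server, tcpdmatch(8) is the tool to ask the same questions of the actual files.

```python
"""Model of the tcp_wrappers hosts_access(5) decision (added illustration,
not libwrap's code). Unmodelled: netgroups, KNOWN/UNKNOWN/PARANOID,
daemon@host patterns and the optional shell-command field."""
import ipaddress

UNKNOWN = "unknown"  # libwrap's placeholder name when reverse DNS fails

# Constructed sample policy; all addresses and names are assumptions.
HOSTS_ALLOW = """
# ssh from the LAN (documented net/mask form) or from anything under example.com
sshd : 192.168.0.0/255.255.255.0, .example.com
# ftp only from hosts whose reverse-resolved name has no dot
in.ftpd : LOCAL
"""
HOSTS_DENY = """
# everything else is refused, except the web server
ALL : ALL EXCEPT www.example.com
"""


def _tokens(field):
    """List fields are separated by blanks and/or commas."""
    return field.replace(",", " ").split()


def parse_rules(text):
    """Return [(daemon_tokens, client_tokens, except_tokens), ...] in file order."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # '#' starts a comment
        if not line:
            continue
        fields = line.split(":")
        if len(fields) < 2:
            raise ValueError("need 'daemon_list : client_list': %r" % raw)
        clients, excepts = _tokens(fields[1]), []
        if "EXCEPT" in clients:  # list_1 EXCEPT list_2
            i = clients.index("EXCEPT")
            clients, excepts = clients[:i], clients[i + 1:]
        rules.append((_tokens(fields[0]), clients, excepts))
    return rules


def _string_match(tok, s):
    """ALL, leading-dot suffix, trailing-dot prefix, or exact (case-insensitive)."""
    tok, s = tok.lower(), s.lower()
    if tok == "all":
        return True
    if tok.startswith("."):  # .example.com matches host.example.com
        return len(s) > len(tok) and s.endswith(tok)
    if tok.endswith("."):  # 192.168.0. matches 192.168.0.x
        return s.startswith(tok)
    return tok == s


def _host_match(tok, addr, name):
    """One client pattern against the client's address and reverse-resolved name."""
    if tok.upper() == "LOCAL":
        # A *known* name with no dot: example.hostname and unresolvable clients fail.
        return name != UNKNOWN and "." not in name
    if "/" in tok:  # net/mask; net/len is accepted here but not by every build
        try:
            return ipaddress.ip_address(addr) in ipaddress.ip_network(tok, strict=False)
        except ValueError:
            return False
    return _string_match(tok, name) or _string_match(tok, addr)


def _rules_match(rules, daemon, addr, name):
    """First rule whose daemon list and client list (minus the EXCEPT list) match."""
    for daemons, clients, excepts in rules:
        if not any(_string_match(d, daemon) for d in daemons):
            continue
        if any(_host_match(t, addr, name) for t in clients) and not any(
            _host_match(t, addr, name) for t in excepts
        ):
            return True
    return False


def hosts_access(daemon, addr, name=UNKNOWN, allow=HOSTS_ALLOW, deny=HOSTS_DENY):
    """True if the client may reach daemon, in the documented order: first match in
    hosts.allow grants, else first match in hosts.deny refuses, else access is
    granted (so two empty files allow everything)."""
    if _rules_match(parse_rules(allow), daemon, addr, name):
        return True
    if _rules_match(parse_rules(deny), daemon, addr, name):
        return False
    return True


if __name__ == "__main__":
    cases = [  # (daemon, address, reverse-resolved name), all made up
        ("sshd", "192.168.0.10", UNKNOWN),  # LAN address, no reverse record
        ("sshd", "10.0.0.5", "dev.example.com"),  # domain suffix
        ("in.ftpd", "192.168.0.11", "laptop"),  # LOCAL
        ("in.ftpd", "192.168.0.12", "example.hostname"),  # LOCAL pitfall: dotted name
        ("in.ftpd", "192.168.0.13", UNKNOWN),  # LOCAL needs a known name
        ("in.telnetd", "203.0.113.9", "www.example.com"),  # EXCEPT rescues it
        ("in.telnetd", "203.0.113.9", "cache.isp.example"),  # refused
    ]
    for d, a, n in cases:
        verdict = "allow" if hosts_access(d, a, n) else "deny"
        print("%-11s %-14s %-18s -> %s" % (d, a, n, verdict))
```

The two in.ftpd cases from 192.168.0.12 and 192.168.0.13 are the LOCAL pitfall described above: the address is on the LAN, but a dotted or unresolvable reverse name means the allow rule never matches and the client falls through to the ALL: ALL deny. Passing allow="" and deny="ALL: ALL" to hosts_access reproduces the lockout described under "To deny all".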



November 5th, 2018 by Jim Lebeau
ALL: ALL EXCEPT server.yourdomain.net will not work unless the reverse DNS of your IP address is server.yourdomain.net and not bleeblah.sbc.net

November 6th, 2018 by Jeremy (moderator)
Thanks for sharing this Jim. I've updated this article to include what you have shared.

March 8th, 2019 by Jonesy
ALL: I do not believe CIDR notation can be used in /etc/hosts.allow. Use ALL: 192.168.0. instead. Note the trailing blank. Too, /etc/hosts.deny is deprecated. It _ALL_ goes in /etc/hosts.allow now.

March 8th, 2019 by Jeremy (moderator)
I'm pretty sure both ALL: and ALL: 192.168.0. are valid. I've been using ALL: in my LAN for years and it seems to work without issue.

Web design by yours truly - me, myself, and I   |   jeremy.canfield@freekb.net