The /etc/hosts.allow and /etc/hosts.deny files are commonly used with SSH and TCP Wrappers.
To control hosts that are allowed or denied access to communicate with deamons on a Linux server, you will modify the /etc/hosts.allow and /etc/hosts.deny files on the server. Lines in these files use the following syntax:
deamon : clients
To allow clients in the subnet access to ALL deamons
One way to allow any PCs in the same subnet as the Linux machine to communicate with every deamon on the Linux server, add ALL: LOCAL to the /etc/hosts.allow file,
One problem with the LOCAL option is that hosts that have a period in the hostname, such as example.hostname, will not be allowed. Due to this issue, there are other ways to allow clients in the subnet. One method is to use the IP address and prefix of the LAN. When using the IP address and prefix of the LAN, hosts with a period in the hostname will be allowed. For example, to allow all hosts in the 192.168.0.0/24 subnet:
This could also be accomplished with the following:
To allow clients in the domain to ALL deamons
To allow access to ALL deamons on the Linux server from computers that are members of the example.com domain, use the domain name. A single period must precede the domain name.
To allow access to certain deamons
If there are only certain deamons you want to grant access to, you would list the deamons in the first field. For example, to allow access to only the FTP deamon from all computers that are members of the example.com domain:
To deny all
ALL: ALL in the /etc/hosts.deny file will deny all clients access to all daemons on the server. It is important to recognize that the /etc/host.allow is checked before /etc/host.deny. If ALL: ALL is used in /etc/hosts.deny, it is important that /etc/hosts.allow has an entry to allow access. If /etc/hosts.allow has not records, and /etc/host.deny has ALL: ALL, no users would be able to connect to the server.
For servers that only need to server a few clients, the /etc/hosts.deny file can be configured with an exception list. In this example, ALL are denied except for 192.168.0.2.
ALL: ALL EXCEPT 192.168.0.2
You could also use a hostname instead of an IP address. When using a hostname, your DNS server's reverse lookup will need to be able to resolve www.example.com to an IP address (thanks Jim Lebeau - see comments below).
ALL: ALL EXCEPT www.example.com
Add a Comment
November 5th, 2018 by Jim Lebeau
November 6th, 2018 by Jeremy (moderator)