
The /etc/hosts.allow and /etc/hosts.deny files are commonly used with SSH and TCP Wrappers.
To control which hosts are allowed or denied access to the daemons on a Linux server, edit the /etc/hosts.allow and /etc/hosts.deny files on that server. Lines in these files use the following syntax:
daemon : clients
To allow clients in the subnet access to ALL daemons
One way to allow any PCs in the same subnet as the Linux machine to communicate with every daemon on the Linux server is to add ALL: LOCAL to the /etc/hosts.allow file:
ALL: LOCAL
One problem with the LOCAL option is that it only matches hostnames without a period, so a host such as example.hostname will not be allowed. Because of this, there are other ways to allow clients in the subnet. One method is to use the IP address and prefix of the LAN; with this form, hosts with a period in the hostname will also be allowed. For example, to allow all hosts in the 192.168.0.0/24 subnet:
ALL: 192.168.0.0/24
This could also be accomplished with the following:
ALL: 192.168.0.
To allow clients in the domain access to ALL daemons
To allow access to ALL daemons on the Linux server from computers that are members of the example.com domain, use the domain name. A single period must precede the domain name.
ALL: .example.com
To allow access to certain daemons
If there are only certain daemons you want to grant access to, list those daemons in the first field. For example, to allow access to only the FTP daemon from all computers that are members of the example.com domain:
in.ftpd: .example.com
To deny all
ALL: ALL in the /etc/hosts.deny file will deny all clients access to all daemons on the server. It is important to recognize that /etc/hosts.allow is checked before /etc/hosts.deny. If ALL: ALL is used in /etc/hosts.deny, /etc/hosts.allow must contain an entry that allows access. If /etc/hosts.allow has no records and /etc/hosts.deny has ALL: ALL, no users would be able to connect to the server.
ALL: ALL
EXCEPT
For servers that only need to serve a few clients, the /etc/hosts.deny file can be configured with an exception list. In this example, ALL are denied except for 192.168.0.2.
ALL: ALL EXCEPT 192.168.0.2
You could also use a hostname instead of an IP address. When using a hostname, your DNS server's reverse lookup must be able to resolve www.example.com to an IP address (thanks Jim Lebeau).
ALL: ALL EXCEPT www.example.com
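The following is an added example, not part of the original article or of TCP Wrappers itself: a small Python model of how the rules above are evaluated (hosts.allow first, then hosts.deny, default allow), with the ALL, LOCAL, .domain, address-prefix, CIDR and EXCEPT forms. The two file contents are constructed for the example; real TCP Wrappers also performs the DNS lookups, so the hostname is passed in here as an assumption.

```python
import ipaddress

# Constructed sample files for this example (not a real server's configuration).
HOSTS_ALLOW = "ALL: LOCAL\nin.ftpd: .example.com\nsshd: 192.168.0.\n"
HOSTS_DENY = "ALL: ALL EXCEPT 192.168.0.2\n"

def parse(text):
    """Turn hosts.allow/hosts.deny text into (daemons, clients, exceptions) rules."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        daemons, clients = (f.strip() for f in line.split(":", 1))
        clients, _, excepted = clients.partition(" EXCEPT ")  # EXCEPT in client list only
        rules.append((daemons.split(), clients.split(), excepted.split()))
    return rules

def client_matches(pattern, ip, hostname):
    """Client patterns from hosts_access(5) used in the article (simplified)."""
    if pattern == "ALL":
        return True
    if pattern == "LOCAL":                 # only hostnames without a period
        return "." not in hostname
    if pattern.startswith("."):            # .example.com: any host in that domain
        return hostname.endswith(pattern)
    if "/" in pattern:                     # 192.168.0.0/24 CIDR form
        return ipaddress.ip_address(ip) in ipaddress.ip_network(pattern, strict=False)
    if pattern.endswith("."):              # 192.168.0. address-prefix form
        return ip.startswith(pattern)
    return pattern in (ip, hostname)       # literal address or hostname

def rule_matches(rule, daemon, ip, hostname):
    """A rule applies when its daemon list and client list match, minus EXCEPT entries."""
    daemons, clients, excepted = rule
    if daemon not in daemons and "ALL" not in daemons:
        return False
    hit = any(client_matches(p, ip, hostname) for p in clients)
    return hit and not any(client_matches(p, ip, hostname) for p in excepted)

def access_allowed(daemon, ip, hostname, allow=HOSTS_ALLOW, deny=HOSTS_DENY):
    """hosts.allow is checked first, then hosts.deny; no match in either means allow."""
    if any(rule_matches(r, daemon, ip, hostname) for r in parse(allow)):
        return True
    return not any(rule_matches(r, daemon, ip, hostname) for r in parse(deny))
```

With these files, a client whose hostname contains a period (printer.lan) is not covered by LOCAL and falls through to the deny rule, which is the caveat described above.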