Linux hosts.allow and hosts.deny To Control Network Access – POFTUT

Linux hosts.allow and hosts.deny To Control Network Access

Linux have different type of perimeters to restrict and control network access. hosts.allow and hosts.deny files are one way of those. The TCP wrapper, ssh, ftp applications generally use rules provided in this configuration files. We will look different usage types and examples for hosts.allow and hosts.deny files in this tutorial

These rules describes simple access control language based client host name, address, user name and server process name, host name and address patterns.


As we know rules are inserted info files. Here is the rule syntax



$ man hosts.allow

Work Precedence

While using rules in files host.allow and hosts.deny there are some precedence. The following flow is executed.

  1. Look hosts.allow
  2. If match allow and exit
  3. Look hosts.deny
  4. If match deny if not allow


To allow applications, hosts to use servers services Allow rules are used. These Allow rules are placed into hosts.allow file. In the example we allow all hosts in the to use servers all ports and services.

ALL: 192.168.


To deny hosts and applications we will use Deny rules. Deny rules are places into hosts.deny . In the example we will deny all hosts to connect and use servers services. But keep in mind in the previous example we have allowed some networks and other than these networks will not be able to use servers services.



In the time there will be a lot of rules in the hosts files. They may become unmanageable if we do not put some notes or comments about the rules. Comments can be put with # sign. In the example we write some note about rules

# Home users
ALL: 192.168.

#Delete this 30.03.2017


While using rules about Allow and Deny these actions may need to logged. Logs will be generated with spawn mechanism. Spawn is use to create new process if specified rule matched. In the example we will generate a log which contain current date if a host from tries to access vsftpd service.

vsftpd:172.16. :spawn /bin/echo '/bin/date' access denied >> /var/log/vsftpd:deny

Define Multiple Hosts

There is also support for multiple hosts. We can define multiple hosts by separating them with commas. In the example we will define 2 host names, 1 IP address and 1 network.

ALL:,,, 10.5.
  •, are host names
  • is a single IP address
  • 10.5. specifies network in CIDR presentation
LEARN MORE  Router vs Modem What Is Different and What Is The Same?

Except Definition

We can define NOT logic in rules. Generally IP address or network ranges are used with this logic. We put ALL EXCEPT as a prefix to the related IP address or network range to exclude. In this example we will define all hosts except


Leave a Comment