Linux hosts.allow and hosts.deny To Control Network Access
Linux has different kinds of perimeters for restricting and controlling network access, and the hosts.allow and hosts.deny files are one of them. TCP wrapper aware services such as ssh and ftp daemons generally use the rules provided in these configuration files. In this tutorial we will look at the different ways to use hosts.allow and hosts.deny, with examples.
These files describe a simple access control language based on the client host name or address, the user name, the server process name, and host name or address patterns.
Rules are written into the files one per line. The full rule syntax is documented in the manual page:
$ man hosts.allow
When rules are placed in hosts.allow and hosts.deny there is a precedence between the two files. The following flow is executed:
- If a rule in hosts.allow matches, access is granted and evaluation stops.
- Otherwise, if a rule in hosts.deny matches, access is denied.
Allow rules are used to let hosts and applications use the server's services. They are placed in the hosts.allow file. In the example we allow all hosts in 192.168.0.0/16 to use all of the server's ports and services.
Deny rules are used to block hosts and applications, and they are placed in hosts.deny. In the example we deny all hosts from connecting to and using the server's services. Keep in mind that in the previous example we allowed some networks; because hosts.allow is checked first, those networks keep their access, and hosts outside them will not be able to use the server's services.
Over time there will be many rules in the hosts files, and they become unmanageable if we do not put notes or comments about the rules. Comments start with the # sign. In the example we write some notes about the rules:
# Home users
#Delete this 30.03.2017
Rule matches for Allow and Deny may need to be logged. Logs are generated with the spawn mechanism: spawn starts a new process when the rule it belongs to matches. In the example we generate a log line containing the current date when a host from 172.16.0.0/24 tries to access the vsftpd service. The date must be produced by command substitution, not quoted as a literal string, and the rule's fields are separated by colons:
vsftpd: 172.16. : spawn /bin/echo "$(/bin/date) access denied" >> /var/log/vsftpd.deny
Define Multiple Hosts
Multiple hosts are also supported: separate them with commas. In the example we define 2 host names, 1 IP address and 1 network:
ALL: dns.poftut.com, mail.poftut.com, 22.214.171.124, 10.5.
dns.poftut.com and mail.poftut.com are host names
22.214.171.124 is a single IP address
10.5. specifies the network 10.5.0.0/16 in CIDR notation; a pattern ending in a dot matches every address that starts with it
NOT logic can also be used in rules, generally with IP addresses or network ranges. The ALL EXCEPT prefix is placed before the IP address or network range that should be excluded. In this example we define all hosts except the 10. network:
ALL: ALL EXCEPT 10.
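The precedence flow described earlier (hosts.allow first, then hosts.deny) and the client patterns from the last two sections (host names, exact addresses, trailing-dot network prefixes and ALL EXCEPT) are easiest to understand by evaluating some connections against sample files. The block below is an added example, not code from this tutorial and not the tcp_wrappers library itself: it is a plain Python simulator of that decision logic. The rule text is constructed; the `ALL: 192.168.` and `ALL: ALL` lines are assumed forms of the allow and deny examples the tutorial describes, and the spawn option is parsed but ignored. Two points worth checking with it: a pattern like `172.16.` matches the whole 172.16.0.0/16, not just a /24, and when neither file matches a connection tcp_wrappers allows it, which is why the deny file ends with `ALL: ALL`.

```python
"""Simulator of the hosts.allow / hosts.deny decision flow.

Added example, not code from the original tutorial and not the tcp_wrappers
library itself. It re-implements in plain Python the precedence described in
the tutorial (hosts.allow is consulted first, then hosts.deny, and if neither
file matches the connection is allowed) together with the client patterns the
tutorial uses: ALL, a host name, a ".domain" suffix, an exact IP address,
a "10.5." network prefix, and "ALL EXCEPT ...". Options such as spawn are
parsed but ignored. All rule text below is constructed sample data.
"""
from typing import Callable, List, Tuple

# Constructed sample files written in the syntax the tutorial uses.
HOSTS_ALLOW = """
# Home users
ALL: 192.168.
ALL: dns.poftut.com, mail.poftut.com, 22.214.171.124, 10.5.
sshd: ALL EXCEPT 10.
"""

HOSTS_DENY = """
vsftpd: 172.16. : spawn /bin/echo "$(/bin/date) access denied" >> /var/log/vsftpd.deny
ALL: ALL
"""


def parse_rules(text: str) -> List[Tuple[str, str]]:
    """Return (daemon_list, client_list) for each 'daemons : clients [: options]' line.

    Text after '#' is a comment, blank lines are skipped, and the option
    field (third and later colon-separated fields) is dropped by this simulator.
    """
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = [f.strip() for f in line.split(":")]
        if len(fields) < 2 or not fields[0] or not fields[1]:
            raise ValueError("malformed rule: %r" % raw)
        rules.append((fields[0], fields[1]))
    return rules


def _match_list(expr: str, matches: Callable[[str], bool]) -> bool:
    """Evaluate a comma/space separated list that may contain the EXCEPT operator.

    'a, b EXCEPT c' is true when a or b matches and c does not; a chain
    'a EXCEPT b EXCEPT c' groups as a EXCEPT (b EXCEPT c), as in hosts_access(5).
    """
    if " EXCEPT " in expr:
        left, right = expr.split(" EXCEPT ", 1)
        return _match_list(left, matches) and not _match_list(right, matches)
    return any(matches(token) for token in expr.replace(",", " ").split())


def _client_matches(pattern: str, host: str, addr: str) -> bool:
    """Match one client pattern against the connecting host name and address."""
    if pattern == "ALL":
        return True
    if pattern.startswith("."):      # ".poftut.com" matches every host in that domain
        return host.endswith(pattern)
    if pattern.endswith("."):        # "10.5." matches every address starting with it
        return addr.startswith(pattern)
    return pattern in (host, addr)   # exact host name or exact IP address


def hosts_access(daemon: str, host: str, addr: str,
                 allow_text: str = HOSTS_ALLOW, deny_text: str = HOSTS_DENY) -> Tuple[str, str]:
    """Decide access for one connection and report which rule decided it."""
    files = (("hosts.allow", allow_text, "allow"), ("hosts.deny", deny_text, "deny"))
    for name, text, verdict in files:
        for daemons, clients in parse_rules(text):
            if _match_list(daemons, lambda t: t in ("ALL", daemon)) and \
               _match_list(clients, lambda t: _client_matches(t, host, addr)):
                return verdict, "%s: %s : %s" % (name, daemons, clients)
    # Neither file matched: tcp_wrappers grants access by default, which is
    # why the tutorial closes hosts.deny with "ALL: ALL".
    return "allow", "no rule matched (default)"


if __name__ == "__main__":
    for daemon, host, addr in [("sshd", "pc1.home", "192.168.1.10"),
                               ("vsftpd", "pc2.lan", "172.16.5.9"),
                               ("sshd", "pc2.lan", "172.16.5.9"),
                               ("sshd", "box", "10.9.9.9"),
                               ("sshd", "mail.poftut.com", "203.0.113.5")]:
        print(daemon, addr, "->", hosts_access(daemon, host, addr))
```

Running the file prints one decision per sample connection. On a real host the tcpdmatch(8) tool from the tcp_wrappers package answers the same question against the live hosts.allow and hosts.deny, and is the right way to verify a rule set before relying on it.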