
In daily Linux system administration, we often need to control which hosts can access our services. Today, we will provide a detailed introduction to two powerful access control files, hosts.allow and hosts.deny, to enhance system security.
1. Introduction to hosts.allow and hosts.deny Files
These two files are configuration files for TCP Wrappers, used to control network service access permissions based on hostname or IP address. They act like the system’s “doorman”, deciding who can enter and who is turned away.
1.1 Working Principle
Their working principle is "allow first, deny later":
- First, hosts.allow is checked; if a rule matches, access is allowed
- Otherwise hosts.deny is checked; if a rule matches, access is denied
- If neither file matches, access is allowed by default
Within each file the search stops at the first matching rule, so the order of rules matters.
1.2 Configuration File Location and Syntax
The configuration file paths are usually located in the /etc/ directory:
# File paths
/etc/hosts.allow
/etc/hosts.deny
The basic syntax is as follows (service_list names the daemon process, e.g. sshd, vsftpd, smbd, and client_list is described in the next section):
service_list : client_list [: options]
1.3 Representation of Client List
| Type | Example | Description |
|---|---|---|
| Single IP | 192.168.1.100 | Matches a specific IP address. |
| IP Range | 192.168.1. | Matches the entire Class C range from 192.168.1.0 to 192.168.1.255 (note the trailing dot). |
| Domain Name | .example.com | Matches all hosts belonging to the example.com domain (note the leading dot). |
| Network/Mask | 192.168.1.0/255.255.255.0 | Specifies a network segment precisely using a subnet mask; equivalent to the IP-range form above. |
| Special Keywords | ALL (all), LOCAL (local host), KNOWN (known hosts), etc. | Predefined keywords for batch matching, very convenient. |
2. Practical Configuration Examples
2.1 SSH Access Control
Scenario: Only allow specific IPs to access SSH, deny all others
# Edit hosts.allow
echo "sshd : 192.168.1.100, 192.168.1.200" >> /etc/hosts.allow
# Edit hosts.deny
echo "sshd : ALL" >> /etc/hosts.deny
With this configuration, only 192.168.1.100 and 192.168.1.200 can connect to the server via SSH. Before closing your current session, verify from a second connection that you can still log in: a typo in either file locks out every other host.
2.2 Samba Share Access Control
Scenario: Allow internal network access to shares, deny external network
# hosts.allow configuration
echo "smbd : 192.168.1., 10.0.0." >> /etc/hosts.allow
echo "nmbd : 192.168.1., 10.0.0." >> /etc/hosts.allow
# hosts.deny configuration
echo "smbd : ALL" >> /etc/hosts.deny
echo "nmbd : ALL" >> /etc/hosts.deny
3. Comprehensive Security Configuration
A more refined control scheme is as follows:
# /etc/hosts.allow content
sshd : 192.168.1.100, .example.com
vsftpd : 192.168.1.
smbd : 192.168.1. EXCEPT 192.168.1.50
# /etc/hosts.deny content
ALL : ALL
This configuration indicates:
- SSH only allows 192.168.1.100 and hosts from the example.com domain
- FTP allows the 192.168.1.x network segment
- Samba allows the 192.168.1.x network segment but excludes 192.168.1.50
- All other services deny all access
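To see the allow-first, deny-later order from section 1.1, the client patterns from the table in 1.3 and the EXCEPT rule above actually decide a connection, here is an added shell model of that logic. It is example code written for this page, not tcpd and not part of the original article; it assumes only a POSIX sh with mktemp and tr. The two rule files are constructed copies of the section 3 rules plus one hypothetical httpd network/mask rule, and the client addresses are invented.

```shell
#!/bin/sh
# Added example (not part of the original article and not tcpd itself): a small
# POSIX-shell model of the hosts.allow / hosts.deny decision so the section 3
# rules can be dry-run offline. It covers the client patterns from the table in
# 1.3 (IP prefix, domain suffix, network/mask, ALL, LOCAL, KNOWN, EXCEPT) and
# ignores any options after the second colon. On a real host use tcpdmatch(8).

# Dotted quad -> 32-bit integer, used for the network/mask form.
ip2int() {
  oldifs=$IFS; IFS=.; set -- $1; IFS=$oldifs
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# match_client PATTERN IP HOST -> 0 if one pattern matches the client.
match_client() {
  case "$1" in
    ALL)   return 0 ;;
    LOCAL) case "$3" in ''|*.*) return 1 ;; *) return 0 ;; esac ;;  # name without a dot
    KNOWN) [ -n "$3" ] ;;                                           # name was resolved
    *.)    case "$2" in "$1"*) return 0 ;; esac; return 1 ;;        # 192.168.1.
    .*)    case "$3" in *"$1") return 0 ;; esac; return 1 ;;        # .example.com
    */*)   net=${1%/*}; mask=${1#*/}
           [ $(( $(ip2int "$2") & $(ip2int "$mask") )) -eq \
             $(( $(ip2int "$net") & $(ip2int "$mask") )) ] ;;
    *)     [ "$1" = "$2" ] || [ "$1" = "$3" ] ;;                    # exact address or name
  esac
}

# match_list LIST IP HOST -> 0 if a comma/space separated list matches,
# honouring "A EXCEPT B" (match A but not B).
match_list() {
  case "$1" in
    *" EXCEPT "*)
      match_list "${1%% EXCEPT *}" "$2" "$3" || return 1
      match_list "${1#* EXCEPT }" "$2" "$3" && return 1
      return 0 ;;
  esac
  for pat in $(printf '%s' "$1" | tr ',' ' '); do
    match_client "$pat" "$2" "$3" && return 0
  done
  return 1
}

# file_matches FILE SERVICE IP HOST -> 0 if any rule in FILE matches
# (first match wins, as hosts_access(5) describes).
file_matches() {
  while IFS= read -r line || [ -n "$line" ]; do
    case "$line" in ''|'#'*) continue ;; esac
    svc=$(printf '%s' "${line%%:*}" | tr -d ' ')
    rest=${line#*:}; clients=${rest%%:*}
    for s in $(printf '%s' "$svc" | tr ',' ' '); do
      if [ "$s" = ALL ] || [ "$s" = "$2" ]; then
        match_list "$clients" "$3" "$4" && return 0
      fi
    done
  done < "$1"
  return 1
}

# tcpd_decide SERVICE IP HOST ALLOW_FILE DENY_FILE -> prints ALLOW or DENY:
# hosts.allow first, then hosts.deny, and allow when neither matches.
tcpd_decide() {
  if file_matches "$4" "$1" "$2" "$3"; then echo ALLOW
  elif file_matches "$5" "$1" "$2" "$3"; then echo DENY
  else echo ALLOW
  fi
}

# Constructed sample files (temporary copies, never the real /etc files).
HOSTS_ALLOW=$(mktemp); HOSTS_DENY=$(mktemp)
trap 'rm -f "$HOSTS_ALLOW" "$HOSTS_DENY"' EXIT
cat > "$HOSTS_ALLOW" <<'EOF'
# constructed hosts.allow: the section 3 rules plus one network/mask rule
sshd : 192.168.1.100, .example.com
vsftpd : 192.168.1.
smbd : 192.168.1. EXCEPT 192.168.1.50
httpd : 10.0.0.0/255.255.255.0
EOF
cat > "$HOSTS_DENY" <<'EOF'
sshd, vsftpd, smbd : ALL
EOF

show() {
  printf '%-7s %-16s %-20s -> %s\n' "$1" "$2" "${3:-(unresolved)}" \
    "$(tcpd_decide "$1" "$2" "$3" "$HOSTS_ALLOW" "$HOSTS_DENY")"
}
show sshd  192.168.1.100 ""                  # ALLOW: exact address
show sshd  203.0.113.7   build.example.com   # ALLOW: domain suffix
show sshd  203.0.113.7   build.example.org   # DENY:  no allow rule, deny ALL
show smbd  192.168.1.50  ""                  # DENY:  carved out by EXCEPT
show smbd  192.168.1.77  ""                  # ALLOW: in 192.168.1. and not excepted
show httpd 10.0.0.9      ""                  # ALLOW: network/mask rule
show httpd 172.16.0.1    ""                  # ALLOW: no rule in either file
```

The model reads only the service name and client list of each rule and approximates LOCAL and KNOWN from the host name alone; on a real system, `tcpdmatch sshd 192.168.1.50` gives the authoritative answer for the installed files. The last probe is the one worth remembering when writing hosts.deny: a service that no rule mentions is open to everyone.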
4. Advanced Usage
4.1 Using Options to Execute Actions
Add the following content to the hosts.allow file (specific rules should be placed first, because the first matching rule in a file wins):
# Log and send email alerts; %h expands to the client host name (or address)
sshd : 192.168.1.100 : spawn /bin/echo "SSH login from %h" | mail -s "SSH Access Alert" [email protected]
# Show a custom message on denial: twist replaces the service with the given
# command, so the client sees the message and is then disconnected. No
# separate "deny" option is needed, and "deny" may only appear last in a rule.
sshd : 192.168.2. : twist /bin/echo "Sorry, your IP is not allowed to access the SSH service"
4.2 Time Limit Control
# Allow access only during working hours.
# TCP Wrappers has no built-in time-of-day option ("between" is not a valid
# option; an unknown option is treated as an error, not as a time window).
# Delegate the decision to a script with aclexec, listed in hosts_options(5)
# on distribution builds that include it: the connection is allowed only when
# the script exits 0. /usr/local/sbin/check_hours.sh is a hypothetical path.
sshd : 192.168.1. : aclexec /usr/local/sbin/check_hours.sh %a
To view logs, you can execute tail -f /var/log/secure (/var/log/auth.log on Debian-based systems).
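A working version of the time check for the aclexec rule above, as an added example: a hypothetical script written for this page, not from the original article or the tcp_wrappers project. It assumes the rule passes the client address with %a, that the script is installed at the path named in the rule and executable by root, and that the window is 09:00 up to (but not including) 17:00.

```shell
#!/bin/sh
# check_hours.sh (hypothetical path /usr/local/sbin/check_hours.sh): added
# example, not from the original article. Intended to be run by tcpd through
#   sshd : 192.168.1. : aclexec /usr/local/sbin/check_hours.sh %a
# tcpd substitutes the client address for %a and allows the connection only
# when this script exits 0. stdin/stdout/stderr are connected to /dev/null
# while it runs, so the outcome is reported with logger(1), not echo.

START_HOUR=9    # allow from 09:00 ...
END_HOUR=17     # ... up to, but not including, 17:00

# within_hours HH START END -> 0 when START <= HH < END.
# HH may carry a leading zero as printed by `date +%H`; strip it so that
# "08" and "09" are not parsed as (invalid) octal numbers.
within_hours() {
  h=${1#0}; h=${h:-0}
  [ "$h" -ge "$2" ] && [ "$h" -lt "$3" ]
}

# log_decision VERDICT CLIENT: write a syslog entry if logger is available.
log_decision() {
  if command -v logger >/dev/null 2>&1; then
    logger -p auth.info -t check_hours "$1 $2 (window ${START_HOUR}:00-${END_HOUR}:00)"
  fi
}

main() {
  client=${1:-unknown}
  now=$(date +%H)
  if within_hours "$now" "$START_HOUR" "$END_HOUR"; then
    log_decision allow "$client"; return 0
  fi
  log_decision deny "$client"; return 1
}

# Only decide when invoked with a client address, i.e. by tcpd; loading the
# file without arguments (for example to test within_hours) runs nothing.
if [ $# -gt 0 ]; then
  main "$@"; exit $?
fi
```

Because the rule is evaluated per connection, sessions already established before 17:00 are not cut off; the script only decides whether a new connection is accepted. The deny entries it logs are the audit trail for out-of-hours attempts.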
5. Considerations
1) Not all services support TCP Wrappers
TCP Wrappers is not a standalone service but a library file (<span>libwrap.so</span>). Any network service that wants to support access control via <span>hosts.allow</span>/<span>hosts.deny</span> must link this library at compile time. Use the <span>ldd</span> command to check if a service supports it:
ldd /usr/sbin/sshd | grep libwrap
For example, the output below shows that this sshd links libwrap, so access control can be implemented using hosts.allow and hosts.deny. If grep prints nothing, the rules are silently ignored for that service: upstream OpenSSH dropped libwrap support in version 6.7, and some distributions (RHEL 8 and later, for instance) no longer ship TCP Wrappers at all, so this check is worth repeating after every upgrade.
[root@myoracledb ~]# ldd /usr/sbin/sshd | grep libwrap
libwrap.so.0 => /lib64/libwrap.so.0 (0x00007f927c49e000)
[root@myoracledb ~]#
2) Configuration takes effect immediately
Changes take effect immediately without restarting the service, because libwrap re-reads both files for every new connection.
3) Priority Issues
If the service itself has access control (such as SSH's AllowUsers), that check applies in addition to the TCP Wrappers rules: a connection must pass both, so a host permitted in hosts.allow can still be refused by the service's own settings, and a host the service would accept is never reached if hosts.deny rejects it first.
6. Conclusion
hosts.allow and hosts.deny are the first line of defense for Linux system security, with simple configuration yet significant effects. Through reasonable configuration, we can:
✅ Prevent unauthorized hosts from accessing
✅ Reduce the risk of brute force attacks
✅ Achieve fine-grained access control
✅ Record access logs for auditing
