hosts.deny

hosts.deny is a configuration file used by TCP wrappers (libwrap) on Unix-like systems to control access to services that opt into TCP wrappers. It works in conjunction with the complementary file hosts.allow. Together, these files provide per-service access control by evaluating rules when a client attempts a connection to a wrapped service.

How it works: When a connection request arrives for a wrapped service, the system first checks hosts.allow for a matching rule. If a match is found, access is permitted. If not, the system then checks hosts.deny. A matching rule there denies access. If neither file contains a matching rule, the default behavior is to allow the connection. In practice, administrators often place broad deny rules in hosts.deny (for example, ALL: ALL) and then create specific allow rules in hosts.allow to permit trusted hosts or networks.

Format and syntax: Each line in hosts.deny defines a rule with two lists separated by a colon: a daemon (service) list and a client (host) list. The daemon list can name a single service or ALL, and the client list can include hostnames, IP addresses, networks (including CIDR notation), or ALL. Lines beginning with a hash (#) are comments. The file is designed to be simple and human-readable, but it only affects services compiled with TCP wrappers, and not all modern daemons support libwrap.

Limitations and notes: TCP wrappers and the hosts.allow/hosts.deny mechanism are considered legacy in many environments. Some services disable libwrap or rely on more advanced access controls. For comprehensive security, administrators often layer this with firewalls and other authentication mechanisms while using hosts.deny as an additional, service-specific filter.

Location: The common locations are /etc/hosts.allow and /etc/hosts.deny. See also TCP wrappers and libwrap.
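The decision order described above (hosts.allow first, then hosts.deny, then default allow) and the daemon-list / client-list syntax can be checked against a small evaluator. The following Python is an added example written for this page, not libwrap's own code: the two file bodies are constructed samples of the "ALL: ALL in hosts.deny, exceptions in hosts.allow" layout, and the matcher goes slightly beyond what the text spells out by also handling the libwrap leading-dot domain-suffix pattern (".example.com") and trailing-dot address-prefix pattern ("192.168."). It is IPv4-only and ignores the optional third colon-separated field of a real hosts_access(5) rule.

```python
import ipaddress

# Constructed sample files (not from the page): hosts.deny refuses everything,
# hosts.allow lists the specific exceptions that are evaluated first.
HOSTS_ALLOW = """\
# sshd reachable from the management network and one named admin host
sshd: 192.168.10.0/24, admin.example.com
# vsftpd reachable from a single address
vsftpd: 10.0.0.5
"""

HOSTS_DENY = """\
# Everything not explicitly allowed above is refused
ALL: ALL
"""


def parse_rules(text):
    """Return a list of (daemons, clients) pairs from hosts.allow/hosts.deny text.

    Each non-comment line is 'daemon_list : client_list'; list items may be
    separated by commas or whitespace. A third ':' field (libwrap options such
    as a shell command) is ignored here, and IPv6 bracket syntax is not handled.
    """
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):      # blank lines and comments
            continue
        fields = line.split(":")
        if len(fields) < 2:                        # malformed line: no client list
            continue
        daemons = fields[0].replace(",", " ").split()
        clients = fields[1].replace(",", " ").split()
        rules.append((daemons, clients))
    return rules


def client_matches(pattern, client_ip, client_name):
    """Match one client-list token against the connecting peer."""
    if pattern == "ALL":
        return True
    if "/" in pattern:
        # network/prefix (CIDR) or network/netmask form; both parse with ip_network
        try:
            return client_ip in ipaddress.ip_network(pattern, strict=False)
        except ValueError:
            return False                           # unparsable network never matches
    if pattern.startswith("."):
        # libwrap: leading dot matches any host name ending with that suffix
        return client_name is not None and client_name.lower().endswith(pattern.lower())
    if pattern.endswith("."):
        # libwrap: trailing dot matches any address starting with that prefix
        return str(client_ip).startswith(pattern)
    try:
        return client_ip == ipaddress.ip_address(pattern)   # literal address
    except ValueError:
        # not an address: treat as a host name and compare case-insensitively
        return client_name is not None and client_name.lower() == pattern.lower()


def rule_matches(rule, daemon, client_ip, client_name):
    daemons, clients = rule
    daemon_ok = any(d == "ALL" or d == daemon for d in daemons)
    return daemon_ok and any(client_matches(c, client_ip, client_name) for c in clients)


def hosts_access(daemon, client_addr, client_name=None,
                 allow_text=HOSTS_ALLOW, deny_text=HOSTS_DENY):
    """Apply the TCP wrappers decision order; return (decision, reason)."""
    ip = ipaddress.ip_address(client_addr)
    for rule in parse_rules(allow_text):
        if rule_matches(rule, daemon, ip, client_name):
            return ("allow", "hosts.allow")        # first hosts.allow match wins
    for rule in parse_rules(deny_text):
        if rule_matches(rule, daemon, ip, client_name):
            return ("deny", "hosts.deny")          # then first hosts.deny match denies
    return ("allow", "default")                    # no match in either file: allowed


if __name__ == "__main__":
    for daemon, addr, name in [("sshd", "192.168.10.42", None),
                               ("sshd", "203.0.113.7", None),
                               ("sshd", "198.51.100.9", "admin.example.com"),
                               ("vsftpd", "10.0.0.6", None)]:
        print(daemon, addr, name, "->", hosts_access(daemon, addr, name))
    # With an empty hosts.deny the same outside host is let in: the default is allow.
    print("sshd 203.0.113.7, empty hosts.deny ->",
          hosts_access("sshd", "203.0.113.7", deny_text=""))
```

The last line of the demonstration is the point worth remembering: removing or emptying hosts.deny does not "fail closed". Conversely, with ALL: ALL in place, a mistyped daemon name or network in hosts.allow silently turns into a lockout for that service, so a change to either file is best verified against the addresses you actually connect from before the session that made the change is closed.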