Open Source Software and Linux

Nov 3 2008   5:00PM GMT

Using hosts.allow and hosts.deny aka tcpwrappers effectively

John Little Profile: Xjlittle

The files /etc/hosts.allow and /etc/hosts.deny are the access-control configuration for tcpwrappers (the libwrap shared library, plus the tcpd program used to wrap inetd-style services). tcpwrappers only governs services that are linked against libwrap, so it complements rather than replaces iptables: used together they are an effective way of protecting your network and your individual servers.

The hosts.allow and hosts.deny files share the same fairly simple syntax. Both accept the wildcard ALL and the operator EXCEPT (the wildcards LOCAL, KNOWN, UNKNOWN and PARANOID documented in hosts_access(5) are also available). Each rule is one line made up of two or more colon-separated fields: daemon_list : client_list, followed by an optional third field for options. The first field contains a comma-separated list of daemon names. Note that this must be the name of the executable (the process name), not the service name from /etc/services, and it can contain the wildcards previously mentioned.

The second field contains a comma-separated list of client specifications: IP addresses, hostnames, networks written with a trailing dot (192.168.0.), domains written with a leading dot (.example.com) and network/netmask pairs (192.168.0.0/255.255.255.0). This field can also use ALL and EXCEPT. EXCEPT sits between two lists, list_1 EXCEPT list_2, and matches whatever matches the first list but not the second.

Executables that can be controlled by tcpwrappers are linked against the shared object library libwrap (libwrap.so). Determining whether an application is "eligible" to work with tcpwrappers therefore means finding out whether it links that library. To do so, issue a command like the following:

[root@centos5-dev ~]# strings `which sshd` | grep libwrap
libwrap.so.0

The soname libwrap.so.0 shows up, so sshd is linked against the library and we can use tcpwrappers to control access to the secure shell daemon. (ldd `which sshd` | grep libwrap gives the same answer.) If the grep prints nothing, the binary was built without tcpwrappers support and no entry in hosts.allow or hosts.deny will have any effect on it; in that case iptables is your only control for that service.

Now we need to make sure that we have the proper daemon name. Generally speaking this is simply the name of the executable, unless the daemon is run out of xinetd. In that case you must look in the service file under the /etc/xinetd.d directory. For instance, I have telnet set up to run under xinetd, and the server line in /etc/xinetd.d/telnet names the binary in.telnetd. That is the daemon name you would use in tcpwrappers: xinetd itself is linked against libwrap and performs the check using the basename of the service's server attribute (unless the service's libwrap attribute overrides it).

tcpwrappers first checks hosts.allow and then hosts.deny, and it stops at the first match. Therefore if a rule in hosts.allow matches in.telnetd and the connecting client, the machine will allow the telnet connection, even if a rule in hosts.deny would also have matched. If it doesn't find a matching rule in either of the tcpwrappers files, it will allow the connection. This is known as access "by fault of omission", meaning that the connection request meets no rule restrictions. Note that both files are read for every new connection, so changes made to either of them take effect immediately on new connections without restarting anything (sessions that are already established are not affected).

Once you have all of the allowed connections that you want in your hosts.allow file, you should then make the following entry in your hosts.deny:

ALL : ALL

By making this entry you ensure that you haven't missed anything and that only the services and clients mentioned in the hosts.allow file are going to be allowed; everything else is refused. Get the hosts.allow entries in place first, in particular the one for the local machine below, before adding this line.

Now that we have the basics down, let's take a look at making some entries in the hosts.allow file. Our first entry should be for our local machine. After all, we don't want to lock ourselves out of our own machine. This entry looks like this:

ALL : 127.0.0.1, [::1]

127.0.0.1 is the IPv4 loopback address and [::1] is the IPv6 loopback address; IPv6 addresses are written inside square brackets in these files. Listing both covers local connections whichever protocol they arrive over.

For our next entry let's use sshd. We've already checked above that sshd will use tcpwrappers, so now we must decide from which machines or networks we will allow ssh connections. If I am on the network I may want all of the machines on the network to be able to connect to my machine over ssh. In that case I would make an entry like the following:

sshd : 192.168.0.

Notice the dot at the end of the address. A trailing dot makes 192.168.0. a prefix that matches every address beginning with it, i.e. the whole 192.168.0.0/24 network; without the dot the string would be compared as a single address and would match nothing.

Using the same scenario, suppose I want all of the machines on the network to connect except for and . I would then make an entry like the following:

sshd : 192.168.0. EXCEPT,

I am now letting everyone on the network log in via ssh except for those two machines.
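To make the evaluation order and the client patterns concrete, here is an added example (not code from the original post or from the tcp_wrappers package): a small Python model of the hosts_access(5) decision, fed the kinds of entries built up above, plus the xinetd lookup from the telnet paragraph. The two excepted hosts 192.168.0.5 and 192.168.0.6, the .corp.example domain, the client names and the xinetd service text are constructed sample data.

```python
"""Toy model of tcpwrappers hosts.allow / hosts.deny evaluation (added example)."""
import ipaddress
import os

# Constructed sample files mirroring the entries discussed in the post.
HOSTS_ALLOW = """\
ALL : 127.0.0.1, [::1]
sshd : 192.168.0. EXCEPT 192.168.0.5, 192.168.0.6
in.telnetd : .corp.example
"""
HOSTS_DENY = "ALL : ALL\n"

# Constructed /etc/xinetd.d/telnet; tcpwrappers sees the basename of 'server'.
XINETD_TELNET = """\
service telnet
{
        socket_type     = stream
        wait            = no
        user            = root
        server          = /usr/sbin/in.telnetd
        log_on_failure  += USERID
        disable         = no
}
"""


def split_fields(line):
    """Split a rule on ':' without breaking bracketed IPv6 literals like [::1]."""
    fields, buf, depth = [], "", 0
    for ch in line:
        depth += (ch == "[") - (ch == "]")
        if ch == ":" and depth == 0:
            fields.append(buf.strip())
            buf = ""
        else:
            buf += ch
    fields.append(buf.strip())
    return fields


def parse_rules(text):
    """Return (daemon_list, client_list) pairs; comments, blanks and options are ignored."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = split_fields(line)
        if len(fields) < 2:
            raise ValueError("malformed rule: %r" % line)
        rules.append((fields[0], fields[1]))
    return rules


def match_client(tok, name, addr):
    """One hosts_access(5) client pattern against the client's name and address."""
    if tok == "ALL":
        return True
    if tok == "LOCAL":                  # any hostname without a dot
        return "." not in name
    if tok.startswith("."):             # leading dot: domain suffix match
        return name.lower().endswith(tok.lower())
    if tok.endswith("."):               # trailing dot: IPv4 prefix match
        return addr.startswith(tok)
    if "/" in tok:                      # n.n.n.n/m.m.m.m or [net]/prefixlen
        net, mask = tok.split("/", 1)
        network = ipaddress.ip_network("%s/%s" % (net.strip("[]"), mask), strict=False)
        return ipaddress.ip_address(addr) in network
    if tok.startswith("["):             # bracketed IPv6 address
        return ipaddress.ip_address(tok.strip("[]")) == ipaddress.ip_address(addr)
    return tok.lower() == name.lower() or tok == addr


def match_list(spec, item_matches):
    """Evaluate 'list_1 EXCEPT list_2'; EXCEPT nests to the right as in hosts_access(5)."""
    head, sep, rest = spec.partition(" EXCEPT ")
    hit = any(item_matches(t) for t in head.replace(",", " ").split())
    return hit and not (sep and match_list(rest, item_matches))


def hosts_access(daemon, client_name, client_addr, allow_text=HOSTS_ALLOW, deny_text=HOSTS_DENY):
    """hosts.allow first, then hosts.deny, first match wins; no match at all means allow."""
    for fname, text, verdict in (("hosts.allow", allow_text, True),
                                 ("hosts.deny", deny_text, False)):
        for daemons, clients in parse_rules(text):
            if (match_list(daemons, lambda t: t == "ALL" or t == daemon)
                    and match_list(clients, lambda t: match_client(t, client_name, client_addr))):
                return verdict, "%s: %s : %s" % (fname, daemons, clients)
    return True, "no matching rule (allowed by omission)"


def xinetd_daemon_name(service_text):
    """Daemon name for an xinetd service: basename of its 'server' attribute
    (xinetd's 'libwrap' attribute can override this)."""
    for line in service_text.splitlines():
        key, _, value = line.strip().partition("=")
        if key.strip() == "server":
            return os.path.basename(value.strip())
    raise ValueError("no server attribute found")


if __name__ == "__main__":
    print("xinetd telnet daemon name:", xinetd_daemon_name(XINETD_TELNET))
    for d, n, a in [("sshd", "ws10.corp.example", "192.168.0.10"),
                    ("sshd", "ws5.corp.example", "192.168.0.5"),
                    ("sshd", "localhost", "::1"),
                    ("in.telnetd", "bob.corp.example", "10.1.1.1"),
                    ("in.telnetd", "mallory.example.net", "10.1.1.2")]:
        print(d, a, hosts_access(d, n, a))
```

Run it as is to see the decisions; pass an empty string as deny_text to hosts_access to watch a client that matches nothing being allowed "by omission", which is exactly why the ALL : ALL entry in hosts.deny matters. The model ignores the options field and the KNOWN/UNKNOWN/PARANOID wildcards, since those depend on live DNS lookups; on a real box the authoritative check is tcpdmatch(8), e.g. tcpdmatch sshd 192.168.0.5.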

This should help you get started in locking down your machines so that only the services you want are allowed. Don’t forget that you can use hostnames and leading dot domains such as

