Linux: hosts.allow, hosts.deny - how do I allow all except hosts mentioned in hosts.deny
Solution 1
You've got it backwards.
It should be like this:
someport : somehost
The syntax is actually more expressive than this: the port and the hosts can be lists, and the port can instead be specified by daemon name instead of port number, for example. Your system ought to have documentation for the format of the file.
And you're right about hosts.allow: it should be empty, as the default action is to accept.
Solution 2
You can also use the extended format described in hosts_options(5) and use /etc/hosts.allow only.
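To make the evaluation order concrete (hosts.allow is consulted first and a match grants; then hosts.deny, where a match denies; no match means access), here is a small Python model of that decision, with the allow/deny keywords from hosts_options(5) that Solution 2 refers to. This is an added example, not code from either answer or from tcp_wrappers itself; `someport` and `somehost` are the question's placeholders (the first field is the daemon/service name), and host matching is simplified to exact names, leading-dot domain suffixes and trailing-dot address prefixes.

```python
def _split_list(field):
    return field.replace(",", " ").split()

def _parse(text):
    """Return (daemon_list, client_list, options) for each non-comment rule."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = [f.strip() for f in line.split(":")]
        if len(fields) < 2:
            raise ValueError(f"malformed rule: {raw!r}")
        options = [f.lower() for f in fields[2:]]  # hosts_options(5) extensions
        rules.append((_split_list(fields[0]), _split_list(fields[1]), options))
    return rules

def _matches(tokens, value):
    # "a EXCEPT b" matches a unless b matches; chains nest rightwards as in hosts_access(5).
    if "EXCEPT" in tokens:
        i = tokens.index("EXCEPT")
        return _matches(tokens[:i], value) and not _matches(tokens[i + 1:], value)
    for tok in tokens:
        if tok == "ALL" or tok == value:
            return True
        if tok.startswith(".") and value.endswith(tok):  # ".example.com" suffix
            return True
        if tok.endswith(".") and value.startswith(tok):  # "192.168." prefix
            return True
    return False

def hosts_access(allow_text, deny_text, daemon, client):
    """True if client may reach daemon: hosts.allow first (match grants),
    then hosts.deny (match denies), otherwise access is granted."""
    for rules, verdict in ((_parse(allow_text), True), (_parse(deny_text), False)):
        for daemons, clients, options in rules:
            if _matches(daemons, daemon) and _matches(clients, client):
                if "allow" in options:  # explicit keyword overrides the file's verdict
                    return True
                if "deny" in options:
                    return False
                return verdict
    return True

# The question's files: ALL:ALL in hosts.allow matches first, so hosts.deny is never consulted.
BROKEN_ALLOW, BROKEN_DENY = "ALL:ALL\n", "somehost:someport\n"
# Solution 1: empty hosts.allow; daemon field first, then client, in hosts.deny.
FIXED_ALLOW, FIXED_DENY = "", "someport : somehost\n"
# Solution 2: hosts.allow only, with the hosts_options(5) allow/deny keywords.
OPTIONS_ALLOW = "someport : somehost : deny\nALL : ALL : allow\n"
```

Note that a real tcp_wrappers check only happens for services that are actually linked against libwrap or started through tcpd, which is the other reason a correct file can appear to have no effect.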
Updated on September 17, 2022

Comments
- Admin almost 2 years:
How do I configure hosts.allow and hosts.deny to allow all connections from all hosts except for some hosts/ports specified in hosts.deny?
This is what I have now in these files:
hosts.allow:
ALL:ALL
hosts.deny:
somehost:someport
I want to allow all connections except for somehost:someport, but the above configuration does not work.
EDIT:
Well, I found out in this case hosts.allow should be an empty file, but it's still allowing connections on someport...
- symcbean over 13 years: The hosts.allow/deny stuff only works for servers linked to tcpwrappers. If you don't know if that's the case for your server, try blocking everything and see if you can still connect.
- baronleaky over 13 years: I now have my hosts.allow file empty and a someport:ALL line in hosts.deny - but it still allows connections on someport - I don't know what's wrong now?
- baronleaky over 13 years: BTW I straced inetd, and tcpd opens and reads the contents of the hosts.deny file when something tries connecting on someport.
- mattdm over 13 years: I think this is the best approach. Put ALL:ALL in hosts.deny, and make exceptions in hosts.allow. In this case (allow most everything), that means starting with a really large exception -- but that's okay.