
ITS UNIX Systems

Editing hosts.allow and hosts.deny Files

To restrict access to your Unix or Linux machine, you must modify the /etc/hosts.allow and /etc/hosts.deny files. These files are read by tcpd (TCP Wrappers) and sshd to decide whether to accept a connection coming in from another IP address. ITS recommends that, to start with, you restrict access to only those network addresses you are certain should be allowed access. The following two example files allow connections from any address in the virginia.edu network domain, and from no others.

/etc/hosts.allow

ITS recommends the configuration shown in the following /etc/hosts.allow file, which permits connections to any service protected by tcpd or sshd only from systems within the virginia.edu domain:

      #
      # hosts.allow   This file describes the names of the hosts which are
      #               allowed to use the local INET services, as decided
      #               by the '/usr/sbin/tcpd' server.
      #
      # Only allow connections within the virginia.edu domain.

      ALL: .virginia.edu

/etc/hosts.deny

Below is ITS's suggested /etc/hosts.deny file content. With this configuration, access to your machine is denied from all hosts except those specified in hosts.allow.

      #
      # hosts.deny    This file describes the names of the hosts which are
      #               *not* allowed to use the local INET services, as decided
      #               by the '/usr/sbin/tcpd' server.
      #
      # deny all by default, only allowing hosts or domains listed in hosts.allow.
      ALL: ALL
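To make the evaluation order of these two files concrete, here is an added Python simulation of how tcpd applies them (example code written for this page, not from ITS or the tcp_wrappers project). It models only the subset of the syntax the files above use: the ALL keyword, a leading-dot domain suffix, and exact host names; it assumes the client name passed in is whatever reverse DNS returned for the peer (or the bare address when no PTR record exists).

```python
# Constructed copies of the two files shown above, embedded so this runs offline.
HOSTS_ALLOW = """
# Only allow connections within the virginia.edu domain.
ALL: .virginia.edu
"""
HOSTS_DENY = """
# deny all by default, only allowing hosts or domains listed in hosts.allow.
ALL: ALL
"""


def parse_rules(text):
    """Return [(daemon_list, client_list)] from a hosts.allow/hosts.deny body.
    Comments and blank lines are skipped; each rule is 'daemons : clients'."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        daemons, clients = line.split(":", 1)
        rules.append(([d.strip() for d in daemons.split(",")],
                      [c.strip() for c in clients.split(",")]))
    return rules


def token_matches(pattern, name):
    """Subset of tcp_wrappers matching: ALL, a leading-dot domain suffix,
    or an exact host/address string."""
    if pattern == "ALL":
        return True
    if pattern.startswith("."):
        return name.endswith(pattern)
    return pattern == name


def rule_matches(rules, daemon, client_name):
    return any(any(token_matches(d, daemon) for d in daemons)
               and any(token_matches(c, client_name) for c in clients)
               for daemons, clients in rules)


def access_granted(daemon, client_name, allow=HOSTS_ALLOW, deny=HOSTS_DENY):
    """tcp_wrappers order: a hosts.allow match wins, then a hosts.deny match
    denies, and a client matching neither file is permitted. A peer with no
    PTR record in virginia.edu never matches '.virginia.edu', so it is denied."""
    if rule_matches(parse_rules(allow), daemon, client_name):
        return True
    if rule_matches(parse_rules(deny), daemon, client_name):
        return False
    return True
```

The last case in the docstring is the one to remember: the domain rule depends on reverse DNS, so a legitimate campus host whose address has no virginia.edu PTR record will be locked out, and an empty or missing hosts.deny falls back to permitting everything.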

Page Updated: 2012-02-16