hosts.deny format and example on Linux

The hosts.deny file can be used on a Linux system to deny connection attempts from one or more IP addresses, hostnames, or domains. It applies to any TCP wrapped service on your system, that is, a daemon linked against the TCP Wrappers library (libwrap) or started through tcpd or a wrapper-aware inetd; a daemon that does not consult the library ignores the file entirely. The hosts.deny file is used in conjunction with hosts.allow to determine whether a connection attempt gets accepted or denied.

The hosts.deny file is just a plain text configuration file with a rather simple syntax. In this tutorial, you will see an example of the hosts.deny file, as we show you how to format the file for different possible scenarios.

In this tutorial you will learn:

  • What does the hosts.deny file do?
  • How to edit and format the hosts.deny file
Software Requirements and Linux Command Line Conventions

Category      Requirements, Conventions or Software Version Used
System        Any Linux distro
Software      N/A
Other         Privileged access to your Linux system as root or via the sudo command.
Conventions   # – requires given Linux commands to be executed with root privileges, either directly as the root user or by use of the sudo command
              $ – requires given Linux commands to be executed as a regular non-privileged user

The hosts.deny file contains a list of rules naming the services to which the specified hosts or networks are denied access. The format is one rule per line; blank lines and lines beginning with # are ignored, and a line ending in a backslash continues on the next line. Rules are checked in order and the first match wins. Below, we will show various examples of rules you can use in the file.

NOTE
When a connection is attempted, hosts.allow is consulted first. If a rule there matches the service and the client, access is granted and hosts.deny is not consulted at all. Only when no hosts.allow rule matches is hosts.deny searched, and the first matching rule there refuses the connection. If neither file contains a match, the connection is allowed, so an empty hosts.deny imposes no restrictions. Both files are read for every connection attempt, so edits take effect immediately without restarting the service.
  1. The usual syntax is as follows. The fields are separated by a colon :, and each field is a list whose items are separated by spaces or commas, so one rule can cover several services or several hosts.
    service : host/network
    

    You can also supply options, but this is not as common. We will cover some other niche choices below. More options can be added if necessary, with each one separated by another colon. Options defined in hosts_options(5) include severity to change the syslog priority, spawn to run a shell command when the rule matches, and allow or deny to override the decision the file would otherwise make.

    service : host/network [: <option>: <option>: ...]
    
    
  2. The following line would deny all traffic to the sshd service. ALL is used as a wildcard. The service field is matched against the daemon's process name, so use the name the daemon runs under, here sshd.
    sshd : ALL
    

    As mentioned earlier, rules inside of the hosts.allow file would trigger before this rule. Therefore, the ALL rule can be used as a catch-all for the connections which were not already explicitly accepted.

  3. This line would deny connections from all hosts on the 10. network. A pattern ending in a dot matches every address that begins with those octets, so 10. covers 10.0.0.0/8; the equivalent net/mask form is 10.0.0.0/255.0.0.0. Connections from all other hosts fall through: they are accepted if a hosts.allow rule matches them, or if no hosts.deny rule matches them, since the default when nothing matches is to allow.
    sshd : 10.
    
  4. Deny connections from a particular IPv4 and IPv6 address:
    sshd : 10.10.136.241
    sshd : [2a02:2149:88f1:4c00:9991:9daa:b580:aee1]
    

    Notice the IPv6 address must be enclosed in [ ] brackets. A bracketed address may also be followed by /prefixlen to cover a whole IPv6 network.

  5. Rather than using IPs, you can also specify hostnames to deny connections from. Hostname matching depends on a reverse DNS lookup of the client address, which is controlled by whoever runs that address's reverse zone; tcpd cross-checks the name with a forward lookup and classes a mismatch as PARANOID, but address-based rules remain the more reliable choice.
    sshd : some.host
    
  6. Deny connections from all hosts whose name ends in .linuxconfig.org. A pattern that begins with a dot matches any hostname ending in that string.
    sshd : .linuxconfig.org
    
  7. You can also use a wildcard for both the service and the host/network field. This will deny all connections to any service. It should only be used if you already have rules inside hosts.allow that admit every host or network you need to hear from; with that pair in place the default flips from allow to deny, which is the more defensible posture.
    ALL : ALL
    
  8. The LOCAL wildcard matches any host whose name does not contain a dot, that is, hosts that resolve to a bare name in the local domain. To deny only those local connections:
    sshd : LOCAL
    



  9. The EXCEPT operator can be used to create an exception in an otherwise all-encompassing rule. It works in the service field as well as the host field. For example, this rule would deny all connections from the .linuxconfig.org domain name, except for one host.
    sshd : .linuxconfig.org EXCEPT terminal.linuxconfig.org
    
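To see how these rules interact, here is an added example that is not code from this article or from the tcp_wrappers project: a small Python evaluator that parses the hosts.allow/hosts.deny syntax shown above and applies the decision order documented in hosts_access(5) (hosts.allow first, then hosts.deny, allow by default, first match wins within a file). The two sample files and the client addresses are constructed for the demonstration, and the hostnames are assumed to be what reverse DNS would return for those addresses. On a live system, tcpdmatch(8) performs the same dry run against the real files.

```python
"""Dry-run evaluator for the /etc/hosts.allow and /etc/hosts.deny format.

Added example, not code from the article or from the tcp_wrappers project.
It reproduces the hosts_access(5) decision order (hosts.allow first, then
hosts.deny, default allow) for the pattern forms shown in the article, so a
rule set can be checked offline.  Sample files and clients are constructed.
"""
import ipaddress
import re
from typing import Callable, Dict, List, Optional, Tuple, Union

IPAddress = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]
PatternList = Tuple[List[str], List[str]]          # (included, EXCEPT-ed) patterns
Rule = Tuple[PatternList, PatternList, List[str]]  # (daemon_list, client_list, options)

def split_fields(line: str) -> List[str]:
    """Split a rule on ':' while leaving bracketed IPv6 literals intact."""
    fields, current, depth = [], "", 0
    for ch in line:
        depth += (ch == "[") - (ch == "]")
        if ch == ":" and depth == 0:
            fields.append(current.strip())
            current = ""
        else:
            current += ch
    fields.append(current.strip())
    return fields

def _parse_list(text: str) -> PatternList:
    """'a b EXCEPT c' -> (['a', 'b'], ['c']); items are space or comma separated."""
    parts = re.split(r"\s+EXCEPT\s+", text.strip(), maxsplit=1)
    included = [t for t in re.split(r"[\s,]+", parts[0]) if t]
    excepted = [t for t in re.split(r"[\s,]+", parts[1]) if t] if len(parts) > 1 else []
    return included, excepted

def parse_rules(text: str) -> List[Rule]:
    """One rule per line; '#' lines and blank lines ignored; a trailing '\\' continues."""
    rules, pending = [], ""
    for raw in text.splitlines():
        if raw.endswith("\\"):
            pending += raw[:-1]
            continue
        line, pending = (pending + raw).strip(), ""
        if not line or line.startswith("#"):
            continue
        fields = split_fields(line)
        if len(fields) < 2:
            raise ValueError(f"malformed rule: {line!r}")
        rules.append((_parse_list(fields[0]), _parse_list(fields[1]), fields[2:]))
    return rules

def _match_client(pattern: str, addr: IPAddress, hostname: Optional[str]) -> bool:
    """Client patterns from hosts_access(5) that the article covers."""
    name, p = (hostname or "").lower(), pattern.lower()
    if p == "all":
        return True
    if p == "local":                      # host name that contains no dot
        return bool(name) and "." not in name
    if p.startswith("."):                 # ".example.org": host name suffix
        return name.endswith(p)
    if p.startswith("["):                 # "[v6addr]" or "[v6net]/prefixlen"
        return addr in ipaddress.ip_network(p.replace("[", "").replace("]", ""), strict=False)
    if "/" in p:                          # "n.n.n.n/m.m.m.m": net/mask pair
        return addr in ipaddress.ip_network(p, strict=False)
    if p.endswith(".") and p[:-1].replace(".", "").isdigit():
        return str(addr).startswith(p)    # "10.": leading address octets
    return p in (name, str(addr))         # exact host name or address

def _match_list(lst: PatternList, matches: Callable[[str], bool]) -> bool:
    included, excepted = lst
    return any(map(matches, included)) and not any(map(matches, excepted))

def _verdict(rule: Rule, default: bool) -> bool:
    """hosts_options(5): a final 'allow' or 'deny' option overrides the file."""
    last = rule[2][-1].lower() if rule[2] else ""
    return last == "allow" if last in ("allow", "deny") else default

def hosts_access(allow_text: str, deny_text: str, daemon: str,
                 client: str, hostname: Optional[str] = None) -> bool:
    """True if (daemon, client) is granted access: first hosts.allow match grants,
    otherwise first hosts.deny match refuses, otherwise allowed."""
    addr = ipaddress.ip_address(client)

    def rule_matches(rule: Rule) -> bool:
        daemons, clients, _ = rule
        return (_match_list(daemons, lambda p: p.upper() == "ALL" or p == daemon)
                and _match_list(clients, lambda p: _match_client(p, addr, hostname)))

    for rule in parse_rules(allow_text):
        if rule_matches(rule):
            return _verdict(rule, True)
    for rule in parse_rules(deny_text):
        if rule_matches(rule):
            return _verdict(rule, False)
    return True

# Constructed sample files mirroring the rules discussed in the article.
SAMPLE_ALLOW = """\
# management LAN may reach sshd; single-label (local) host names may reach anything
sshd : 192.168.1.0/255.255.255.0
ALL  : LOCAL
"""
SAMPLE_DENY = """\
sshd : 10.
sshd : .linuxconfig.org EXCEPT terminal.linuxconfig.org
sshd : [2a02:2149:88f1:4c00:9991:9daa:b580:aee1]
"""

def evaluate_samples() -> Dict[Tuple[str, Optional[str]], bool]:
    """Decision for each constructed client (address, assumed reverse-DNS name)."""
    cases = [
        ("192.168.1.50", None),                             # allowed by hosts.allow net/mask
        ("10.10.136.241", None),                            # denied by the "10." prefix
        ("10.0.0.5", "buildbox"),                           # allowed: LOCAL in hosts.allow wins
        ("203.0.113.7", "mirror.linuxconfig.org"),          # denied by the domain suffix
        ("203.0.113.8", "terminal.linuxconfig.org"),        # EXCEPT-ed, so default allow
        ("2a02:2149:88f1:4c00:9991:9daa:b580:aee1", None),  # denied by the IPv6 literal
    ]
    return {(ip, host): hosts_access(SAMPLE_ALLOW, SAMPLE_DENY, "sshd", ip, host)
            for ip, host in cases}

if __name__ == "__main__":
    for (ip, host), allowed in evaluate_samples().items():
        print(f"{('ALLOW' if allowed else 'DENY'):5} sshd <- {ip} ({host or 'no reverse DNS'})")
```

The third case is the one worth internalising: 10.0.0.5 is inside the range that hosts.deny blocks, yet it is admitted because the LOCAL rule in hosts.allow matched first and ended the search. Any host whose reverse DNS returns a dotless name gets the same treatment, which is why address-based rules in hosts.allow are preferable to name-based ones.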

Closing Thoughts

In this tutorial, we saw how to format hosts.deny with various filtering rules on a Linux system. This can be an effective way to filter traffic for TCP wrapped services, although it has fallen out of common use with the rise of the powerful iptables/nftables firewall built into the Linux kernel. Before relying on it, confirm that the daemon actually consults the files: OpenSSH removed its built-in TCP Wrappers support in version 6.7 (2014) and some distributions no longer build daemons against libwrap, so an sshd rule in hosts.deny may silently do nothing. tcpdchk(8) reports syntax errors in both files, tcpdmatch(8) shows how a given daemon and client would be treated, and checking whether the daemon binary is linked against libwrap settles whether the rules apply at all. Treat TCP Wrappers as one layer of defense alongside, not instead of, the kernel firewall.
