View the Most Wanted LQ Wiki articles.
Go Back > Forums > Linux Forums > Linux - Security
User Name
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.


  Search this Thread
Old 01-11-2005, 01:24 PM   #1
Registered: Jul 2003
Location: Chicago
Distribution: Fedora, ubuntu
Posts: 458

Rep: Reputation: 30
iptables vs hosts.deny

Im sorry if this is too basic of a question but can some quickly and simply tell me the difference between the two? I know the hosts.deny stops the host from using a local service, but assuming you want to block ALL services from that host, why not just block them at the firewall? Is one way prefered over another?

Being a n00b I find it much easier to use hosts.deny but now is as good of a time to learn as any.

Also, after adding an entry to the hosts.deny file, does any service need to be restarted?

Thank you,
Old 01-11-2005, 02:39 PM   #2
Registered: Oct 2004
Location: Rhode Island, USA
Distribution: Slackware... Simplicity is bliss.
Posts: 62

Rep: Reputation: 15

Yes, IPTables block the immediate connection to the service, while hosts.deny does the same.

For a good situation, I did the following:

hosts.deny contained:


SSH <--(I forgot the correct syntax) : DENY EXCEPT

I believe that how I did it. And in my IPTables, port 22 [ssh] was shut down and only open to the IPs:

Do I prefer one? I use both "just-in-case"--They both work effectively, but IPTables seems to be MUCH more flexible because it can also block pings, fin, syn, xmas, smurf & other attacks and probes.

If your looking for a quick and dirty way to learn practical IPtables, take a look at

I hope this helps,


PS- I don't remember the exact syntax I used in hosts.deny (it has been awhile ), so make sure to check out the man pages before putting up the production server.
Old 01-11-2005, 07:56 PM   #3
Senior Member
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Rep: Reputation: 65
Also, it's very important to remember that not all applications include tcp wrappers (hosts.allow/deny) support by default. Certain services like sshd usually have it in the default install, but others like Apache do not in a number of distros, so make sure to check the docs first.

You can run most of them through inetd/xinetd using tcpd so that they use tcp wrappers, otherwise they'll need to be compiled with tcp wrappers support. Unfortunately no errors will be generated if you try and put a non-supported application in hosts.allow/deny, leading many to think that they are secure when they're really not.

Last edited by Capt_Caveman; 01-11-2005 at 07:58 PM.


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off

Similar Threads
Thread Thread Starter Forum Replies Last Post
iptables v. hosts.deny/allow vswr31 Linux - Security 3 04-22-2005 05:16 PM
hosts.allow & hosts.deny question... jonc Linux - Security 9 03-05-2005 10:41 PM
Adding shell commands to hosts.deny and hosts.allow ridertech Linux - Security 3 12-29-2003 04:52 PM
Using iptables and hosts.deny? Poetics Linux - Security 8 07-19-2003 03:31 PM
hosts.deny and hosts.allow defaults? gui10 Linux - Security 5 12-20-2001 02:57 AM

All times are GMT -5. The time now is 02:13 PM.

Main Menu
Write for LQ is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration