How to Allow or Deny Network Access Using `hosts.allow` and `hosts.deny` on Debian 12 Bookworm

Learn how to allow or deny network access using hosts.allow and hosts.deny on Debian 12 Bookworm
by İbrahim Korucuoğlu ( @siberoloji) |
Tags:
Categories:

  4 minute read  

Introduction

Managing network access is crucial for securing a Linux system, and TCP Wrappers provides a simple but effective way to control access to services. On Debian 12 Bookworm, you can use the /etc/hosts.allow and /etc/hosts.deny files to define which clients can connect to specific services. These files belong to the TCP Wrappers framework, which allows administrators to permit or deny access based on IP addresses, hostnames, or patterns.

In this guide, we’ll explore how to configure these files effectively to enhance the security of your Debian 12 system.

Understanding TCP Wrappers

TCP Wrappers is an access control system that provides host-based security for services using the libwrap library. It examines incoming connection requests before passing them to the requested service.

Many services on Debian 12 still support TCP Wrappers, even though newer access control mechanisms like firewalld and iptables are widely used. Examples of services that may use TCP Wrappers include:

  • SSH (sshd)
  • Telnet (telnetd)
  • FTP (vsftpd, proftpd)
  • Postfix (SMTP server)

Checking TCP Wrappers Support

Before configuring access rules, ensure that the service you want to control supports TCP Wrappers. You can check if a service is linked to libwrap by using:

ldd $(which sshd) | grep libwrap

If you see output containing libwrap.so, it means the service supports TCP Wrappers.

How hosts.allow and hosts.deny Work

Order of Processing

  1. /etc/hosts.allow: Checked first. If a rule allows access, the connection is permitted immediately.
  2. /etc/hosts.deny: Checked only if there is no matching rule in hosts.allow. If a match is found here, the connection is denied.
  3. If a request is not specified in either file, it is allowed by default.

Important: If a rule exists in both files (hosts.allow and hosts.deny), the allow rule takes precedence.

Configuring hosts.allow

The hosts.allow file defines which IP addresses or hostnames can access specific services. The syntax follows this format:

<service>: <client IP or hostname>

Allowing Specific IP Addresses

To allow SSH access from a specific IP address (e.g., 192.168.1.100):

echo 'sshd: 192.168.1.100' | sudo tee -a /etc/hosts.allow

To allow multiple IP addresses:

echo 'sshd: 192.168.1.100 192.168.1.101' | sudo tee -a /etc/hosts.allow

Allowing an Entire Network

To permit access from all devices in the 192.168.1.0/24 network:

echo 'sshd: 192.168.1.' | sudo tee -a /etc/hosts.allow

Allowing Access by Hostname

If you want to allow a specific hostname (e.g., trustedhost.example.com):

echo 'sshd: trustedhost.example.com' | sudo tee -a /etc/hosts.allow

Allowing All Users

To allow all connections to a service:

echo 'sshd: ALL' | sudo tee -a /etc/hosts.allow

Configuring hosts.deny

The hosts.deny file defines which clients are denied access to services. The syntax is similar to hosts.allow:

<service>: <client IP or hostname>

Denying Specific IP Addresses

To block SSH access from 192.168.1.200:

echo 'sshd: 192.168.1.200' | sudo tee -a /etc/hosts.deny

Denying an Entire Network

To deny access from all devices in the 192.168.2.0/24 network:

echo 'sshd: 192.168.2.' | sudo tee -a /etc/hosts.deny

Denying All Users

To deny all access by default (useful if you only want to allow specific connections in hosts.allow):

echo 'ALL: ALL' | sudo tee -a /etc/hosts.deny

Verifying the Configuration

After modifying hosts.allow or hosts.deny, restart the affected service to apply changes. For SSH:

sudo systemctl restart ssh

To test if access is granted or denied, try connecting from different IP addresses using:

ssh user@your-server-ip

If access is denied, you may see:

Permission denied (publickey,password).

Best Practices for Using TCP Wrappers

  • Use hosts.allow for whitelisting and hosts.deny for blacklisting.
  • Minimize the use of ALL: ALL in hosts.deny, as it can inadvertently block access to critical services.
  • Always test changes before applying them in a production environment.
  • Combine TCP Wrappers with a firewall (e.g., UFW, iptables) for layered security.

Alternative: Using iptables for Access Control

Since TCP Wrappers is becoming less common, you may also consider iptables to restrict network access. For example, to allow only 192.168.1.100 to access SSH:

sudo iptables -A INPUT -p tcp --dport 22 -s 192.168.1.100 -j ACCEPT
sudo iptables -A INPUT -p tcp --dport 22 -j DROP

To make the rules persistent:

sudo apt install iptables-persistent
sudo netfilter-persistent save

Conclusion

Using hosts.allow and hosts.deny, you can effectively manage access control for various services on Debian 12 Bookworm. While TCP Wrappers provide a simple way to permit or restrict access based on IP addresses and hostnames, they should be used alongside modern security tools like iptables or firewalld for enhanced protection.

By implementing these best practices, you can safeguard your system from unauthorized access while ensuring seamless access for trusted users.


< How to Block Specific IPs Using iptables on Debian 12 BookwormHow to Disable Network Interfaces on Boot in Debian 12 Bookworm >