Why hosts.allow not working on CentOS 7 Minimal installation

Updated on November 8, 2017

Here’s a question asked by Gokul, one of the regular readers at Techglimpse: hosts.allow not working on a CentOS 7 minimal installation.

Question: I recently installed a minimal version of CentOS on my VPS. After installing, I tried configuring hosts.allow to allow TCP connections only from known IP addresses and their ranges. To do that, I generally edit /etc/hosts.allow and allow IP addresses as below:

ALL: 10.180.*.*, 106.*.*.*: allow

But for some reason, I was able to SSH to the server from a non-trusted IP address (one that was not allowed in hosts.allow). It seems like hosts.allow is not working on the CentOS 7 minimal installation. How do I solve this issue? – Gokul

Fix hosts.allow not working on CentOS 7 minimal installation

hosts.allow and hosts.deny hold rules that allow or deny connections to network services protected by tcp_wrappers. That protection is not global: a service only honours these files if it was built against the tcp_wrappers library (libwrap) or is started through the tcpd wrapper by inetd/xinetd. On CentOS 7, sshd is linked against libwrap and the library package (tcp_wrappers-libs) is pulled in by openssh-server, so even a minimal installation can enforce hosts.allow for SSH; you can confirm this by checking with ldd whether /usr/sbin/sshd links libwrap.so.0. What a minimal installation usually lacks is the tcp_wrappers package itself, which provides the tcpd wrapper and the tcpdmatch test tool. Install it if you need to wrap inetd/xinetd services or want to test your rules, but for sshd the rules themselves are usually the problem (see below).

Install the tcp_wrappers package:

The wrapper program that reads hosts.allow and hosts.deny on behalf of inetd/xinetd services is tcpd (services linked against libwrap, such as sshd, read the files themselves). Check which package provides tcpd:

# yum provides tcpd

Sample output:

tcp_wrappers-7.6-77.el7.x86_64 : A security tool which acts as a wrapper for TCP daemons
Repo : base
Matched from:
Filename : /usr/sbin/tcpd

The output confirms that the tcpd binary is provided by the tcp_wrappers package. Install that package with yum (the package name, not the binary name, is what yum install expects):

# yum install tcp_wrappers
:::::::::::::::::::::
Installed:
 tcp_wrappers.x86_64 0:7.6-77.el7

After editing hosts.allow and hosts.deny there is no daemon to start. tcpd is not a service, and running /usr/sbin/tcpd by hand does nothing useful, because it expects to be launched by inetd/xinetd with an already connected socket. Services linked against libwrap, such as sshd on CentOS 7, read /etc/hosts.allow and /etc/hosts.deny on every incoming connection, so edits take effect immediately without a restart.

Then check that hosts.allow really restricts access: try to connect from an address that is not in the list and from one that is. The tcp_wrappers package also ships tcpdmatch, which reports the decision for a given daemon name and client address without opening a connection.

Still not working? This is the usual cause. libwrap consults /etc/hosts.allow first, then /etc/hosts.deny, and stops at the first matching rule; if no rule in either file matches, access is granted. A hosts.allow that only lists trusted addresses therefore changes nothing unless hosts.deny refuses everyone else, so always DENY ALL in hosts.deny before allowing in hosts.allow. Also write address ranges in the forms hosts_access(5) documents, a prefix with a trailing dot (10.180.) or network/netmask (10.180.0.0/255.255.0.0); shell-style wildcards such as 10.180.*.* are not a documented address pattern.

For example, what has always worked for me is:

/etc/hosts.deny:
ALL: ALL: DENY

/etc/hosts.allow:
sshd: 10.168.1.21
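As an added example (not code from the Techglimpse article or from tcp_wrappers itself), the following POSIX shell script emulates how libwrap walks hosts.allow and then hosts.deny for an IPv4 client, so a rule set can be tested offline before you lock yourself out. It runs the question's hosts.allow with an empty hosts.deny beside the deny-all configuration above, and also exercises the documented prefix and network/netmask forms for ranges. The rule files, the client addresses (203.0.113.9 is from a documentation range) and the vsftpd daemon name are constructed for the demo; the emulator handles only ALL, exact addresses, trailing-dot prefixes and net/netmask patterns, not hostname patterns or EXCEPT.

```shell
#!/bin/sh
# Added example, not code from the article or from tcp_wrappers: an offline
# evaluator that mimics the decision order hosts_access(5) documents:
# hosts.allow first, then hosts.deny, first matching rule wins, and if
# nothing matches access is granted.
# Scope (an assumption of this example): IPv4 clients only; client patterns
# ALL, exact address, prefix ending in '.', and network/netmask.

set -f   # never let the shell expand 10.180.*.* as a filename glob

# ip_to_int A.B.C.D -> 32-bit integer
ip_to_int() {
  IFS=. read -r a b c d <<EOF
$1
EOF
  echo $(( (a << 24) | (b << 16) | (c << 8) | d ))
}

# client_match PATTERN CLIENT -> 0 if PATTERN matches the client address
client_match() {
  pat=$1 client=$2
  case "$pat" in
    ALL) return 0 ;;
    */*)                        # network/netmask, e.g. 10.180.0.0/255.255.0.0
      case "$client" in *[!0-9.]*) return 1 ;; esac
      net=${pat%/*}; mask=${pat#*/}
      [ $(( $(ip_to_int "$client") & $(ip_to_int "$mask") )) -eq \
        $(( $(ip_to_int "$net") & $(ip_to_int "$mask") )) ] ;;
    *.)                         # trailing dot: prefix match, e.g. 106.
      case "$client" in "$pat"*) return 0 ;; *) return 1 ;; esac ;;
    *)                          # anything else is compared as a literal string,
      [ "$pat" = "$client" ] ;; # so 10.180.*.* matches no address at all
  esac
}

# list_has LIST WORD -> 0 if WORD is an element of a comma/space separated LIST
list_has() {
  for item in $(printf '%s' "$1" | tr ',' ' '); do
    [ "$item" = "$2" ] && return 0
  done
  return 1
}

# rule_matches LINE DAEMON CLIENT -> 0 if both the daemon and client lists match
rule_matches() {
  daemons=${1%%:*}
  rest=${1#*:}
  clients=${rest%%:*}           # a third field (options) is dropped here
  list_has "$daemons" ALL || list_has "$daemons" "$2" || return 1
  for pat in $(printf '%s' "$clients" | tr ',' ' '); do
    if client_match "$pat" "$3"; then return 0; fi
  done
  return 1
}

# rule_verdict LINE DEFAULT -> granted|refused; a trailing ": allow"/": deny"
# option overrides DEFAULT, which is the meaning of the file the rule sits in
rule_verdict() {
  rest=${1#*:}
  case "$rest" in
    *:*) opt=$(printf '%s' "${rest#*:}" | tr -d ' \t' | tr 'A-Z' 'a-z') ;;
    *)   opt= ;;
  esac
  case "$opt" in
    allow) echo granted ;;
    deny)  echo refused ;;
    *)     echo "$2" ;;
  esac
}

# check_access ALLOWFILE DENYFILE DAEMON CLIENT -> prints granted|refused
check_access() {
  allow_file=$1 deny_file=$2
  for f in "$allow_file" "$deny_file"; do
    if [ "$f" = "$allow_file" ]; then default=granted; else default=refused; fi
    [ -f "$f" ] || continue                       # a missing file has no rules
    while IFS= read -r line || [ -n "$line" ]; do
      line=${line%%#*}                            # strip comments
      [ -n "$(printf '%s' "$line" | tr -d ' \t')" ] || continue
      if rule_matches "$line" "$3" "$4"; then
        rule_verdict "$line" "$default"
        return 0
      fi
    done < "$f"
  done
  echo granted                                    # nothing matched: libwrap allows
  return 0
}

# Constructed rule sets for the demo (not taken from any real host).
write_broken_rules() {            # the question's hosts.allow, and no deny rule
  printf '%s\n' 'ALL: 10.180.*.*, 106.*.*.*: allow' > "$1/hosts.allow"
  : > "$1/hosts.deny"
}
write_fixed_rules() {             # deny everyone, then allow sshd from trusted ranges
  printf '%s\n' 'sshd: 10.180.0.0/255.255.0.0, 106., 10.168.1.21' > "$1/hosts.allow"
  printf '%s\n' 'ALL: ALL: DENY' > "$1/hosts.deny"
}

demo_dir=$(mktemp -d)
for ruleset in broken fixed; do
  "write_${ruleset}_rules" "$demo_dir"
  echo "== $ruleset rules =="
  for client in 10.180.3.4 106.1.2.3 10.181.0.1 203.0.113.9; do
    echo "sshd   from $client: $(check_access "$demo_dir/hosts.allow" "$demo_dir/hosts.deny" sshd "$client")"
  done
  echo "vsftpd from 10.180.3.4: $(check_access "$demo_dir/hosts.allow" "$demo_dir/hosts.deny" vsftpd 10.180.3.4)"
done
rm -rf "$demo_dir"
```

With the broken rules every client is granted, including 203.0.113.9, because nothing in either file denies it; with the fixed rules only sshd from the listed ranges gets through and vsftpd is refused even from a trusted address. On a real CentOS 7 host the same question is answered by tcpdmatch from the tcp_wrappers package, for example tcpdmatch sshd 203.0.113.9, which reads the live /etc/hosts.allow and /etc/hosts.deny.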

Hope it helps.
