I know that hosts.allow and hosts.deny only affect things that are tcpwrappered, but what does this mean in practice? It seems that most people use hosts.allow to handle ssh and nfs blocking, but what other services are typically handled there? And what services AREN'T typically handled there?

Edit: ok, I realize I did a terrible job of explaining what I was after. No, I'm not interested in knowing if a particular service can be handled by hosts.allow, I want to know if a service will be handled. For example, if I do an lsof -i, I get a nice list of things that are listening for connections to my box. I want to know which ones will be affected if I go stick an entry into hosts.allow (well, I really want to know which ones won't be affected).

Jed Daniels
  • Too many to name here. I have only 600 characters left. – mailq Nov 10 '11 at 18:10
  • While there might be too many to name them all, can you name a few? – Jed Daniels Nov 10 '11 at 20:43
  • Let's play a game. You name a service and I say "No, this is not affected". And I'm wrong in under 1%. – mailq Nov 11 '11 at 12:11
  • ssh. mysqld. apache2. I could just go get a list of all the services running on a system, but wouldn't it be easier to help me LEARN how to make the determination myself? I don't actually come here for easy answers, but to learn how to get the answer myself. If the howtos on hosts.allow had such information, I wouldn't have had to ask the question. – Jed Daniels Nov 11 '11 at 20:12
  • In this case see Jeff's answer. – mailq Nov 11 '11 at 20:21

2 Answers


While mailq is right that there are too many to name, maybe you'd appreciate knowing how to determine if your service supports it.

The following command will tell you if the daemon for your service was compiled with tcpwrappers:

$ ldd /path/to/daemon | grep libwrap.so

For more information, see http://www.cyberciti.biz/faq/tcp-wrappers-hosts-allow-deny-tutorial/ .

How to determine if the services you are running will be affected.

The output of lsof -i includes the pid number. As root in Linux, you can get the path to the service's command in the /proc filesystem and run ldd:

ldd /proc/pid/exe | grep libwrap.so

If the daemon is linked with libwrap.so, then you can look in its man page to find how it works with hosts.allow/hosts.deny.

Jeff Strunk
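The check described in the answer above, applied to every listening TCP process at once, as an added example that is not part of the original answer. The function names and the `--scan` switch are assumptions made for this example; run it as root so that `/proc/<pid>/exe` is readable for every process.

```sh
#!/bin/sh
# Added example: which listening TCP processes are linked against libwrap?
# Function names and the --scan switch are made up for this example.

# Read `ldd` output on stdin; succeed if it lists the tcpwrappers library.
links_libwrap() {
    grep -Eq '(^|[[:space:]/])libwrap\.so(\.[0-9]+)*([[:space:]]|$)'
}

# Read `lsof -Fpc` field output on stdin (constructed sample: p812 / csshd /
# f3, one field per line) and print "pid command" once per process.
listening_pids() {
    awk '/^p/ { pid = substr($0, 2) }
         /^c/ && !(pid in seen) { seen[pid] = 1; print pid, substr($0, 2) }'
}

# Print "pid command verdict" for one process.
classify_pid() {
    exe="/proc/$1/exe"
    if [ ! -r "$exe" ]; then
        echo "$1 $2 unreadable"       # process gone, or not running as root
    elif ldd "$exe" 2>/dev/null | links_libwrap; then
        echo "$1 $2 wrapped"          # linked against libwrap; see its man page
    else
        echo "$1 $2 not-wrapped"      # binary is not linked against libwrap
    fi
}

# Live scan of the local machine, only when asked for explicitly.
if [ "${1:-}" = "--scan" ]; then
    lsof -nP -iTCP -sTCP:LISTEN -Fpc | listening_pids |
        while read -r pid cmd; do classify_pid "$pid" "$cmd"; done
fi
```

`ldd` can execute code from the binary it inspects, so point this only at daemons you already trust. A `not-wrapped` verdict for a service that is started through inetd or xinetd does not settle the question, because the super-server can apply the check before the daemon runs.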

Usually inetd- or xinetd-originated services are affected, and those that are running as daemons are not affected. However, some daemons choose to check hosts.allow, and this should be checked on a per-daemon basis.

Antti Rytsölä