I have Apache2 running on Ubuntu 14.04LTS. To begin securing network access to the machine, I want to start by blocking everything, then make specific allow statements for specific subnets to browse to sites hosted in Apache.

The Ubuntu Server is installed with no packages selected during install, the only packages added after install are: apt-get update; apt-get install apache2, php5 (with additional php5-modules), openssh-server, mysql-client

Following are my /etc/hosts.deny & /etc/hosts.allow settings:

  • /etc/hosts.deny

  • /etc/hosts.allow has no allow entries at all.

I would expect all network protocols to be denied. The symptom is that I can still web browse to sites hosted on the Apache web server even though there is a deny all statement in /etc/hosts.deny

The system was rebooted after the deny entry was added.

Why would /etc/hosts.deny with ALL:ALL be ignored and allow http browsing to sites hosted on the apache web server?


4 Answers


In order for tcp wrappers to have effect, you need to launch the corresponding service out of xinetd or have the application link to libwrap. The xinetd daemon is a TCP-wrapped super service.

tcpwrappers compatibility

The first thing to remember is that not every network-based application on your machine is compatible with tcpwrappers. The restrictions on hosts.allow or hosts.deny are only valid if they refer to the tcpwrappers library. How can you find out if your application is compatible? Use this command:

ldd /path/to/binary | grep libwrap (general example)

ldd /usr/sbin/sshd | grep libwrap (shows that the sshd refers to libwrap)

ldd /usr/sbin/apache2 | grep libwrap (shows that apache does not refer to libwrap)

In the basic example above we see that sshd (the ssh server) refers to libwrap.so, so we can tell that any restrictions in hosts.allow and hosts.deny are applicable to that service. We also see that apache2 does not refer to libwrap.so, so any restrictions outlined there do not apply to apache2 connections (i.e., you could lock down ssh but apache2 is still wide open).

  • Adding Libwrap to a service, say Apache for example, requires you to compile from source with libwrap added to the source code, correct? +1 for the diagram. – Jason Aug 12 '14 at 02:37
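The `ldd` check from the answer above can be applied to every listening daemon at once. This is an added example, not part of the original answers: the function names are hypothetical, and it assumes `ss` (iproute2) is installed and the script runs as root so that `ss -p` can show the owning process.

```shell
#!/bin/sh
# Added example, not from the answers: which listening TCP daemons honour
# /etc/hosts.allow and /etc/hosts.deny? Function names are hypothetical.

# links_libwrap: reads `ldd` output on stdin, succeeds if libwrap is listed.
links_libwrap() {
    grep -q 'libwrap\.so'
}

# wrapper_status BINARY: prints wrapped, not-wrapped or unknown (ldd failed,
# e.g. a static binary or an unreadable path).
wrapper_status() {
    deps=$(ldd "$1" 2>/dev/null) || { echo unknown; return 0; }
    if printf '%s\n' "$deps" | links_libwrap; then
        echo wrapped
    else
        echo not-wrapped
    fi
}

# parse_listeners: reads `ss -tlnp` output on stdin and prints
# "local-address pid name" for the first process on each listening socket.
# Handles both users:(("sshd",812,3)) and users:(("sshd",pid=812,fd=3)).
parse_listeners() {
    while read -r state _ _ addr _ procs; do
        [ "$state" = LISTEN ] || continue
        owner=$(printf '%s\n' "$procs" |
            sed -n 's/.*users:(("\([^"]*\)",\(pid=\)\{0,1\}\([0-9]\{1,\}\),.*/\3 \1/p')
        [ -n "$owner" ] && echo "$addr $owner"
    done
    return 0
}

# audit: one line per listener with the wrapper status of its executable.
audit() {
    ss -tlnp | parse_listeners | while read -r addr pid name; do
        echo "$addr $name $(wrapper_status "/proc/$pid/exe")"
    done
}

# Run the audit only when ss is available.
if command -v ss >/dev/null 2>&1; then audit; fi
```

A listener reported as not-wrapped is unaffected by hosts.deny unless it is launched through a wrapped super-server such as xinetd, as the answer notes.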

The hosts.allow and hosts.deny files have only limited effect. They do not apply to the apache application.

However, there are access control directives within the apache configuration directives to make these types of restrictions.


To limit your apache server add something like the following to httpd.conf

<Directory />
Order Deny,Allow
Deny from all
#Allow from your ip
</Directory>

If I recall correctly you need mod_access enabled, but it mostly is by default.

NB! You must restart apache.


See https://stackoverflow.com/questions/19445686/ubuntu-server-apache-2-4-6-client-denied-by-server-configuration-php-fpm and Upgrade from Apache 2.2 to Apache 2.4

In Ubuntu 14.04 something has been changed for the Apache Configuration. You must make this modification: Change

Order Deny,Allow
Deny from all

to

Require all denied