At times you may want to limit access to specific services on your virtual server
for security, or to minimize the impact of unwanted connections. By configuring
the virtual server's ~/etc/hosts.allow file you can customize the access rules
for your account at the network level while keeping overhead to a minimum.
The implications of modifying this file are significant and it is not for the
inexperienced user: a mistaken rule can lock you out of your own services. The value
and power of this facility, however, are welcome to power users and high traffic businesses.
If you connect to your account by FTP the file is located at:
If you connect to your account by Telnet/SSH the file can be edited by running:
- pico ~/etc/hosts.allow
or
- vi ~/etc/hosts.allow
The basic theory behind this file is to either allow or deny access to specific services
on your account, one rule per line, with the following syntax:
- SERVICE : HOSTNAME : ACCESS
Here are some examples used on typical virtual servers:
- ALL : 1.2.3.4 : deny
- ALL : ALL : ALLOW
- smtp : 4.3.2.1 : deny
- smtp : ALL : ALLOW
IMPORTANT - the contents of this file are LIVE: the rules are consulted on every incoming
connection and there is no command to make changes go live, so alterations should be reviewed
as soon as they are made to ensure traffic is being controlled correctly. Keep your current
SSH session open while editing, so that a mistaken rule cannot leave you locked out before
it is corrected.
To test the syntax of the current hosts.allow file on the account, run the following
in a Telnet/SSH session (the -d flag tells tcpdchk to examine the file in the current
directory rather than the system default; tcpdmatch(8) accepts the same flag and reports
which rule a given service and client address would match):
- cd ~/etc
- /usr/sbin/tcpdchk -d
Note the file is processed in order from top to bottom, with the first line matching both
the service and the host name/address being used to either allow or deny the connection.
A general rule such as "ALL : ALL : ALLOW" therefore belongs below any specific denials,
since nothing after it can be reached; if no rule matches at all, the connection is allowed.
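To make the ordering rule concrete, here is an added Python simulation of how tcp_wrappers walks such a file. It is not a tool from this article, from FreeBSD or from the virtual server installation: it parses SERVICE : HOSTNAME : ACCESS lines, returns the verdict of the first matching rule, applies the hosts_access(5) default of granting access when nothing matches, and flags rules that an earlier line with client ALL makes unreachable. The two rule sets inside it are constructed for the example (the ftpd prefix rule is an assumption, not one of the article's rules), and only ALL, exact IPv4 addresses and trailing-dot prefixes are modelled.

```python
"""First-match simulation of an extended-syntax hosts.allow file.

Added example for this article (not a tool shipped with FreeBSD or the
virtual server).  It models the tcp_wrappers rule ORDER semantics the
article describes: rules are read top to bottom, the first rule whose
service and client both match decides, and access is granted when no
rule matches (the hosts_access(5) default).  Supported client patterns
are ALL, an exact IPv4 address and a trailing-dot network prefix such
as "1.2.3."; hostnames, netmasks and the other hosts_access(5) forms
are deliberately left out.
"""
from typing import List, Tuple

Rule = Tuple[str, str, str]  # (service pattern, client pattern, "allow" or "deny")


def parse_hosts_allow(text: str) -> List[Rule]:
    """Parse SERVICE : CLIENT : allow|deny lines; '#' comments and blank
    lines are ignored and a malformed line raises ValueError."""
    rules: List[Rule] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = [f.strip() for f in line.split(":")]
        if len(fields) != 3 or fields[2].lower() not in ("allow", "deny"):
            raise ValueError(f"line {lineno}: expected SERVICE : CLIENT : allow|deny, got {raw!r}")
        rules.append((fields[0], fields[1], fields[2].lower()))
    return rules


def client_matches(pattern: str, addr: str) -> bool:
    """ALL matches every client; "1.2.3." matches 1.2.3.0 through 1.2.3.255
    (the trailing dot is what makes it a prefix); anything else is an exact match."""
    if pattern.upper() == "ALL":
        return True
    if pattern.endswith("."):
        return addr.startswith(pattern)
    return addr == pattern


def service_matches(pattern: str, service: str) -> bool:
    """ALL matches every service; otherwise the daemon name must match."""
    return pattern.upper() == "ALL" or pattern.lower() == service.lower()


def decide(rules: List[Rule], service: str, addr: str) -> str:
    """Verdict for one connection: the first matching rule wins; no match means allow."""
    for svc, client, action in rules:
        if service_matches(svc, service) and client_matches(client, addr):
            return action
    return "allow"


def shadowed_rules(rules: List[Rule]) -> List[int]:
    """Indexes of rules that can never fire because an earlier rule with
    client ALL already covers their service.  Only this common mistake is
    detected here; tcpdchk -d remains the authoritative syntax check."""
    shadowed = []
    for i, (svc, _client, _action) in enumerate(rules):
        for esvc, eclient, _ in rules[:i]:
            if eclient.upper() == "ALL" and service_matches(esvc, svc):
                shadowed.append(i)
                break
    return shadowed


# Constructed sample 1: the article's four example rules, in the order listed.
# Because "ALL : ALL : ALLOW" comes second, the two smtp rules below it never match.
AS_LISTED = """
ALL  : 1.2.3.4 : deny
ALL  : ALL     : ALLOW
smtp : 4.3.2.1 : deny
smtp : ALL     : ALLOW
"""

# Constructed sample 2: specific denials first, the general allow last.
# The ftpd line is an assumption of this example; it blocks a whole /24 by prefix.
DENY_FIRST = """
ALL  : 1.2.3.4 : deny
smtp : 4.3.2.1 : deny
ftpd : 1.2.3.  : deny
ALL  : ALL     : ALLOW
"""

if __name__ == "__main__":
    for name, text in (("as listed", AS_LISTED), ("deny first", DENY_FIRST)):
        rules = parse_hosts_allow(text)
        print(f"{name}: smtp from 4.3.2.1 -> {decide(rules, 'smtp', '4.3.2.1')}, "
              f"shadowed rule indexes: {shadowed_rules(rules)}")
```

Fed the article's four examples in the order they are listed, the simulation reports that smtp from 4.3.2.1 is allowed and that rules 2 and 3 are unreachable; with the specific denials moved above the general allow, the same connection is denied and nothing is shadowed. That difference is exactly what the top-to-bottom rule means in practice, and it is the kind of ordering mistake to look for after every edit, since the file is live as soon as it is saved.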
Blocking or limiting traffic via this facility provides a more efficient method of controlling
service activity, since refusing a connection here costs far less than enforcing access control
inside the application itself (sendmail, for example), which has to start and process the
request before it can turn it away.
For an in-depth review of the hosts.allow file FreeBSD offers the following documentation.
Here is an example hosts.allow file, already located on the base virtual server installation.