Linux /etc/hosts file: mapping and security


Which files do what?

There are three files within the /etc directory: hosts, hosts.allow, hosts.deny. Each file handles a different task. Here is the breakdown:

/etc/hosts: This file maps hostnames to IP addresses. By default a local lookup consults it before DNS (the order is set by the hosts: line in /etc/nsswitch.conf). This file is best used for mapping names to internal IP addresses.

/etc/hosts.allow: Entries in this file grant remote hosts access to services on the local system.

/etc/hosts.deny: Entries in this file deny remote hosts access to services on the local system.

The three files, when used properly, can simplify access and security on your local system. Note that hosts.allow and hosts.deny are read by TCP Wrappers (libwrap), so they only protect services that are linked against libwrap or started through tcpd; they are not a substitute for a packet filter.

/etc/hosts format

A typical entry in the /etc/hosts file will be in the form:

IP_ADDRESS CANONICAL_HOSTNAME ALIAS

If you open your default /etc/hosts file you will see at least one entry:

127.0.0.1 localhost

That is the standard loopback entry and should be left untouched. Any addition to this file should be made below the loopback entry. A standard full entry would look like:

192.168.1.10 mail.internal.net mail

The above entry would map the alias “mail” to the canonical hostname “mail.internal.net”, which would map to the IP address “192.168.1.10”.

You can have as many of these entries in your hosts file as you like. What these do is simplify network connections. Let’s use the above example again. If you have a machine on the same internal network as the “mail” machine, instead of entering “mail.internal.net” or “192.168.1.10” as a configuration or address, you could just use “mail”.

/etc/hosts.allow

The /etc/hosts.allow file grants access to any host listed. The format of the file will be:

SERVICE: HOST

Say, for instance, you want to allow all internal addresses access to all services on a machine. The hosts.allow entry on that machine would look like:

ALL:192.168.1.

The above entry would grant access to all services on the machine for every host whose address begins with 192.168.1 (the trailing dot makes the pattern a network prefix, so 192.168.1.10 matches but 192.168.10.5 does not). If, in this same setup, you wanted to grant access only to secure shell (sshd), you could enter:

sshd:192.168.1.

Or say you want to allow secure shell access to all machines on your internal network except the one at address 192.168.1.44. For this you could enter:

sshd: 192.168.1. EXCEPT 192.168.1.44

/etc/hosts.deny

If a host does not match anything listed in the /etc/hosts.allow file, it then passes through to the /etc/hosts.deny file. At this point, if a match is found, that host is denied access. A host that matches neither file is granted access, which is why hosts.deny needs a catch-all entry for the setup to be restrictive.

The format of the hosts.deny file is:

SERVICE: HOST

If you want to deny all hosts to all services you would enter:

ALL:ALL

in your /etc/hosts.deny file. Of course this would mean no one could get into your machine, and it can get in the way of your machine actually functioning. If this were a desktop machine it would have a lot of problems getting online and so forth. You can help this by changing that to:

ALL:ALL EXCEPT localhost

You might think this is a very harsh way of enacting security, but remember - any host with a match in hosts.allow will be granted access. So it is better to grant access to those that need it and restrict all others than to grant access to everyone and then remove it as needed.
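To make the allow-then-deny decision described in the two sections above concrete, here is an added example (not part of the original article) that simulates how TCP Wrappers evaluates the article's own hosts.allow and hosts.deny lines for a given service and client. It goes slightly beyond the article by also handling the .domain suffix pattern; the client identifiers (address and hostname) are passed in directly rather than resolved, and the file contents are constructed samples.

```python
import re

# Constructed sample files built from the article's own examples; not a real host's config.
HOSTS_ALLOW = "sshd: 192.168.1. EXCEPT 192.168.1.44\n"
HOSTS_DENY = "ALL: ALL EXCEPT localhost\n"


def _match(pattern, names):
    """One tcpd pattern against a client's identifiers (address and/or hostname)."""
    if pattern == "ALL":
        return True
    for name in names:
        if pattern.endswith(".") and name.startswith(pattern):  # 192.168.1. = address prefix
            return True
        if pattern.startswith(".") and name.endswith(pattern):  # .internal.net = name suffix
            return True
        if pattern.lower() == name.lower():                    # exact host or address
            return True
    return False


def _list_match(spec, names):
    """A daemon or client list: space/comma separated; 'a EXCEPT b' means in a but not in b."""
    head, _, tail = spec.partition(" EXCEPT ")
    hit = any(_match(tok, names) for tok in re.split(r"[\s,]+", head.strip()) if tok)
    return hit and not (tail and _list_match(tail.strip(), names))


def _parse(text):
    """Yield (daemon_list, client_list) per rule; comments and an optional 3rd field are ignored."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        fields = [f.strip() for f in line.split(":")]
        if len(fields) >= 2:
            yield fields[0], fields[1]


def access_allowed(service, client_ids, allow_text=HOSTS_ALLOW, deny_text=HOSTS_DENY):
    """Decision order from hosts_access(5): a match in hosts.allow grants, otherwise a match
    in hosts.deny refuses, otherwise access is granted (so an empty hosts.deny allows everyone)."""
    def hits(text):
        return any(_list_match(d, [service]) and _list_match(c, client_ids)
                   for d, c in _parse(text))
    return hits(allow_text) or not hits(deny_text)


if __name__ == "__main__":
    for svc, ids in [("sshd", ["192.168.1.10", "mail.internal.net"]), ("sshd", ["192.168.1.44"]),
                     ("sshd", ["192.168.10.5"]), ("in.ftpd", ["192.168.1.10"])]:
        print(svc, ids, "->", "grant" if access_allowed(svc, ids) else "deny")
```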

Final Thoughts

The /etc/hosts system is a very basic means of security and network mapping. It is simple to use, efficient, and quick to configure. As for security, it is not a be-all and end-all, but it is a good supplement.