I configured the /etc/hosts.allow at the machine 192.168.122.50 with the following option.
sshd : ALL EXCEPT 192.168.122.1
and tried ssh root@192.168.122.50 from the machine 192.168.122.1 and I was able to connect to the machine 192.168.122.50 as root.
Then I added the following rule to the /etc/hosts.deny file at 192.168.122.50
sshd : 192.168.122.1
Again, I tried ssh root@192.168.122.50 from the machine 192.168.122.1.
But this time I was not able to connect and I got the error
ssh_exchange_identification: Connection closed by remote host
This made me doubt the actual behaviour of the EXCEPT directive in /etc/hosts.allow and /etc/hosts.deny. Below is what I understand from this.
If we put the EXCEPT directive in hosts.allow, it only means that we are not allowing the particular host/network that comes after it, but a connection is still possible until we explicitly mention that particular host/network in /etc/hosts.deny. To put it simply, not allowing does not mean denying.
If we put the EXCEPT directive in hosts.deny, it means that we are indirectly allowing the particular host/network to make a connection. To put it simply, not denying means allowing.
Am I right in my judgement?
Note 1: The ssh daemon is restarted whenever I make a change in /etc/hosts.allow and /etc/hosts.deny, even though it is not necessary.
Note 2: I understand that allow has more priority than deny.
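The behaviour observed in the question follows directly from the search order documented in hosts_access(5): /etc/hosts.allow is searched first and the first matching (daemon, client) line grants access; otherwise /etc/hosts.deny is searched and the first matching line denies access; otherwise access is granted. An EXCEPT clause only stops a line from matching; it never denies anything by itself, so a client excluded in hosts.allow simply falls through to hosts.deny and, if nothing matches there, to the default of "allow". The simulator below is an added example written for this page, not code from the original post or from the tcp_wrappers library; it re-implements that decision order for a subset of the pattern language (ALL, an exact address, a trailing-dot prefix, a net/mask pair and nested EXCEPT, matched on the client address only; netgroups, hostname matching, KNOWN/UNKNOWN/PARANOID/LOCAL and the option field are left out, which is an assumption of the example) and replays the two steps from the question plus the usual closed-default configuration.

```python
"""Simulator for the hosts_access(5) decision order used by TCP wrappers.

Added example, not code from the original post or from the tcp_wrappers
library. It re-implements the documented search order:
  1. /etc/hosts.allow is searched first; the first matching (daemon, client)
     line grants access;
  2. otherwise /etc/hosts.deny; the first matching line denies access;
  3. otherwise access is granted.
Pattern support is a subset of the real language (an assumption of this
example): ALL, an exact address, a trailing-dot prefix such as 192.168.122.,
a net/mask pair, and the EXCEPT operator, nested as `a EXCEPT (b EXCEPT c)`.
Netgroups, hostname/domain matching, KNOWN/UNKNOWN/PARANOID/LOCAL and the
option field are not implemented; clients are matched by address only.
"""
import ipaddress


def _logical_lines(text):
    """Join lines that end in a backslash, as the real parser does."""
    buf = ""
    for line in text.splitlines():
        if line.endswith("\\"):
            buf += line[:-1]
            continue
        yield buf + line
        buf = ""
    if buf:
        yield buf


def _parse_list(text):
    """Parse `a b EXCEPT c EXCEPT d` into ('except', items, rest) or ('items', [...])."""
    tokens = text.replace(",", " ").split()
    if "EXCEPT" in tokens:
        i = tokens.index("EXCEPT")
        return ("except", ("items", tokens[:i]), _parse_list(" ".join(tokens[i + 1:])))
    return ("items", tokens)


def parse_rules(text):
    """Return [(daemon_list, client_list), ...] for one access control file."""
    rules = []
    for raw in _logical_lines(text):
        line = raw.split("#", 1)[0].strip()   # '#' starts a comment
        if not line:
            continue
        fields = line.split(":")
        if len(fields) < 2:
            raise ValueError("malformed rule: %r" % raw)
        rules.append((_parse_list(fields[0]), _parse_list(fields[1])))
    return rules


def _match_daemon(pattern, daemon):
    return pattern == "ALL" or pattern == daemon


def _match_client(pattern, client):
    if pattern == "ALL":
        return True
    if pattern.endswith("."):             # 192.168.122. matches 192.168.122.*
        return client.startswith(pattern)
    if "/" in pattern:                    # 192.168.122.0/255.255.255.0
        net, mask = pattern.split("/", 1)
        try:
            return ipaddress.IPv4Address(client) in ipaddress.IPv4Network((net, mask), strict=False)
        except ValueError:
            return False
    return pattern == client


def _match_list(tree, value, matcher):
    if tree[0] == "items":
        return any(matcher(p, value) for p in tree[1])
    _, left, right = tree                 # a EXCEPT b: matches a but not b
    return _match_list(left, value, matcher) and not _match_list(right, value, matcher)


def _first_match(rules, daemon, client):
    for daemons, clients in rules:
        if _match_list(daemons, daemon, _match_daemon) and _match_list(clients, client, _match_client):
            return True
    return False


def hosts_access(allow_text, deny_text, daemon, client):
    """Return ('allow'|'deny', reason) for a daemon/client pair."""
    if _first_match(parse_rules(allow_text), daemon, client):
        return ("allow", "matched a line in hosts.allow")
    if _first_match(parse_rules(deny_text), daemon, client):
        return ("deny", "matched a line in hosts.deny")
    return ("allow", "no match in either file, default is to grant access")


if __name__ == "__main__":
    # Constructed inputs reproducing the two steps described in the question.
    allow = "sshd : ALL EXCEPT 192.168.122.1\n"
    print(hosts_access(allow, "", "sshd", "192.168.122.1"))                       # allow (default)
    print(hosts_access(allow, "sshd : 192.168.122.1\n", "sshd", "192.168.122.1"))  # deny
    # The usual closed default: anything not granted in hosts.allow is denied.
    print(hosts_access(allow, "ALL : ALL\n", "sshd", "192.168.122.1"))            # deny
    print(hosts_access(allow, "ALL : ALL\n", "sshd", "192.168.122.50"))           # allow
```

Run it with `python3 hosts_access_sim.py` (any file name works). The practical consequence is that an EXCEPT in hosts.allow only gives the intended result when hosts.deny carries a closing rule such as `ALL : ALL`; with an empty hosts.deny the excluded client is still let in. Two checks before relying on these files at all: `tcpdmatch sshd 192.168.122.1` (shipped with tcp_wrappers) evaluates the real parser against the real files, and `ldd "$(command -v sshd)" | grep libwrap` shows whether the installed sshd is linked against libwrap in the first place, since upstream OpenSSH removed tcp_wrappers support in 6.7 and only some distributions patch it back in.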