##
## hosts.allow -- TCP Wrappers Host Access Control List
##
#
# NOTE: The hosts.deny file is deprecated.  Place both 'allow' and
# 'deny' rules in the hosts.allow file.  See hosts_options(5) for the
# format of this file.  hosts_access(5) no longer fully applies.
#
# Rule format:  daemon_list : client_list : option [: option ...]
#
# These rules are only consulted by services that are linked against
# libwrap or started through tcpd(8).  They are not a packet filter and
# have no effect on daemons that do not use TCP Wrappers.

# Start by allowing everything (this prevents the rest of the file
# from working, so remove it when you need protection).
# The rules here work on a "First match wins" basis.
#
# SECURITY: while the rule below is active, every wrapped service
# accepts every client and the catch-all rule at the end of this file
# is never reached.  Before removing it, add explicit 'allow' rules for
# the hosts that must keep access (for example the management network
# for sshd); otherwise the final rule will turn them away as well.
ALL : ALL : allow

# OpenSSH sshd(8)
# NOTE(review): this only takes effect if sshd was built with libwrap
# support; upstream OpenSSH removed that support in release 6.7, so
# confirm it for the sshd build in use.
# Name-based patterns such as the one below are matched against the
# name obtained for the client address, which is controlled by whoever
# runs DNS for that address space.  Prefer address-based patterns for
# rules that matter.
#sshd : .evil.cracker.example.com : deny

# Protect against simple DNS spoofing attacks by checking that the
# forward and reverse records for the remote host match.  If a mismatch
# occurs, access is denied, and any positive ident response within 20
# seconds is logged.  No protection is afforded against DNS poisoning,
# IP spoofing or more complicated attacks.  Hosts with no reverse DNS
# pass this rule.
# The ident (RFC 931) reply is supplied by the remote host, so treat the
# logged user name as a hint rather than as evidence.
#ALL : PARANOID : RFC931 20 : deny

# Allow anything from localhost.  Note that an IP address (not a host
# name) *MUST* be specified for portmap(8).
#ALL : localhost 127.0.0.1 : allow
#ALL : my.machine.example.com 192.168.0.1 : allow

# The rest of the daemons are protected.
# A connection that reaches this rule is logged through syslog at
# auth.info, and 'twist' runs /bin/echo in place of the requested
# daemon with its output connected to the client, so the service itself
# is never started.  %d expands to the daemon name and %h to the client
# host name (or its address when no name is available).
# %h comes from client-influenced data (reverse DNS).  hosts_access(5)
# documents that characters in % expansions that may confuse the shell
# are replaced by underscores; keep the expansions inside the quoted
# string as written here.
ALL : ALL \
	: severity auth.info \
	: twist /bin/echo "You are not welcome to use %d from %h."