1. The Problem
Sometimes you can't SSH into a server even though your IP is allowed/whitelisted. This happens because several independent layers of access control exist on Linux, and each one can reject a connection on its own. It's important to know which rules take precedence so you don't get locked out.
2. Basic Linux Access Control: hosts.allow and hosts.deny
/etc/hosts.allow → This file lists the IPs or subnets explicitly allowed to connect to services such as SSH.
/etc/hosts.deny → This file lists the IPs or subnets explicitly denied.
Important:
hosts.allow always takes precedence over hosts.deny: an IP listed in both files is allowed.
These Linux access control (TCP wrappers) rules are evaluated by sshd itself, independently of the firewall, so they take precedence over CSF rules: if an IP is blocked here, it is denied SSH access even if it's whitelisted in CSF.
```
# /etc/hosts.allow
sshd: 10.0.0.1
```
```
# /etc/hosts.deny
sshd: 10.0.0.1
```
With both entries present, 10.0.0.1 can still connect over SSH even though it's listed in hosts.deny, because the hosts.allow entry wins.
3. CSF (ConfigServer Security & Firewall)
CSF is a firewall combined with a login failure daemon (LFD) that adds more rules on top of hosts.allow/deny. It controls:
- Which IPs can connect to which ports (including SSH).
- Temporary bans for repeated failed logins.
- Rate limiting to prevent brute-force attacks.
CSF Key Files
/etc/csf/csf.allow → The allow list is used to specify IP addresses that should always be permitted to access the server. IPs added to this list are explicitly allowed through the firewall, bypassing many of the checks that might otherwise block access.
/etc/csf/csf.deny → The deny list is used to specify IP addresses that should always be blocked from accessing the server.
Checking an IP
This shows you whether the IP is currently allowed or denied.
Permanently allowing an IP
```sh
csf -a 10.0.0.1
csf -r
```
Permanently blocking an IP
```sh
csf -d 10.0.0.1
csf -r
```
Removing an IP from allow/deny
```sh
csf -ar 10.0.0.1   # remove from allow
csf -dr 10.0.0.1   # remove from deny
csf -r             # apply the new rules
```
4. Solution
- Check the first layer (Linux access control): is the IP blocked in /etc/hosts.deny?
- Check the second layer (CSF firewall): is the IP blocked in /etc/csf/csf.deny?
- If SSH still fails, check the logs:
  - journalctl -u ssh or /var/log/auth.log for sshd itself.
  - /var/log/lfd.log for CSF/LFD-related bans.
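The following POSIX shell script is an added example, not code from the original post or from CSF. It automates the checklist above and the "Checking an IP" step for one address: it reads hosts.allow/hosts.deny and csf.allow/csf.deny in the order the layers are applied and names the first layer that rejects the IP. The function names (`ip_listed`, `blocking_layer`, `make_demo`), the optional root-prefix argument and the sample files are all constructed for this example. It assumes that an IP listed in csf.allow is not blocked by csf.deny (CSF evaluates its allow rules first) and handles plain IP entries only, not subnets or `ALL` wildcards.

```shell
#!/bin/sh
# Added example, not code from the original post. Walks the access-control
# layers for one client IP in the order sshd and CSF apply them. The optional
# root prefix (second argument) is an assumption for offline runs against
# constructed files; leave it empty on a real host to read the live /etc files.

# Is the IP listed on a non-comment line of the file? Dots are escaped so that
# 10.0.0.1 does not also match 10.0.0.10.
ip_listed() {
  ip="$1"; file="$2"
  [ -r "$file" ] || return 1
  pat=$(printf '%s' "$ip" | sed 's/\./\\./g')
  grep -v '^[[:space:]]*#' "$file" | grep -qE "(^|[[:space:]:,])${pat}([[:space:],]|$)"
}

# Prints one word naming the first layer that rejects the IP:
#   hosts.deny   TCP wrappers reject it inside sshd (overrides any CSF allow)
#   csf.deny     the firewall drops it before sshd ever sees the connection
#   not-blocked  neither file-based layer lists it as denied
blocking_layer() {
  ip="$1"; root="${2:-}"
  # Layer 1: TCP wrappers. An entry in hosts.allow always wins over hosts.deny.
  if ! ip_listed "$ip" "$root/etc/hosts.allow" && ip_listed "$ip" "$root/etc/hosts.deny"; then
    echo "hosts.deny"; return 0
  fi
  # Layer 2: CSF. Assumed here: an entry in csf.allow bypasses csf.deny.
  if ! ip_listed "$ip" "$root/etc/csf/csf.allow" && ip_listed "$ip" "$root/etc/csf/csf.deny"; then
    echo "csf.deny"; return 0
  fi
  echo "not-blocked"
}

# Constructed sample files (not taken from any real host) so the check runs offline.
make_demo() {
  d=$(mktemp -d)
  mkdir -p "$d/etc/csf"
  printf 'sshd: 10.0.0.1\n' > "$d/etc/hosts.allow"
  printf 'sshd: 10.0.0.1\nsshd: 10.0.0.2\n' > "$d/etc/hosts.deny"
  printf '# always permitted\n10.0.0.3\n' > "$d/etc/csf/csf.allow"
  printf '10.0.0.3 # shadowed by csf.allow\n10.0.0.4 # brute-force source\n' > "$d/etc/csf/csf.deny"
  echo "$d"
}

main() {
  demo=$(make_demo)
  for ip in 10.0.0.1 10.0.0.2 10.0.0.3 10.0.0.4 10.0.0.5; do
    printf '%-9s -> %s\n' "$ip" "$(blocking_layer "$ip" "$demo")"
  done
  rm -rf "$demo"
}
main
```

On a real host call `blocking_layer 10.0.0.1` with no second argument, then confirm the live firewall state with `csf -g 10.0.0.1`, which searches the current iptables rules for the address and is the command behind the "Checking an IP" step. The script reads files, not the running rule set, so temporary LFD bans (listed by `csf -t`) and changes not yet applied with `csf -r` are invisible to it. One further caveat: upstream OpenSSH removed TCP-wrappers support in version 6.7, so on a host whose sshd is not built with libwrap the first layer has no effect on SSH at all and the CSF layer is the one to check.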