This system works well with dynamic blocking scripts, such as DenyHosts, and configfile distribution systems, such as Cfengine. Especially if other blocking methods differ between hosts at a site (e.g. kernel-level firewalling means). You'll need to add the following line to /etc/httpd/httpd.conf: Include /etc/httpd/mod_hosts_access.conf LoadModule hosts_access_module lib/httpd/modules/mod_hosts_access.so The /etc/hosts.{allow,deny} access control checking for the "httpd" service can now be enabled or disabled on a per directory basis, by adding HostsAccess directive to its declaration, e.g. again in /etc/httpd/httpd.conf: # First, we configure the "default" to be a very restrictive set of # permissions. # # # HostsAccess On # Options FollowSymLinks # AllowOverride None # To test, restart apache for it to load the module; edit /etc/hosts.allow adding a line like the following: httpd: localhost: deny Access from 'localhost' (127.0.0.1) should now be disallowed, thus requesting the index page should fail, to verify try: lynx -dump localhost The same can be done in a .htaccess file if AllowOverride Limit has been set.