Summary

pam_ihosts is a Linux Pluggable Authentication Module that only allows login from specified ip-addresses, mac-addresses, country-codes or regions.

Licence

pam_ihosts is made available under the GNU Public License version 3, and comes with no warranties or guarantees.

Description

pam_ihosts is not an authentication module; it is a PAM account module. The user must first authenticate by some other method, and pam_ihosts then decides whether the login can be completed or is denied on the basis of where the connection is coming from. pam_ihosts is therefore only invoked for logins where the user has already progressed beyond authentication.

By default pam_ihosts denies login for the specified user, but will allow it if the ip-address, mac-address, country-code or internet-registrar for the remote host matches the specified values. pam_ihosts does country-code/registrar lookup via the 'stats' files made available by the regional internet registrars: afrinic, apnic, arin, lacnic and ripencc. These files must be downloaded and supplied to pam_ihosts if using its geolocation features. Apart from country-code/registrar, pam_ihosts can also block/allow by ip-address and mac-address, and supports files listing ip-addresses as white/blacklists, or can use DNS blacklist or whitelists like


Allow root login only from 192.168.0.x

account    required pam_ihosts.so user=root syslog allow-ip=192.168.0.*

For all users allow login only from two mac-addresses

account    required pam_ihosts.so user=* allow-mac=ff:c0:a8:e4:99:31,ff:c0:a8:f9:cc:01

Allow root login only from one IP

account    required pam_ihosts.so user=root allow-ip=

For all users other than root, allow login only from ip-addresses in Great Britain.

account    required pam_ihosts.so user=!root region-files=/etc/ip-lists/delegated-afrinic-latest,/etc/ip-lists/delegated-lacnic-latest,/etc/ip-lists/delegated-apnic-latest,/etc/ip-lists/delegated-ripencc-latest allow-region=ripencc:GB

For all users, allow login only from Asia Pacific IPs.

account    required pam_ihosts.so user=* region-files=/etc/ip-lists/delegated-afrinic-latest,/etc/ip-lists/delegated-lacnic-latest,/etc/ip-lists/delegated-apnic-latest,/etc/ip-lists/delegated-ripencc-latest allow-region=apnic:*

Same as above, but perhaps more efficient: only look up regions in the apnic file.

account    required pam_ihosts.so user=* region-files=/etc/ip-lists/delegated-apnic-latest allow-region=apnic:*

For all users, allow login only from Asia Pacific IPs. Use mmap shared memory for the afrinic and lacnic files.

account    required pam_ihosts.so user=* region-files=mmap:/etc/ip-lists/delegated-afrinic-latest,mmap:/etc/ip-lists/delegated-lacnic-latest,/etc/ip-lists/delegated-apnic-latest,/etc/ip-lists/delegated-ripencc-latest allow-region=apnic:*
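
Before deploying an allow-region rule it helps to check offline which registrar and country code an address resolves to in the registrars' 'stats' files, since a wrong guess denies the login. The following is an added example, not code from pam_ihosts: the sample records are constructed, the function names are hypothetical, and shell-style wildcard matching is an assumption standing in for the module's own handling of values such as apnic:*.

```python
import fnmatch
import ipaddress

# Constructed records in the registrars' delegated-stats layout:
# registry|cc|type|start|value|date|status (for ipv4, value = address count).
SAMPLE_STATS = """\
# constructed sample, not real registry data
2|ripencc|20240101|3|19830705|20231231|+0100
ripencc|*|ipv4|*|2|summary
ripencc|GB|ipv4|192.0.2.0|128|20100101|allocated
ripencc|FR|ipv4|192.0.2.128|128|20100101|assigned
apnic|JP|ipv4|198.51.100.0|256|20110101|allocated
ripencc|GB|ipv6|2001:db8::|32|20120101|allocated
"""


def parse_stats(text):
    """Return (first, last, registry, cc) tuples for the IPv4 records."""
    ranges = []
    for line in text.splitlines():
        fields = line.strip().split("|")
        # Skip comments, the version header, summary lines and non-IPv4 records.
        if line.startswith("#") or len(fields) < 7 or fields[2] != "ipv4":
            continue
        registry, cc, _, start, count = fields[:5]
        first = int(ipaddress.IPv4Address(start))
        ranges.append((first, first + int(count) - 1, registry, cc))
    return ranges


def lookup(ranges, ip):
    """Return 'registry:CC' for ip, or None when no record covers it."""
    addr = int(ipaddress.IPv4Address(ip))
    for first, last, registry, cc in ranges:
        if first <= addr <= last:
            return f"{registry}:{cc}"
    return None


def region_allowed(ranges, ip, allow_region):
    """Default deny, as the page describes: an unmatched or unknown IP is refused.

    Assumption: shell-style wildcard matching stands in for the module's own
    handling of values such as 'apnic:*'.
    """
    region = lookup(ranges, ip)
    return region is not None and fnmatch.fnmatchcase(region, allow_region)


if __name__ == "__main__":
    ranges = parse_stats(SAMPLE_STATS)
    for ip in ("192.0.2.10", "198.51.100.7", "203.0.113.5"):
        print(ip, lookup(ranges, ip), region_allowed(ranges, ip, "ripencc:GB"))
```

An address that no supplied file covers resolves to nothing and is refused, which is why the region-files list has to include the registrar named in allow-region.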