Similar to the previous post…this was the method I tried first to block some spammy IP addresses connecting to Apache (they were not spammy enough for me to worry about the resource-usage difference between hosts.deny and iptables – it is better using ufw/iptables), and it didn’t work.
I found an awesome forum post describing why that I’d like to save for future reference.
Files hosts.allow and hosts.deny work through a daemon (a program running in the background) called inetd. (On some systems, xinetd is used.) Other files used by inetd are /etc/services and /etc/inetd.conf. The purpose of inetd is to listen on various ports; when it accepts a connection on one of these ports, it fires up the appropriate service.
You can set up your system so that one of the services that inetd passes off connections to is a web server. For the purpose of efficiency, though, most systems do not have their web servers set up that way; they listen directly to the appropriate ports (usually port 80 at least).
If your web server is configured so that it listens directly to the appropriate ports, then inetd is not offering the protection you request in file hosts.deny. There’s nothing wrong with this; you just have to configure your web server (Apache, in your case?) to provide the appropriate protection.