You can configure SAP Host agent only to accept network connections for specific IP addresses or host names.
You can achieve this in one of the following ways:
service/hostname = <host_name>
or
service/hostname = <IP_Address>
service/hostname = 127.0.0.1
saphostexec -restart
SAP Host Agent should now bind only the specified IP address.
On Linux, you can check this as follows:
/usr/sap/hostctrl/exe# netstat -tlnp | grep 1128
tcp 00 127.0.0.1:11280 0.0.0:* LISTEN 8368/sapstartsrv
/usr/sap/hostctrl/exe#
You can see that only 127.0.0.1 is bound
service/http/acl_file = <Path_to_an_ACL_file> or service/https/acl_file = <Path_to_an_ACL_file> if you use HTTPS.
You can also set both values.saphostexec -restart
The ACL file should be configured as specified in SAP Note 1495075 .
SAP Host Agent will still bind all available addresses, but as soon a client tries to connect, it is either refused or accepted according to the ACL file configuration.