.TH SERV.ACCESS 5 .SH NAME serv.access \- Internet service access list .SH SYNOPSIS .B /etc/serv.access .SH DESCRIPTION .de SP .if t .sp 0.4 .if n .sp .. The .B serv.access file contains a list of rules that guide the access checks made by the .BR servxcheck (3) function. The file is a text file containing entries that look as follows: .PP .RS .I service1 service2 .RB ... : .I check1 check2 .RB ... ; .RE .PP Each of the service names is a service name from the .B /etc/services file. The same names are used in the .B /etc/inetd.conf configuration file that guides .BR inetd (8). .PP The checks may look as follows: .PP .BI + .br .BI - .RS Allow all, or allow none. Used to explicitly set the initial state. .RE .PP .BI + name .RS Grant access to one of the services if the host name of the remote system matches .BR name . .RE .SP .BI \- name .RS Deny access to one of the services if the host name of the remote system matches .BR name . .RE .PP .BI + ipaddr .br .BI \- ipaddr .br .BI + netaddr / len .br .BI \- netaddr / len .RS Grants or denies access to a remote host with IP address .IR ipaddr , or the remote host whose IP address is within the network .IR netaddr . .I Len tells the number of bits used for the network address, i.e. the top .I len bits of the network address must equal the host address. .RE .PP .BR log .RS This is not a check, but a flag that instruct .B servxcheck() to log the result of the access check whether it succeeds or not to .BR /usr/adm/log . By default only failure is logged. .RE .PP The first "+" or "\-" access check sets the tone. Read it as "access denied unless +...", or "access granted unless \-...". An access check will therefore almost always start with a "+" check. To make the initial state clear you can start with a lone "+" or "\-". Checks are done from left to right. A check that doesn't match does not change the outcome. A check that can't change the outcome is skipped. .PP Both the service and the host names may contain the .B "\(**" wildcard that matches any number of characters including none. Letters are compared ignoring case. A service name may appear in more than one rule, but a service mentioned explicitly is not matched by wildcard patterns in later rules. .PP A check for a hostname causes .B servxcheck() to do a reverse lookup on the IP address of the remote host to find its name. This name is then looked up to find the host's IP address(es). If those lookups fail then all .BI \- name checks cause access to be denied, and no .BI + name check grants access. The DNS lookup failures may be a misconfiguration, but could indicate a break-in attempt from a badly maintained host. You can use a simple "+*" in an otherwise empty list to just deny misconfigured hosts. .PP An IP or network address check is simply done on the remote hosts IP address. Such a check has no overhead, but a .B log flag will cause a reverse lookup anyway. .PP Comments start with "#" and continue until end of line. .SH EXAMPLES Example access file on a machine that offers most services only to hosts within the cs.vu.nl domain, and news (nntp) only to two machines and a specific network. .PP .RS .nf .ta +2.2i +.4i # Service # Access list login shell: +*.cs.vu.nl log; telnet pop smtp finger: + log; nntp: +flotsam.cs.vu.nl +jetsam.cs.vu.nl +172.16.102.0/24 log; *: +*.cs.vu.nl; .fi .RE .PP More paranoid example that limits all services by default, but allows ftp and http to the world: .PP .RS .nf .ta +2.2i +.4i # Service # Access list ftp http: +; smtp finger: + log; nntp: +flotsam.cs.vu.nl +jetsam.cs.vu.nl +172.16.102.0/24 log; *: +*.cs.vu.nl log; .fi .RE .PP (Note that the last rule doesn't match any of the services mentioned explicitly earlier.) .SH FILES .TP 25n .B /etc/serv.access The service access check file. .SH "SEE ALSO" .BR servxcheck (3), .BR services (5), .BR inetd.conf (5). .SH NOTES It may be wise not to put checks on telnet. It is reasonably secure, since it always requires a password, and your only way in if things are seriously hosed. .SH BUGS IP and DNS based access checks will stop most crackers, but not the really determined ones. Luckily MINIX 3 is sufficiently strange to thwart the well known cracking schemes. But don't ever allow yourself to feel secure. .SH AUTHOR Kees J. Bot