minix/man/man5/serv.access.5

166 lines
4.2 KiB
Groff

.TH SERV.ACCESS 5
.SH NAME
serv.access \- Internet service access list
.SH SYNOPSIS
.B /etc/serv.access
.SH DESCRIPTION
.de SP
.if t .sp 0.4
.if n .sp
..
The
.B serv.access
file contains a list of rules that guide the access checks made by the
.BR servxcheck (3)
function. The file is a text file containing entries that look as follows:
.PP
.RS
.I service1 service2
.RB ... :
.I check1 check2
.RB ... ;
.RE
.PP
Each of the service names is a service name from the
.B /etc/services
file. The same names are used in the
.B /etc/inetd.conf
configuration file that guides
.BR inetd (8).
.PP
The checks may look as follows:
.PP
.BI +
.br
.BI -
.RS
Allow all, or allow none. Used to explicitly set the initial state.
.RE
.PP
.BI + name
.RS
Grant access to one of the services if the host name of the remote system
matches
.BR name .
.RE
.SP
.BI \- name
.RS
Deny access to one of the services if the host name of the remote system
matches
.BR name .
.RE
.PP
.BI + ipaddr
.br
.BI \- ipaddr
.br
.BI + netaddr / len
.br
.BI \- netaddr / len
.RS
Grants or denies access to a remote host with IP address
.IR ipaddr ,
or the remote host whose IP address is within the network
.IR netaddr .
.I Len
tells the number of bits used for the network address, i.e. the top
.I len
bits of the network address must equal the host address.
.RE
.PP
.BR log
.RS
This is not a check, but a flag that instruct
.B servxcheck()
to log the result of the access check whether it succeeds or not to
.BR /usr/adm/log .
By default only failure is logged.
.RE
.PP
The first "+" or "\-" access check sets the tone. Read it as "access denied
unless +...", or "access granted unless \-...". An access check will
therefore almost always start with a "+" check. To make the initial state
clear you can start with a lone "+" or "\-". Checks are done from left
to right. A check that doesn't match does not change the outcome. A check
that can't change the outcome is skipped.
.PP
Both the service and the host names may contain the
.B "\(**"
wildcard that matches any number of characters including none. Letters are
compared ignoring case. A service name may appear in more than one rule,
but a service mentioned explicitly is not matched by wildcard patterns in
later rules.
.PP
A check for a hostname causes
.B servxcheck()
to do a reverse lookup on the IP address of the remote host to find its
name. This name is then looked up to find the host's IP address(es).
If those lookups fail then all
.BI \- name
checks cause access to be denied, and no
.BI + name
check grants access.
The DNS lookup failures may be a
misconfiguration, but could indicate a break-in attempt from a badly
maintained host. You can use a simple "+*" in an otherwise empty list to
just deny misconfigured hosts.
.PP
An IP or network address check is simply done on the remote hosts IP
address. Such a check has no overhead, but a
.B log
flag will cause a reverse lookup anyway.
.PP
Comments start with "#" and continue until end of line.
.SH EXAMPLES
Example access file on a machine that offers most services only to hosts within
the cs.vu.nl domain, and news (nntp) only to two machines and a specific
network.
.PP
.RS
.nf
.ta +2.2i +.4i
# Service # Access list
login shell: +*.cs.vu.nl log;
telnet pop smtp finger: + log;
nntp: +flotsam.cs.vu.nl +jetsam.cs.vu.nl
+172.16.102.0/24 log;
*: +*.cs.vu.nl;
.fi
.RE
.PP
More paranoid example that limits all services by default, but allows ftp and
http to the world:
.PP
.RS
.nf
.ta +2.2i +.4i
# Service # Access list
ftp http: +;
smtp finger: + log;
nntp: +flotsam.cs.vu.nl +jetsam.cs.vu.nl
+172.16.102.0/24 log;
*: +*.cs.vu.nl log;
.fi
.RE
.PP
(Note that the last rule doesn't match any of the services mentioned
explicitly earlier.)
.SH FILES
.TP 25n
.B /etc/serv.access
The service access check file.
.SH "SEE ALSO"
.BR servxcheck (3),
.BR services (5),
.BR inetd.conf (5).
.SH NOTES
It may be wise not to put checks on telnet. It is reasonably secure, since
it always requires a password, and your only way in if things are seriously
hosed.
.SH BUGS
IP and DNS based access checks will stop most crackers, but not the really
determined ones. Luckily MINIX 3 is sufficiently strange to thwart the well
known cracking schemes. But don't ever allow yourself to feel secure.
.SH AUTHOR
Kees J. Bot <kjb@cs.vu.nl>