source: trunk/minix/man/man5/serv.access.5@ 11

Last change on this file since 11 was 9, checked in by Mattia Monga, 14 years ago

Minix 3.1.2a

File size: 4.2 KB
RevLine 
[9]1.TH SERV.ACCESS 5
2.SH NAME
3serv.access \- Internet service access list
4.SH SYNOPSIS
5.B /etc/serv.access
6.SH DESCRIPTION
7.de SP
8.if t .sp 0.4
9.if n .sp
10..
11The
12.B serv.access
13file contains a list of rules that guide the access checks made by the
14.BR servxcheck (3)
15function. The file is a text file containing entries that look as follows:
16.PP
17.RS
18.I service1 service2
19.RB ... :
20.I check1 check2
21.RB ... ;
22.RE
23.PP
24Each of the service names is a service name from the
25.B /etc/services
26file. The same names are used in the
27.B /etc/inetd.conf
28configuration file that guides
29.BR inetd (8).
30.PP
31The checks may look as follows:
32.PP
33.BI +
34.br
35.BI -
36.RS
37Allow all, or allow none. Used to explicitly set the initial state.
38.RE
39.PP
40.BI + name
41.RS
42Grant access to one of the services if the host name of the remote system
43matches
44.BR name .
45.RE
46.SP
47.BI \- name
48.RS
49Deny access to one of the services if the host name of the remote system
50matches
51.BR name .
52.RE
53.PP
54.BI + ipaddr
55.br
56.BI \- ipaddr
57.br
58.BI + netaddr / len
59.br
60.BI \- netaddr / len
61.RS
62Grants or denies access to a remote host with IP address
63.IR ipaddr ,
64or the remote host whose IP address is within the network
65.IR netaddr .
66.I Len
67tells the number of bits used for the network address, i.e. the top
68.I len
69bits of the network address must equal the host address.
70.RE
71.PP
72.BR log
73.RS
74This is not a check, but a flag that instruct
75.B servxcheck()
76to log the result of the access check whether it succeeds or not to
77.BR /usr/adm/log .
78By default only failure is logged.
79.RE
80.PP
81The first "+" or "\-" access check sets the tone. Read it as "access denied
82unless +...", or "access granted unless \-...". An access check will
83therefore almost always start with a "+" check. To make the initial state
84clear you can start with a lone "+" or "\-". Checks are done from left
85to right. A check that doesn't match does not change the outcome. A check
86that can't change the outcome is skipped.
87.PP
88Both the service and the host names may contain the
89.B "\(**"
90wildcard that matches any number of characters including none. Letters are
91compared ignoring case. A service name may appear in more than one rule,
92but a service mentioned explicitly is not matched by wildcard patterns in
93later rules.
94.PP
95A check for a hostname causes
96.B servxcheck()
97to do a reverse lookup on the IP address of the remote host to find its
98name. This name is then looked up to find the host's IP address(es).
99If those lookups fail then all
100.BI \- name
101checks cause access to be denied, and no
102.BI + name
103check grants access.
104The DNS lookup failures may be a
105misconfiguration, but could indicate a break-in attempt from a badly
106maintained host. You can use a simple "+*" in an otherwise empty list to
107just deny misconfigured hosts.
108.PP
109An IP or network address check is simply done on the remote hosts IP
110address. Such a check has no overhead, but a
111.B log
112flag will cause a reverse lookup anyway.
113.PP
114Comments start with "#" and continue until end of line.
115.SH EXAMPLES
116Example access file on a machine that offers most services only to hosts within
117the cs.vu.nl domain, and news (nntp) only to two machines and a specific
118network.
119.PP
120.RS
121.nf
122.ta +2.2i +.4i
123# Service # Access list
124login shell: +*.cs.vu.nl log;
125telnet pop smtp finger: + log;
126nntp: +flotsam.cs.vu.nl +jetsam.cs.vu.nl
127 +172.16.102.0/24 log;
128*: +*.cs.vu.nl;
129.fi
130.RE
131.PP
132More paranoid example that limits all services by default, but allows ftp and
133http to the world:
134.PP
135.RS
136.nf
137.ta +2.2i +.4i
138# Service # Access list
139ftp http: +;
140smtp finger: + log;
141nntp: +flotsam.cs.vu.nl +jetsam.cs.vu.nl
142 +172.16.102.0/24 log;
143*: +*.cs.vu.nl log;
144.fi
145.RE
146.PP
147(Note that the last rule doesn't match any of the services mentioned
148explicitly earlier.)
149.SH FILES
150.TP 25n
151.B /etc/serv.access
152The service access check file.
153.SH "SEE ALSO"
154.BR servxcheck (3),
155.BR services (5),
156.BR inetd.conf (5).
157.SH NOTES
158It may be wise not to put checks on telnet. It is reasonably secure, since
159it always requires a password, and your only way in if things are seriously
160hosed.
161.SH BUGS
162IP and DNS based access checks will stop most crackers, but not the really
163determined ones. Luckily MINIX 3 is sufficiently strange to thwart the well
164known cracking schemes. But don't ever allow yourself to feel secure.
165.SH AUTHOR
166Kees J. Bot <kjb@cs.vu.nl>
Note: See TracBrowser for help on using the repository browser.