serv.access(5)


NAME
     serv.access - Internet service access list

SYNOPSIS
     /etc/serv.access

DESCRIPTION
     The serv.access file contains a list  of  rules  that  guide  the  access
     checks  made  by  the  servxcheck(3)  function.   The file is a text file
     containing entries that look as follows:

          service1 service2 ...:  check1 check2 ...;

     Each of the service names is a service name from the /etc/services  file.
     The  same  names  are used in the /etc/inetd.conf configuration file that
     guides inetd(8).

     The checks may look as follows:

     +
     -
          Allow all, or allow none.  Used to explicitly set the initial state.

     +name
          Grant access to one of the services if the host name of  the  remote
          system matches name.

     -name
          Deny access to one of the services if the host name  of  the  remote
          system matches name.

     +ipaddr
     -ipaddr
     +netaddr/len
     -netaddr/len
          Grants or denies access to a remote host with IP address ipaddr,  or
          the remote host whose IP address is within the network netaddr.  Len
          tells the number of bits used for the network address, i.e. the  top
          len bits of the network address must equal the host address.

     log
          This is not a check, but a flag that instruct  servxcheck()  to  log
          the  result  of  the  access  check  whether  it  succeeds or not to
          /usr/adm/log.  By default only failure is logged.

     The first "+" or "-" access check sets the  tone.   Read  it  as  "access
     denied  unless  +...",  or "access granted unless -...".  An access check
     will therefore almost always start with a "+" check.  To make the initial
     state  clear  you can start with a lone "+" or "-".  Checks are done from
     left to right.  A check that doesn't match does not change  the  outcome.
     A check that can't change the outcome is skipped.

     Both the service and the host names  may  contain  the  *  wildcard  that
     matches  any  number  of characters including none.  Letters are compared
     ignoring case.  A service name may appear in more than one  rule,  but  a
     service mentioned explicitly is not matched by wildcard patterns in later
     rules.

     A check for a hostname causes servxcheck() to do a reverse lookup on  the
     IP address of the remote host to find its name.  This name is then looked
     up to find the host's IP address(es).  If those  lookups  fail  then  all
     -name checks cause access to be denied, and no +name check grants access.
     The DNS lookup failures may be a misconfiguration, but could  indicate  a
     break-in attempt from a badly maintained host.  You can use a simple "+*"
     in an otherwise empty list to just deny misconfigured hosts.

     An IP or network address check is simply done  on  the  remote  hosts  IP
     address.   Such  a  check  has  no  overhead, but a log flag will cause a
     reverse lookup anyway.

     Comments start with "#" and continue until end of line.   The  "\"  is  a
     line  continuation  character.  It, any whitespace or a comment following
     it and a newline are treated as a single space.

EXAMPLES
     Example access file on a machine that offers most services only to  hosts
     within  the  cs.vu.nl  domain, and news (nntp) only to two machines and a
     specific network.

          # Service                 # Access list
          login shell:              +*.cs.vu.nl log;
          telnet pop smtp finger:   + log;
          nntp:                     +flotsam.cs.vu.nl +jetsam.cs.vu.nl
                                         +172.16.102.0/24 log;
          *:                        +*.cs.vu.nl;

     More paranoid example that limits all services by default, but allows ftp
     and http to the world:

          # Service                 # Access list
          ftp http:                 +;
          smtp finger:              + log;
          nntp:                     +flotsam.cs.vu.nl +jetsam.cs.vu.nl
                                         +172.16.102.0/24 log;
          *:                        +*.cs.vu.nl log;

     (Note that the last rule doesn't match  any  of  the  services  mentioned
     explicitly earlier.)


FILES

     /etc/serv.access         The service access check file.

SEE ALSO
     servxcheck(3), services(5), inetd.conf(5).

NOTES
     It may be wise not to put checks on telnet.   It  is  reasonably  secure,
     since  it  always requires a password, and your only way in if things are
     seriously hosed.

BUGS
     IP and DNS based access checks will  stop  most  crackers,  but  not  the
     really  determined ones.  Luckily Minix is sufficiently strange to thwart
     the well known cracking schemes.  But don't ever allow yourself  to  feel
     secure.

AUTHOR
     Kees J. Bot <kjb@cs.vu.nl>