access.conf is the configuration file used to control logins to Linux and Unix systems. The file is located at /etc/security/access.conf. In this file, login access for users, groups, hosts, ttys and networks is defined as allowed or denied. Each line specifies a rule.
Syntax
permission:users/groups:origins
Show Services Using Access.conf
Allow Rule
As stated before, each line is a rule. The aim of a rule is to allow or deny access according to its parameters. The sign of an allow rule is +, so each line starting with + means allow. After the sign, a : delimits the rule parameters. In the example we allow the root user access from the listed addresses.
+ : root : 192.168.200.1 192.168.200.4 192.168.200.9
Deny Rule
A deny rule is used to deny access with the specified parameters. Deny rules start with the - sign, which is separated from the rule parameters with :. The following example rule denies access for the root account.
- : root : ALL
Allow Only Root Access
There are different types of access restrictions. One of them is allowing only the root user to access the server. With this rule the root user can access the system from everywhere.
+ : root : ALL
Specify Allowed User
We can specify a user account that can access the server. We will give the user ismail access rights to the server from everywhere.
+ : ismail : ALL
Specify Allowed Group
When access is specified per user name, a large number of users who can access the server becomes a problem for definition and management. access.conf supports Linux user groups, and these groups can be used to give access to the server. We assume we have a group named remoteaccess whose members can access the server from anywhere.
+ : @admins : ALL
Specify Allowed Hosts
Another useful option is setting the hosts that can connect to the system. Host names or IP addresses can be specified as below. In the example we only allow the IP address 192.168.200.1 to connect to the system.
+ : root : 192.168.200.1
Specify Allowed Network
Specifying IP addresses one by one is a daunting task. We can use a network and netmask specification to define networks to allow access. In the following example we allow the root user access from the network 10.0.0.0/24, or 10.0.0.0-255, with the 10.0.0. expression.
+ : root : 10.0.0.
Deny Only Root Access
In the previous examples we looked at how to allow some users, groups, IP addresses and networks into the system. But security comes from the deny operation. From now on we will look at how to deny access to the system for users with the specified parameters. In this example the user root cannot access the system remotely from anywhere.
- : root : ALL
Specify Denied User
We can specify a user to deny access to the system. In this example the user ismail cannot access the system from anywhere.
- : ismail : ALL
Specify Denied Group
As shown in the previous examples, a Linux user group can be defined to deny access to the system. In the example we deny access for the students group from anywhere.
- : @students : ALL
Specify Denied Hosts
We can specify hosts to deny access to the system. We use the same syntax as the allow rule but change the rule sign to -. In the example we deny access from 192.168.200.1 to the system.
- : root : 192.168.200.1
Specify Denied Network
We can specify a denied network with the - sign, the user name and the network address. In the example we deny the 10.0.0.0/24 network from accessing the system with the root user.
- : root : 10.0.0.
Exception Definition
Up to now we have specified users, host names, groups and networks. We can also define exceptions to these. In the example we allow all users access to the system except root. Group names can also be given as exceptions.
+ : ALL EXCEPT (root) : ALL
Deny All
Readers who have worked with firewalls know the golden rule: after specifying the different access rules, the best practice is to define the last rule as DENY ALL. This makes the system very secure. It simply means that only the connections I defined are allowed and all others are denied. Put this rule at the end of the rules in the access.conf file.
- : ALL : ALL
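To see how a rule set like the ones above is evaluated in order, here is an added Python example (not part of the original page and not pam_access itself) that parses a small constructed access.conf, applies first-match semantics to a user, group list and origin, handles the EXCEPT form and trailing-dot networks, and shows why the final deny-all rule matters. It accepts the (group) form that access.conf(5) documents as well as the @group shorthand written in the examples above.

```python
"""Minimal first-match evaluator for access.conf rules (added example, not pam_access).
Covers only what this page uses: +/- permission, ALL, EXCEPT, user names, (group) and
@group entries, host/IP origins and trailing-dot networks. No netgroups, CIDR, tty, options."""

# Constructed sample policy: specific allows first, catch-all deny last.
SAMPLE_CONF = """
+ : root : 192.168.200.1 192.168.200.4
+ : (admins) : 10.0.0.
+ : ALL EXCEPT (students) : 192.168.1.
- : ALL : ALL
"""

def _name_matches(token, user, groups):
    if token == "ALL":
        return True
    if token[0] in "(@":  # (group) per access.conf(5), or @group as written on this page
        return token.strip("()@") in groups
    return token == user

def _origin_matches(token, origin):
    if token == "ALL":
        return True
    if token.endswith("."):  # 10.0.0. matches every host in 10.0.0.0/24
        return origin.startswith(token)
    return token == origin

def _field_matches(field, match, *args):
    """True if some token before EXCEPT matches and no token after EXCEPT does."""
    tokens = field.split()
    cut = tokens.index("EXCEPT") if "EXCEPT" in tokens else len(tokens)
    hit = lambda t: match(t, *args)
    return any(map(hit, tokens[:cut])) and not any(map(hit, tokens[cut + 1:]))

def parse_rules(text):
    """Return (allow, names_field, origins_field) tuples; comments and blank lines are skipped."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            perm, names, origins = (f.strip() for f in line.split(":", 2))
            rules.append((perm == "+", names, origins))
    return rules

def check_access(rules, user, groups, origin):
    """First matching rule wins; no match grants access (as in pam_access), hence the final deny-all."""
    for allow, names, origins in rules:
        if _field_matches(names, _name_matches, user, groups) and _field_matches(origins, _origin_matches, origin):
            return allow
    return True
```

Running check_access against a policy that lacks the closing "- : ALL : ALL" line shows that an unlisted user from an unlisted address is still granted, which is the gap the deny-all rule closes.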