Access.conf Security Configuration For Linux and Unix
access.conf is the configuration file used to logins to the Linux or Unix systems. This file is locate at
/etc/security/ path. With this file logins of users, groups, hosts, tty, network are defined to allows or disallowed status. Each line specifies a rule.
Show Services Using Access.conf
As we stated before each line is a rule. The aim of the rules are allowing or denying access with related parameters. Allow rule is sign is
+ . Each line starting with
+ means allow. After the sign there is
: to delimit rule parameters. In the example we allow some access for the
+ : root : 192.168.200.1 192.168.200.4 192.168.200.9
Deny rule is used to deny access with specified parameters. Deny rules tarts with
- sign and delimited with
: from the rule parameters. Following example rules denies access for the root account.
- : root : ALL
Allow Only Root Access
There are different type of access restrictions. One of them is only allowing root user to access to the server. In this rule root user can access from everywhere to the system.
+ : root : ALL
Specify Allowed User
We can specify the user account which can access to the server. We will give the user
ismail access right to the server from everywhere.
+ : ismail : ALL
Specify Allowed Group
While specifying access for the user name if there area lot of users those can access to the server can be a problem for definition and management. Acess.conf supports Linux user groups. These groups can be used to give access to the server. We assume we have a group named
remoteacess and this group members can access to the server from anywhere.
+ : @admins : ALL
Specify Allowed Hosts
Another useful option is setting hosts those can be connect to the system. Host names or IP addresses can be specified like below. In the example we only allow IP address
192.168.200.1 to connect to the system.
+ : root : 192.168.200.1
Specify Allowed Network
Specifying IP ranges one by one is daunting task. We can use network and netmask specification do define networks to allow access. In the following example we allow
root user access from network
+ : root : 10.0.0.
Deny Only Root Access
Previous examples we have looked how to allow some users, groups, IP addresses and networks to the system. But security comes from deny operation. Up to new we will look how to deny users with specified parameter to access to the system. In this example user
root can not access system remotely from anywhere.
- : root : ALL
Specify Denied User
We can specify user to deny access to the system. In this example user
ismail can not access to the system from anywhere.
- : ismail : ALL
Specify Allowed Group
As shown previous examples a Linux user group can be defined fo deny access to the system. In the example we will deny access for
students group from anywhere.
- : @students : ALL
Specify Denied Hosts
We can specify hosts to deny access to the system. We will use same syntax like allow rule but change the rule sign with
- . In the example we deny access from
192.168.200.1 to the system.
- : root : 192.168.200.1
Specify Denied Network
We can specify denied network with
- sign, username and the network address. In the example we will deny
10.0.0.0/24 from accessing with root user to the system.
- : root : 10.0.0.
Up to now we have specified and defined the users , host names, groups and networks. We have the ability to except these. In the example we allow all users access to the system except
root . We can also specify group names to except.
+ : ALL EXCEPT (root) : ALL
The readers who worked with firewalls knows the golden rule. After specifying different access rules the best practice is defining last rule as
DENY ALL . This will make system very secure. This simply imply that I only allow those connections I defined and deny all others. Put this rule to the end of the rules in
- : ALL : ALL