access.conf is the configuration file used to logins to the Linux or Unix systems. This file is locate at /etc/security/ path. With this file logins of users, groups, hosts, tty, network are defined to allows or disallowed status. Each line specifies a rule.
access.conf是用於登錄Linux或Unix系統的配置文件。 該文件位於/etc/security/路徑。 使用此文件,用戶,組,主機,tty,網絡的登錄名被定義為允許或禁止狀態。 每行指定一個規則。
句法 (Syntax)
permission:users/groups:origins
Show Services Using Access.conf
使用Access.conf顯示服務
允許規則(Allow Rule)
As we stated before each line is a rule. The aim of the rules are allowing or denying access with related parameters. Allow rule is sign is + . Each line starting with + means allow. After the sign there is : to delimit rule parameters. In the example we allow some access for the root user.
如前所述,每行都是一條規則。 規則的目的是允許或拒絕具有相關參數的訪問。 允許規則的符號是+ 。 每行以+開頭表示允許。 在標志之后有:分隔規則參數。 在示例中,我們允許root用戶進行某些訪問。
+ : root : 192.168.200.1 192.168.200.4 192.168.200.9
拒絕規則 (Deny Rule)
Deny rule is used to deny access with specified parameters. Deny rules tarts with- sign and delimited with: from the rule parameters. Following example rules denies access for the root account.
拒絕規則用於拒絕具有指定參數的訪問。 從規則參數中拒絕帶有-號的規則rules,並以:分隔。 以下示例規則拒絕對根帳戶的訪問。
- : root : ALL
只允許根訪問 (Allow Only Root Access)
There are different type of access restrictions. One of them is only allowing root user to access to the server. In this rule root user can access from everywhere to the system.
有不同類型的訪問限制。 其中之一是僅允許root用戶訪問服務器。 在此規則中,root用戶可以從任何地方訪問系統。
+ : root : ALL
指定允許的用戶 (Specify Allowed User)
We can specify the user account which can access to the server. We will give the user ismail access right to the server from everywhere.
我們可以指定可以訪問服務器的用戶帳戶。 我們將使用戶ismail從任何地方都可以訪問服務器。
+ : ismail : ALL
指定允許的組 (Specify Allowed Group)
While specifying access for the user name if there area lot of users those can access to the server can be a problem for definition and management. Acess.conf supports Linux user groups. These groups can be used to give access to the server. We assume we have a group named remoteacess and this group members can access to the server from anywhere.
在為用戶名指定訪問權限時(如果有很多用戶可以訪問服務器)可能是定義和管理的問題。 Acess.conf支持Linux用戶組。 這些組可用於授予對服務器的訪問權限。 我們假設有一個名為remoteacess的組,該組成員可以從任何地方訪問服務器。
+ : @admins : ALL
指定允許的主機 (Specify Allowed Hosts)
Another useful option is setting hosts those can be connect to the system. Host names or IP addresses can be specified like below. In the example we only allow IP address 192.168.200.1 to connect to the system.
另一個有用的選項是設置可以連接到系統的主機。 可以如下指定主機名或IP地址。 在該示例中,我們僅允許IP地址192.168.200.1連接到系統。
+ : root : 192.168.200.1
指定允許的網絡 (Specify Allowed Network)
Specifying IP ranges one by one is daunting task. We can use network and netmask specification do define networks to allow access. In the following example we allow root user access from network 10.0.0.0/24 or 10.0.0.0-255 with 10.0.0. expression.
一一指定IP范圍是一項艱巨的任務。 我們可以使用網絡和網絡掩碼規范來定義允許訪問的網絡。 在下面的例子中,我們允許root從網絡用戶訪問10.0.0.0/24或10.0.0.0-255與10.0.0. 表達。
+ : root : 10.0.0.
拒絕僅根訪問 (Deny Only Root Access)
Previous examples we have looked how to allow some users, groups, IP addresses and networks to the system. But security comes from deny operation. Up to new we will look how to deny users with specified parameter to access to the system. In this example user root can not access system remotely from anywhere.
在前面的示例中,我們研究了如何允許某些用戶,組,IP地址和網絡進入系統。 但是安全性來自拒絕操作。 到最新為止,我們將研究如何拒絕具有指定參數的用戶訪問系統。 在此示例中, root用戶無法從任何地方遠程訪問系統。
- : root : ALL
指定拒絕的用戶 (Specify Denied User)
We can specify user to deny access to the system. In this example user ismail can not access to the system from anywhere.
我們可以指定用戶拒絕對系統的訪問。 在此示例中,用戶ismail無法從任何地方訪問系統。
- : ismail : ALL
指定允許的組 (Specify Allowed Group)
As shown previous examples a Linux user group can be defined fo deny access to the system. In the example we will deny access for students group from anywhere.
如前面的示例所示,可以定義Linux用戶組以拒絕訪問系統。 在示例中,我們將拒絕從任何地方訪問students組。
- : @students : ALL
指定拒絕的主機 (Specify Denied Hosts)
We can specify hosts to deny access to the system. We will use same syntax like allow rule but change the rule sign with - . In the example we deny access from 192.168.200.1 to the system.
我們可以指定主機以拒絕對系統的訪問。 我們將使用與allow rule相同的語法,但使用-更改規則符號。 在示例中,我們拒絕從192.168.200.1到系統的訪問。
- : root : 192.168.200.1
指定拒絕的網絡 (Specify Denied Network)
We can specify denied network with - sign, username and the network address. In the example we will deny 10.0.0.0/24 from accessing with root user to the system.
我們可以使用-符號,用戶名和網絡地址指定拒絕的網絡。 在該示例中,我們將拒絕10.0.0.0/24通過root用戶訪問系統。
- : root : 10.0.0.
異常定義 (Exception Definition)
Up to now we have specified and defined the users , host names, groups and networks. We have the ability to except these. In the example we allow all users access to the system except root . We can also specify group names to except.
到目前為止,我們已經指定並定義了用戶,主機名,組和網絡。 我們有能力排除這些。 在該示例中,我們允許除root之外的所有用戶訪問系統。 我們還可以將組名指定為except。
+ : ALL EXCEPT (root) : ALL
全部拒絕 (Deny All)
The readers who worked with firewalls knows the golden rule. After specifying different access rules the best practice is defining last rule as DENY ALL . This will make system very secure. This simply imply that I only allow those connections I defined and deny all others. Put this rule to the end of the rules in access.conf file.
使用防火牆的讀者知道黃金法則。 指定不同的訪問規則后,最佳做法是將最后一個規則定義為DENY ALL 。 這將使系統非常安全。 這僅表示我只允許我定義的那些連接,而拒絕所有其他連接。 將此規則放在access.conf文件中規則的末尾。
- : ALL : ALL
翻譯自: https://www.poftut.com/access-conf-security-configuration-linux-unix/