hosts_access.5 (2010 09)

ManualsBrandsHP ManualsSoftwareHP-UX Manpages

hosts_access(5) hosts_access(5)

NAME

hosts_access - format of host access control ﬁles

DESCRIPTION

The access control facility for internet services uses access control ﬁles to grant or deny access to its ser-

vices. These ﬁles are deﬁned using a simple access control language based on client (host name/address,

user name) and server (process name, hostname/address) patterns. See the EXAMPLES section for a

quick introduction.

An extended version of the access control language is described in hosts_options(5).

Access Control Files

daemon is the process name of a network daemon process, and

client is the name and/or address of a

host requesting service. Network daemon process names are speciﬁed in the

inetd conﬁguration ﬁle

(

/etc/inetd.conf

). The access control software searches the contents of two ﬁles:

/etc/hosts.allow

and /etc/hosts.deny

The ﬁles are searched in the following order. The search stops with the ﬁrst match:

•

/etc/hosts.allow

ﬁle is checked ﬁrst for a matching (daemon, client) pair. If one is found,

access is granted and the search stops.

•

/etc/hosts.deny ﬁle is checked if no match was found in the

/etc/hosts.allow ﬁle and

access will be denied if a (daemon, client) pair match is found.

• If no (daemon, client) match was found in either access control ﬁle, access will be granted.

A non-existing access control ﬁle is treated as if it were an empty ﬁle. Thus, access control can be turned

off by providing no access control ﬁles.

Access Control Rules

Each access control ﬁle consists of zero or more lines of text. These lines are processed in order of

appearance. The search terminates when a match is found. The following points describe the format of

the access control ﬁle:

• A newline character is ignored when it is preceded by a backslash ("\"). This permits you to

break up long lines so that they are easier to edit.

• Blank lines or lines that begin with a # character are ignored. This permits you to insert com-

ments and whitespace so that the tables are easier to read.

• All other lines should be in the following format. Contents in between

[] square brackets are

optional:

daemon_list

: client_list [ : shell_command

]

daemon_list is a list of one or more daemon process names (argv[0] values ) or wildcards

(see below).

client_list is a list of one or more host names, host addresses, patterns or wildcards (see

below) that will be matched against the client host name or address. NOTE: An

IPv6 address should be enclosed in square brackets

[] without any whitespace.

The more complex forms

daemon@host and user@host are explained in the Server Endpoint Patterns

and Client Username Lookups sections respectively.

List elements must be separated by blanks and/or commas.

With the exception of NIS (YP) netgroup lookups, all access control checks are case-insensitive.

Patterns

The access control language implements the following patterns:

• A string that begins with a dot (

.) character speciﬁes to match the components after the dot. A

host name is matched if the last components of its name match the speciﬁed pattern. For exam-

ple, the pattern .xyz.com matches the host name abc.def.xyz.com.

• A string that ends with a dot (

.) character speciﬁes to match the components before the dot. A

host address is matched if its ﬁrst numeric ﬁelds match the given string. For example, the pat-

tern 192.3. matches the address of (almost) every host (192.3.x.x) on the 192.3 network.

HP-UX 11i Version 3: September 2010 − 1 − Hewlett-Packard Company 1

Summary of content (6 pages)

PAGE 1
hosts_access(5) hosts_access(5) NAME hosts_access - format of host access control files DESCRIPTION The access control facility for internet services uses access control files to grant or deny access to its services. These files are defined using a simple access control language based on client (host name/address, user name) and server (process name, hostname/address) patterns. See the EXAMPLES section for a quick introduction.
PAGE 2
hosts_access(5) hosts_access(5) • A string that begins with an at (@) character is treated as an NIS (formerly YP) netgroup name. A host name is matched if it is a host member of the specified netgroup. Netgroup matches are not supported for daemon process names or for client user names. • An expression of the form n.n.n.n /m.m.m.m is interpreted as a "net/mask" pair. A host address is matched if "net" is equal to the bit-wise AND of the address and the "mask". For example, the net/mask pattern 131.
PAGE 3
hosts_access(5) hosts_access(5) %n(%N) The client (server) host name (or unknown or paranoid). %p The daemon process id. %s Server information: daemon @host, daemon @address, or just a daemon name, depending on how much information is available. %u The client user name (or unknown). %% Expands to a single % character. Characters in % expansions that do not match any alpha-numeric (A-Za-z0-9) or !@%-_=+:,./ characters are replaced by underscores.
PAGE 4
hosts_access(5) hosts_access(5) A positive IDENT lookup result (the client matches KNOWN@host) is less reliable. It is possible for an intruder to spoof both the client connection and the IDENT lookup, although doing so is much harder than spoofing just a client connection. It may also be possible that the client’s IDENT server is lying. NOTE: IDENT lookups do not work with UDP services.
PAGE 5
hosts_access(5) hosts_access(5) WARNING: Do not set traps on your finger daemon, unless you are prepared for infinite finger loops. Service trapping can be especially useful on network firewall systems. The typical network firewall only provides a limited set of services to the outer world. All other services can be trapped just like the above tftp example. The result is an excellent early-warning system.
PAGE 6
(Notes) A (Notes) hA 6 Hewlett-Packard Company −1− HP-UX 11i Version 3: September 2010