# /etc/security/access.conf physical logins only?

## reddragon

I want to lock my machine to physical logins only.

I don't want to allow logins from machines on the LAN.

```
-:ALL EXCEPT root:tty1

-:ALL EXCEPT (wheel) sync:127.0.0.1

-:(wheel):ALL EXCEPT 127.0.0.1

-:ALL:ALL
```

Will this work?

Edit: probably a stupid question because I'm not running an sshd!

----------

## khayyam

*reddragon wrote:*

> Edit: probably a stupid question because I'm not running an sshd!

reddragon ... the obvious question then is how are these non-physical logins to occur? It requires the means to do so; if that isn't present then it isn't possible.

best ... khay

----------

## Syl20

Considering your access.conf only, I'm not sure it will work as you expect. Make it simple. Double-negations ("-" and "EXCEPT") should be avoided.

For example:

```
+ : root  : cron crond tty1 tty2 tty3 tty4 tty5 tty6

+ : user1 : LOCAL

- : root : ALL

- : ALL  : ALL
```

----------

## reddragon

Thanks, I went with this.

```
+ : root : cron crond tty1 

- : root : ALL

+ : user1 : LOCAL

- : user1 : ALL 

- : ALL  : ALL
```
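
To check how a rule list like the one above resolves, here is an added example (not part of any post in this thread): a simplified Python model of pam_access's first-match evaluation. The function names, the user `user2` and the address `192.0.2.10` are constructed for illustration; it assumes `pam_access.so` is enabled in the PAM stack and covers only user names, `ALL`, `LOCAL` and literal tty/service names (no `EXCEPT`, groups or hosts).

```python
# Simplified model of pam_access rule evaluation (added example, not pam_access itself).
# Covers only user names, ALL, LOCAL and literal tty/service names.
RULES = """\
+ : root : cron crond tty1
- : root : ALL
+ : user1 : LOCAL
- : user1 : ALL
- : ALL  : ALL
"""  # the final rule list posted in the thread

def parse(text):
    """Turn access.conf text into (perm, users, origins) tuples, in file order."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        perm, users, origins = (f.strip() for f in line.split(":", 2))
        if perm not in ("+", "-"):
            raise ValueError(f"bad permission field: {line!r}")
        rules.append((perm, users.split(), origins.split()))
    return rules

def origin_match(tokens, origin, rhost):
    """origin is the tty (or service name when there is no tty); rhost is the remote host, if any."""
    for tok in tokens:
        if tok == "ALL":
            return True
        if tok == "LOCAL":
            if not rhost:           # LOCAL matches only when no remote host is set
                return True
        elif not rhost and tok == origin:
            return True             # literal tty/service name, local logins only
    return False

def allowed(rules, user, origin, rhost=None):
    """First matching rule decides; if nothing matches, access is granted."""
    for perm, users, origins in rules:
        if ("ALL" in users or user in users) and origin_match(origins, origin, rhost):
            return perm == "+"
    return True

if __name__ == "__main__":
    rules = parse(RULES)
    cases = [("root", "tty1", None), ("root", "tty2", None), ("root", "cron", None),
             ("user1", "tty3", None), ("user1", "sshd", "192.0.2.10"), ("user2", "tty1", None)]
    for user, origin, rhost in cases:
        verdict = "allow" if allowed(rules, user, origin, rhost) else "deny"
        print(f"{user:6} {origin:5} {rhost or '-':12} {verdict}")
```

Because the first matching line wins, the trailing `- : ALL : ALL` is what turns the file into a default-deny list; without it, any user not named in an earlier rule would fall through and be allowed.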

----------

## depontius

How about simply not starting sshd (or any other such remote access daemon) at boot time?

No listening ports, no remote access.  Firewall it that way if you want, for another security layer.

----------

