To better control access to your server, you can use a combination of access control and connection and port-forwarding filters.
First, access control. VShell® lets you control access to your server based on the users and groups already defined for your Linux or Mac server. You can control access to logon, shell, SCP, SFTP, FTPS, HTTPS, remote execution, port forwarding, and remote port forwarding.
Access control is defined by an option called "AccessControl" in the vshelld_config file.
FTPS and HTTPS access are controlled in the same way as SFTP.
In the following example, only the systems administrator is given access to the shell, SFTP access is restricted to user "alice" and groups "ops" and "faculty", and port forwarding access is granted to users "alice" and "bob" but denied to user "root". This information can be described in a table like the one below.
| Users/Groups | Shell | SFTP | RemoteExecution | PortForwarding |
|---|---|---|---|---|
| admin | Allow | Allow | ||
| root | Deny | Deny | Deny | Deny |
| alice | Allow | Allow | ||
| bob | Allow | |||
| ops | Allow | |||
| faculty | Allow | |||
| wheel | Deny |
In VShell, the same information is conveyed more succinctly in an access control list like the one following.
AccessControl {
Shell {
AllowUsers{ admin } #Allow vshell acces to admin
DenyUsers{ root } #Deny shell access to root
}
SFTP {
AllowUsers{ alice } #Allow SFTP access to alice
AllowGroups{ ops, faculty } #Allow SFTP access to ops and faculty
DenyUsers{ root } #Deny SFTP access to root
DenyGroups{ wheel } #Deny SFTP access to wheel
}
RemoteExecution{
AllowUsers{ admin } #Allow remote execution to admin
DenyUsers{ root } #Deny remote execution to root
}
PortForwarding{
AllowUsers{ bob, alice } #Allow port forwarding to bob and alice
DenyUsers{ root } #Deny port forwarding to root
}
}
When you use an access control list, any user not explicitly allowed access to a function would be implicitly denied by default. Therefore, in the above example, the user "root" did not have to be explicitly denied port forwarding, only "bob" and "alice" would be allowed access to that function. One reason to explicitly deny access to a user is to prevent that user from being allowed access if in the future they are added to a group that is allowed access. In that case, the user will still be denied access because a deny takes precedence over an allow.
The next part of the control equation can be connection filters. Connection filters are also a configuration option defined in vshelld_config. Connection filters allow you to allow or deny connections from specific hosts and IP addresses.
In the following example, the host "remotehost.isp.com" and the domain "trusted.com" are allowed to connect while the host at IP address "192.0.0.1" is denied.
ConnectionFilterTable {
{host remotehost.isp.com, access allow, comment "remote users access"}
{domain *.trusted.com, access allow, comment "allows connections from trusted.com"}
{IP 192.0.0.1, access denied, comment "denies connections from 192.0.0.1"}
}
Filter lists that include domain or hostname entries will cause vshelld to perform a reverse DNS lookup. If this lookup fails, the connection is denied.
Warning! Hostname and domain entries rely on DNS lookup and should be used with care. DNS is an unsecure service and could be used as part of an attack on your system. You may want to use IP addresses instead.
A third part of the control equation is port-forwarding filters. Port-forwarding filters are another configuration option defined in vshelld_config. Port-forwarding filters allow you to limit server access by specified hosts or IP addresses.
The following example allows port-forwarding access to any port in the isp.com domain, and only allows access to port 80 on www.trusted.com.
PortForwardFilterTable {
{domain *.isp.com, port 0, access allow,
comment "allow port forwarding to any port in the isp.com domain"}
{host www.trusted.com, port 80, access allow,
comment "only allow port forwarding to port 80 on www.trusted.com"}
}
Each of these options by itself enhances control over access to your server. Together, they add layers of protection. An access control list grants access to the users and groups that you want to use your server and blocks those that you don't. Connection filters then shield your server even more by controlling the hosts and domains that can connect to it. And finally, port-forward filters limit the access your approved users have to other hosts. In our examples above, only the users "bob" and "alice" are allowed to connect to your server (via a trusted connection) and port forward through your server; and then, only to the specified ports on approved hosts.
For detailed information on access lists and filters, refer to the vshelld_config (5) man page.
Tell me more. Email us your questions about putting VShell to work for your organization.
Try it today! Download a free evaluation copy of VShell for Windows, Linux, or macOS.
Talk to us. Let us help define the right VShell server solution for your company.
VanDyke Software uses cookies to give you the best online experience. Before continuing to use this site, please confirm that you agree to our use of cookies. Please see our Cookie Usage for details.
Here you can control cookies using the checkboxes below. Some cookies are essential for the use of our website and cannot be disabled. Others provide a convenience to the user and, if disabled, may reduce the ease of use of our site. Finally, some cookies provide anonymous analytic tracking data that help us provide the user with a richer browsing experience. You can elect to disable these cookies as well.