VanDyke Software

VShell® Server

Try Before You Buy

Every release can be evaluated free of charge for 30 days.

Index

I need to better control access to my server.

To better control access to your server, you can use a combination of access control and connection and port-forwarding filters.

First, access control.  VShell® lets you control access to your server based on the users and groups already defined for your UNIX system.  You can control access to logon, shell, SFTP, remote execution, port forwarding and remote port forwarding.

Access control is defined by an option called "AccessControl" in the vshelld_config file. 

In the following example, only the systems administrator is given access to the shell, SFTP access is restricted to user "alice" and groups "ops" and "faculty", and port forwarding access is granted to users "alice" and "bob" but denied to user "root". This information can be described in a table like the one below.

Users/Groups Shell SFTP RemoteExecution PortForwarding
admin Allow   Allow  
root Deny Deny Deny Deny
alice   Allow   Allow
bob       Allow
ops   Allow    
faculty   Allow    
wheel   Deny    

In VShell, the same information is conveyed more succinctly in an access control list like the one following.

    AccessControl {
        Shell {
            AllowUsers{ admin } #Allow vshell acces to admin
            DenyUsers{ root }  #Deny shell access to root
        }

        SFTP {
            AllowUsers{ alice }  #Allow SFTP access to alice
            AllowGroups{ ops, faculty }  #Allow SFTP access to ops and faculty
            DenyUsers{ root }  #Deny SFTP access to root
            DenyGroups{ wheel }  #Deny SFTP access to wheel
        }

        RemoteExecution{
            AllowUsers{ admin }  #Allow remote execution to admin
            DenyUsers{ root }  #Deny remote execution to root
        }

        PortForwarding{
            AllowUsers{ bob, alice }  #Allow port forwarding to bob and alice
            DenyUsers{ root }  #Deny port forwarding to root
        }
    }

When you use an access control list, any user not explicitly allowed access to a function would be implicitly denied by default.  Therefore, in the above example, the user "root" did not have to be explicitly denied port forwarding, only "bob" and "alice" would be allowed access to that function.  One reason to explicitly deny access to a user is because that if, in the future, that user becomes a member of a group that is allowed access, the user will still be denied because a deny takes precedence over an allow.

The next part of the control equation can be connection filters.  Connection filters are also a configuration option defined in vshelld_config.  Connection filters allow you to allow or deny connections from specific hosts and IP addresses.

In the following example, the host "remotehost.isp.com" and the domain "trusted.com" are allowed to connect while the host at IP address "192.0.0.1" is denied.

    ConnectionFilterTable {
        {host remotehost.isp.com, access allow, comment "remote users access"}
        {domain *.trusted.com, access allow, comment "allows connections from trusted.com"}
        {IP 192.0.0.1, access denied, comment "denies connections from 192.0.0.1"}
    }

Filter lists that include domain or hostname entries will cause vshelld to perform a reverse DNS lookup.  If this lookup fails, the connection is denied.

Warning!  Hostname and domain entries rely on DNS lookup and should be used with care.  DNS is an unsecure service and could be used as part of an attack on your system.  You may want to use IP addresses instead.

A third part of the control equation is port-forwarding filters.  Port-forwarding filters are another configuration option defined in vshelld_config.  Port-forwarding filters allow you to limit server access by specified hosts or IP addresses.

The following example allows port-forwarding access to any port in the isp.com domain, and only allows access to port 80 on www.trusted.com.

    PortForwardFilterTable {
        {domain *.isp.com, port 0, access allow,
        comment "allow port forwarding to any port in the isp.com domain"}
        {host www.trusted.com, port 80, access allow,
        comment "only allow port forwarding to port 80 on www.trusted.com"}
    }

Each of these options by itself enhances control over access to your server.  Together, they add layers of protection.  An access control list grants access to the users and groups that you want to use your server and blocks those that you don't.  Connection filters then shield your server even more by controlling the hosts and domains that can connect to it.  And finally, port-forward filters limit the access your approved users have to other hosts.  In our examples above, only the users "bob" and "alice" are allowed to connect to your server (via a trusted connection) and port forward through your server; and then, only to the specified ports on approved hosts.

For detailed information on access lists and filters, refer to the vshelld_config (5) man page.


Three Fast Ways to Learn More About VShell Server For Windows and UNIX

Tell me more. Email us your questions about putting VShell to work for your organization.

Try it today! Download a free 30-day evaluation copy of VShell for Windows or UNIX.

Talk to us. Let us help define the right VShell server solution for your company.