Implementing Access Controls
Granular access controls ensure only authorized users can connect from approved locations. Combining multiple control mechanisms creates defense in depth against unauthorized access attempts.
Configure user and group restrictions:
```bash
# Create a dedicated group for accounts that may log in over SSH
sudo groupadd ssh-users
# Add the authorized users to the group
sudo usermod -a -G ssh-users alice
sudo usermod -a -G ssh-users bob
# Then add the following line (uncommented) to /etc/ssh/sshd_config and reload sshd;
# any account outside the group is refused even if it presents a valid password or key
# AllowGroups ssh-users
```
Implement IP-based access controls using TCP Wrappers:
```
# /etc/hosts.allow
# Allow SSH only from these networks. hosts_access(5) ignores only lines that
# begin with '#', so keep each comment on its own line rather than after a rule.
# Local network
sshd: 192.168.1.0/24
# Internal network
sshd: 10.0.0.0/8
# Specific management IP
sshd: 203.0.113.50
```

```
# /etc/hosts.deny
# Deny all other SSH connections (hosts.allow is consulted first, then hosts.deny)
sshd: ALL
```
Advanced access control with Match blocks:
```
# Add to /etc/ssh/sshd_config after the global settings. For a matching
# connection, a Match block overrides the global value of each keyword it sets.

# Restrict external contractors
Match Group contractors
    PasswordAuthentication no
    AllowTcpForwarding no
    PermitTunnel no
    X11Forwarding no
    ForceCommand /usr/bin/validate-contractor-access

# Admins get forwarding and tunnels only when connecting from the internal network
Match Group wheel Address 10.0.0.0/8
    PasswordAuthentication no
    AllowTcpForwarding yes
    PermitTunnel yes

# Chroot SFTP users. Every component of the ChrootDirectory path must be a
# root-owned directory that is not writable by any other user or group,
# otherwise sshd refuses the login.
Match Group sftp-only
    ChrootDirectory /var/sftp/%u
    ForceCommand internal-sftp
    AllowTcpForwarding no
    PasswordAuthentication no
    X11Forwarding no
```
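The three mechanisms above (group restriction, TCP Wrappers, Match blocks) are evaluated in sequence by the server, and the order of Match blocks decides which settings a user who belongs to several groups actually gets. The following is an added example, not code from the original page: a small offline evaluator that replays that layering against constructed copies of hosts.allow, hosts.deny and the sshd_config fragments above. It assumes IPv4 CIDR networks, single addresses or ALL as patterns, only the User, Group and Address Match criteria, and sshd's rule that the first matching Match block to set a keyword wins; `evaluate_access` and the sample constants are names chosen for this example.

```python
"""Offline evaluator for the three layers above (TCP Wrappers, AllowGroups, Match blocks).
Assumes CIDR/single-address/ALL patterns, User/Group/Address Match criteria only, and
sshd's rule that the first matching Match block to set a keyword wins."""
import ipaddress

# Constructed sample files mirroring the section above (comments on their own lines).
HOSTS_ALLOW = """# Allow SSH from specific networks
sshd: 192.168.1.0/24
sshd: 10.0.0.0/8
sshd: 203.0.113.50
"""
HOSTS_DENY = "sshd: ALL\n"
SSHD_CONFIG = """AllowGroups ssh-users
PasswordAuthentication yes
PermitTunnel no
Match Group contractors
    PasswordAuthentication no
    AllowTcpForwarding no
    PermitTunnel no
    X11Forwarding no
    ForceCommand /usr/bin/validate-contractor-access
Match Group wheel Address 10.0.0.0/8
    PasswordAuthentication no
    AllowTcpForwarding yes
    PermitTunnel yes
Match Group sftp-only
    ChrootDirectory /var/sftp/%u
    ForceCommand internal-sftp
    AllowTcpForwarding no
    PasswordAuthentication no
    X11Forwarding no
"""

def addr_matches(address, pattern):
    """True if address lies inside a CIDR/host pattern, or the pattern is ALL."""
    if pattern.upper() == "ALL":
        return True
    return ipaddress.ip_address(address) in ipaddress.ip_network(pattern, strict=False)

def wrappers_allow(daemon, address, allow_text, deny_text):
    """libwrap order: a hosts.allow match permits, else a hosts.deny match refuses, else permit."""
    def matches(text):
        for line in text.splitlines():
            line = line.strip()
            if not line or line.startswith("#"):
                continue
            daemons, _, clients = line.partition(":")
            if daemon in daemons.replace(",", " ").split() or "ALL" in daemons.split():
                if any(addr_matches(address, c) for c in clients.replace(",", " ").split()):
                    return True
        return False
    return True if matches(allow_text) else not matches(deny_text)

def parse_sshd_config(text):
    """Split sshd_config into global settings (first value wins) and Match blocks."""
    global_settings, blocks, current = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        keyword, value = (line.split(None, 1) + [""])[:2]
        if keyword.lower() == "match":  # e.g. "Match Group wheel Address 10.0.0.0/8"
            tokens = value.split()
            current = (dict(zip([t.lower() for t in tokens[0::2]], tokens[1::2])), {})
            blocks.append(current)
        elif current is None:
            global_settings.setdefault(keyword, value)
        else:
            current[1][keyword] = value
    return global_settings, blocks

def match_applies(criteria, user, groups, address):
    """sshd ANDs the criteria on one Match line; each value may be a comma list."""
    for name, pattern in criteria.items():
        wanted = pattern.split(",")
        if name == "user" and user not in wanted:
            return False
        if name == "group" and not set(groups) & set(wanted):
            return False
        if name == "address" and not any(addr_matches(address, w) for w in wanted):
            return False
    return True

def evaluate_access(user, groups, address):
    """Walk the layers in order; return a denial reason or the effective settings."""
    if not wrappers_allow("sshd", address, HOSTS_ALLOW, HOSTS_DENY):
        return {"denied": "tcp-wrappers"}
    settings, blocks = parse_sshd_config(SSHD_CONFIG)
    allowed = settings.pop("AllowGroups", "").split()
    if allowed and not set(groups) & set(allowed):
        return {"denied": "AllowGroups"}
    locked = set()  # keywords already fixed by an earlier matching Match block
    for criteria, block in blocks:
        if not match_applies(criteria, user, groups, address):
            continue
        for keyword, value in block.items():
            if keyword not in locked:
                locked.add(keyword)
                # sshd expands %u in ChrootDirectory; other tokens are out of scope here
                settings[keyword] = value.replace("%u", user) if keyword == "ChrootDirectory" else value
    return settings
```

Running `evaluate_access("bob", ["ssh-users", "contractors", "sftp-only"], "192.168.1.20")` shows why block order matters: because the contractors block comes first, its ForceCommand wins and bob never reaches internal-sftp, although he does get the chroot. Keep the memberships disjoint or order the Match blocks by priority. Two caveats when moving from this model to a real server: upstream OpenSSH removed TCP Wrappers support in 6.7, so many current builds ignore hosts.allow and hosts.deny entirely (check with `ldd "$(command -v sshd)" | grep libwrap` before relying on them), and the authoritative view of a Match evaluation is the daemon's own, e.g. `sshd -T -C user=bob,addr=192.168.1.20,host=client.example`, which prints the effective settings for that connection.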