By default, users can log in to Kaspersky Security Center Linux under any device where they can open Kaspersky Security Center Web Console. However, you can configure Administration Server so that users can connect to it only from devices with allowed IP addresses. In this case, even if an intruder steals a Kaspersky Security Center Linux account, he or she will not be able to log in to Kaspersky Security Center Linux because the IP address of the intruder's device is not in the allowlist.
The IP address is verified when a user logs in to Kaspersky Security Center Linux or runs an application that interacts with Administration Server via Kaspersky Security Center Linux OpenAPI. At this moment, a user's device tries to establish a connection with Administration Server. If the IP address of the device is not in the allowlist, an authentication error occurs and the KLAUD_EV_SERVERCONNECT event notifies you that a connection with Administration Server has not been established.
Requirements for an allowlist of IP addresses
IP addresses are verified only when the following applications try to connect to Administration Server:
If you sign in to Kaspersky Security Center Linux through Kaspersky Security Center Web Console, you can configure a firewall on the device where Kaspersky Security Center Web Console Server is installed using the standard means of operating system. Then, if someone tries to log in to Kaspersky Security Center Linux on one device and Kaspersky Security Center Web Console Server is installed on another device, a firewall helps prevent intruders from interfering.
Therefore, specify addresses of the devices on which the applications listed above are installed.
You can set IPv4 and IPv6 addresses. You cannot specify ranges of IP addresses.
How to establish an allowlist of IP addresses
If you have not set an allowlist earlier, follow the instructions below.
To establish an allowlist of IP addresses to log in to Kaspersky Security Center Linux:
klscflag -fset -pv klserver -n KLSRV_FLAG_ALLOWED_IP_ADDRESSES_FOR_GUI -v "<IP addresses
>" -t s
Specify IP addresses that meet the requirements listed above. Several IP addresses must be separated by a semicolon.
Example of how to allow only one device to connect to Administration Server:
klscflag -fset -pv klserver -n KLSRV_FLAG_ALLOWED_IP_ADDRESSES_FOR_GUI -v "192.0.2.0" -t s
Example of how to allow multiple devices to connect to Administration Server:
klscflag -fset -pv klserver -n KLSRV_FLAG_ALLOWED_IP_ADDRESSES_FOR_GUI -v "192.0.2.0; 198.51.100.0; 203.0.113.0" -t s
You can find out whether you have successfully configured the allowlist of IP addresses in the Syslog Event Log on the Administration Server.
How to change an allowlist of IP addresses
You can change an allowlist just as you did when you first established it. For this purpose, run the same command and specify a new allowlist:
klscflag -fset -pv klserver -n KLSRV_FLAG_ALLOWED_IP_ADDRESSES_FOR_GUI -v "<IP addresses
>" -t s
If you want to delete some IP addresses from the allowlist, rewrite it. For example, your allowlist includes the following IP addresses: 192.0.2.0; 198.51.100.0; 203.0.113.0. You want to delete the 198.51.100.0 IP address. To do this, enter the following command at the command prompt:
klscflag -fset -pv klserver -n KLSRV_FLAG_ALLOWED_IP_ADDRESSES_FOR_GUI -v "192.0.2.0; 203.0.113.0" -t s
Do not forget to restart the Administration Server service.
How to reset a configured allowlist of IP addresses
To reset an already configured allowlist of IP addresses:
klscflag -fset -pv klserver -n KLSRV_FLAG_ALLOWED_IP_ADDRESSES_FOR_GUI -v "" -t s
After that, IP addresses are not verified any more.
Page top