Support

Support for business applications

Kaspersky Security Center 15 Linux

Configuring Administration Server

Configuring an allowlist of IP addresses to log in to Kaspersky Security Center Linux

Kaspersky Security Center
Нет результатов
Нет результатов
Online Help
FAQ Download Buy Renew Forum Contact support Recovery tools Product videos

Configuring an allowlist of IP addresses to log in to Kaspersky Security Center Linux

May 3, 2024

ID 231374

Get as PDF

By default, users can log in to Kaspersky Security Center Linux under any device where they can open Kaspersky Security Center Web Console. However, you can configure Administration Server so that users can connect to it only from devices with allowed IP addresses. In this case, even if an intruder steals a Kaspersky Security Center Linux account, he or she will not be able to log in to Kaspersky Security Center Linux because the IP address of the intruder's device is not in the allowlist.

The IP address is verified when a user logs in to Kaspersky Security Center Linux or runs an application that interacts with Administration Server via Kaspersky Security Center Linux OpenAPI. At this moment, a user's device tries to establish a connection with Administration Server. If the IP address of the device is not in the allowlist, an authentication error occurs and the KLAUD_EV_SERVERCONNECT event notifies you that a connection with Administration Server has not been established.

Requirements for an allowlist of IP addresses

IP addresses are verified only when the following applications try to connect to Administration Server:

  • Kaspersky Security Center Web Console Server

    If you sign in to Kaspersky Security Center Linux through Kaspersky Security Center Web Console, you can configure a firewall on the device where Kaspersky Security Center Web Console Server is installed using the standard means of operating system. Then, if someone tries to log in to Kaspersky Security Center Linux on one device and Kaspersky Security Center Web Console Server is installed on another device, a firewall helps prevent intruders from interfering.

  • Applications interacting with Administration Server via klakaut automation objects
  • Applications interacting with Administration Server via OpenAPI, such as Kaspersky Anti Targeted Attack Platform or Kaspersky Security for Virtualization

Therefore, specify addresses of the devices on which the applications listed above are installed.

You can set IPv4 and IPv6 addresses. You cannot specify ranges of IP addresses.

How to establish an allowlist of IP addresses

If you have not set an allowlist earlier, follow the instructions below.

To establish an allowlist of IP addresses to log in to Kaspersky Security Center Linux:

  1. On the Administration Server device, run the command prompt under an account with administrator rights.
  2. Change your current directory to the Kaspersky Security Center Linux installation folder (usually, /opt/kaspersky/ksc64/sbin).
  3. Enter the following command under the root account:

    klscflag -fset -pv klserver -n KLSRV_FLAG_ALLOWED_IP_ADDRESSES_FOR_GUI -v "<IP addresses>" -t s

    Specify IP addresses that meet the requirements listed above. Several IP addresses must be separated by a semicolon.

    Example of how to allow only one device to connect to Administration Server:

    klscflag -fset -pv klserver -n KLSRV_FLAG_ALLOWED_IP_ADDRESSES_FOR_GUI -v "192.0.2.0" -t s

    Example of how to allow multiple devices to connect to Administration Server:

    klscflag -fset -pv klserver -n KLSRV_FLAG_ALLOWED_IP_ADDRESSES_FOR_GUI -v "192.0.2.0; 198.51.100.0; 203.0.113.0" -t s

  4. Restart the Administration Server service.

You can find out whether you have successfully configured the allowlist of IP addresses in the Syslog Event Log on the Administration Server.

How to change an allowlist of IP addresses

You can change an allowlist just as you did when you first established it. For this purpose, run the same command and specify a new allowlist:

klscflag -fset -pv klserver -n KLSRV_FLAG_ALLOWED_IP_ADDRESSES_FOR_GUI -v "<IP addresses>" -t s

If you want to delete some IP addresses from the allowlist, rewrite it. For example, your allowlist includes the following IP addresses: 192.0.2.0; 198.51.100.0; 203.0.113.0. You want to delete the 198.51.100.0 IP address. To do this, enter the following command at the command prompt:

klscflag -fset -pv klserver -n KLSRV_FLAG_ALLOWED_IP_ADDRESSES_FOR_GUI -v "192.0.2.0; 203.0.113.0" -t s

Do not forget to restart the Administration Server service.

How to reset a configured allowlist of IP addresses

To reset an already configured allowlist of IP addresses:

  1. Enter the following command at the command prompt under the root account:

    klscflag -fset -pv klserver -n KLSRV_FLAG_ALLOWED_IP_ADDRESSES_FOR_GUI -v "" -t s

  2. Restart the Administration Server service.

After that, IP addresses are not verified any more.

Kaspersky Endpoint Security for Linux: High protection without performance compromising
Detects and blocks advanced threats. Buy as part of Endpoint Security for Business Advanced.
Kaspersky Premium Support (MSA): High‑priority incident processing
Telephone and web ticket support. Fast response, monitoring and health check. Submit a request and activate the contract (MSA).
Did you find this article helpful?
What can we do better?
Thank you for your feedback! You're helping us improve.
Thank you for your feedback! You're helping us improve.