Securing Cockpit access to particular hosts.

I have installed Cockpit on my home server, and currently anyone with the home server's IP/hostname on the home network can access the Cockpit interface. I wish to restrict that access to only certain machines on the home network. Is this possible (e.g. like using TCP wrappers)?

Responses

Hi Abhishek,

On the Cockpit login screen, a user has to mark the field "Reuse my password for privileged tasks" in order to be able to make changes to systems. So, only users with privileged (sudo) administrator rights can make changes to a system; for standard users, all content being shown in Cockpit remains "read-only". :)

Regards,
Christian

Hello, what I am trying to say is that I am looking for a way to restrict Cockpit access across the network, like I could access it from only certain machines and other machines get access denied. Is that possible?

Yes Abhishek, that's how I understood it - but I don't think it's possible. When the Cockpit service
is installed and enabled on a machine, every user on that machine can access the GUI with a web
browser. Hence I've told you about the elevated privileges, which avoids changes being made on
the system. But if you don't trust the user even when having read access only, then what's left is
to remove Cockpit from the machine. :)

Regards,
Christian

Abhishek, from the looks of the configuration files, you can control the port and which NIC is used for listening, but not control which machines can connect. That is more of a function of the firewall than the Cockpit service. I would recommend that you create a new firewalld zone on the Cockpit server, list the machines, IP addresses, or LANs that need the access, and open the 9090 port to that zone. Then deny the port on other zones. Only those machines in the zone will have access.

Hope that helps, Frank
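
The firewalld zone approach described in Frank's reply, as an added example that is not part of the original thread. The zone name `cockpit-admin`, the `public` interface zone, the sample addresses and the extra `ssh` rule are assumptions; the script only prints the `firewall-cmd` calls unless it is run as root with `APPLY=1`.

```shell
#!/bin/sh
# Added example (not from the thread): limit Cockpit (TCP 9090) to listed
# sources using a dedicated firewalld zone. Dry run unless APPLY=1.

ZONE="cockpit-admin"                  # hypothetical zone name
OTHER_ZONE="public"                   # assumed zone bound to the LAN interface
ALLOWED="192.168.1.10 192.168.1.20"   # constructed sample addresses

# Print the command in dry-run mode; execute it only when APPLY=1 (needs root).
run() {
    if [ "${APPLY:-0}" = 1 ]; then "$@"; else echo "$*"; fi
}

# Shape check for IPv4 with an optional /prefix; firewalld checks octet ranges.
valid_source() {
    printf '%s\n' "$1" |
        grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}(/([0-9]|[12][0-9]|3[0-2]))?$'
}

# usage: restrict_cockpit ZONE OTHER_ZONE SOURCE...
restrict_cockpit() (
    zone=$1; other=$2; shift 2
    [ "$#" -gt 0 ] || { echo "no sources given" >&2; exit 2; }
    # Validate everything first so a typo never leaves a half-built zone.
    for src in "$@"; do
        valid_source "$src" || { echo "bad source: $src" >&2; exit 2; }
    done
    run firewall-cmd --permanent --new-zone="$zone"
    for src in "$@"; do
        run firewall-cmd --permanent --zone="$zone" --add-source="$src"
    done
    run firewall-cmd --permanent --zone="$zone" --add-port=9090/tcp
    # Traffic from a listed source is matched against this zone, so allow
    # whatever else those machines need; ssh is an assumption here.
    run firewall-cmd --permanent --zone="$zone" --add-service=ssh
    # Close Cockpit for everyone else: drop the predefined service and any
    # explicit port rule from the interface zone.
    run firewall-cmd --permanent --zone="$other" --remove-service=cockpit
    run firewall-cmd --permanent --zone="$other" --remove-port=9090/tcp
    run firewall-cmd --reload
)

# Word splitting of $ALLOWED is intentional: one argument per source.
# shellcheck disable=SC2086
restrict_cockpit "$ZONE" "$OTHER_ZONE" $ALLOWED
```

After applying, `firewall-cmd --get-active-zones` and `firewall-cmd --zone=cockpit-admin --list-all` show which sources are bound to the zone and what it allows.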

Thanks Frank, this seems to be a better solution. I'll give it a try. Abhishek

Hi Abhishek,

Alternatively, you can log in to the servers on which you want to restrict access to the Cockpit interface and disable the Cockpit socket: sudo systemctl disable --now cockpit.socket
You can (re)enable it when you want to access it yourself:
sudo systemctl enable --now cockpit.socket ... :)

Regards,
Christian