
Filter commands executed on remote servers using command guard

How to restrict commands that a gateway user can execute on remote servers in Ezeelogin?

Ezeelogin uses IEEE Std 1003.2 (“POSIX.2”) regular expressions in the command guard.

Note: Command guard is an experimental feature (a user can bypass command guard by using scripts, the up arrow key, the tab key, etc.).

1. Enable command guard from Ezeelogin GUI > Settings > General > Security > Command Guard > Enable

2. Add a command group from Ezeelogin GUI > Command Guard > Command Groups > Add Group

Click  on the right menu to open add command group form.   

3.  Add command from Ezeelogin GUI > Command Guard > Commands > Add command 

Click    add command form. Enter the name and regular expression for the command you want to add and click 

To test whether a string matches the regular expression given for a command, click on the test icon to the right of the command in the command list, as in the example below.

For example, the following image shows regular expressions to block a user from executing the "kubectl" command with the "delete" option.

The following image shows another example: a regular expression for deleting files and directories from the command line with "rm -rf".


4. Add the command to the command group from Ezeelogin GUI > Command Guard > Command group > Actions > Click on the Commands icon

5. Edit the user, choose the command group, and Allow / Disallow commands for the user.

Select the command group from the drop-down list and select Allow / Disallow to allow or disallow the commands in the selected command group.

You can also edit the user group, choose the command group, and select Allow / Disallow to allow or disallow commands in the command group. 

This feature is available from Ezeelogin version 7.36.0. Refer to the article on upgrading Ezeelogin to the latest version.

Allow will let the users in the user group execute only those commands matching the regular expressions of the commands in the command group.

Disallow will prevent the users in the user group from executing any command matching the regular expressions of the commands in the command group, and will let them execute all other commands.
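Before saving a pattern in the GUI, it can help to check it offline against command lines that should and should not match. The script below is an added example, not Ezeelogin code: the two patterns are constructed here (they are not the ones shown in the article's images), and it assumes POSIX extended syntax with a match anywhere in the typed line, applying the Allow / Disallow rules described above.

```shell
#!/bin/sh
# Added example: offline check of candidate command guard patterns.
# Assumptions (not taken from Ezeelogin): patterns use POSIX extended
# syntax (grep -E) and a match anywhere in the typed line counts.

# Constructed patterns, not the ones from the article's images.
PAT_KUBECTL_DELETE='^[[:space:]]*kubectl([[:space:]]+[^[:space:]]+)*[[:space:]]+delete([[:space:]]|$)'
PAT_RM_RF='^[[:space:]]*rm[[:space:]]+-(rf|fr)([[:space:]]|$)'

# matches PATTERN COMMAND -> exit status 0 if the pattern matches the line
matches() {
    printf '%s\n' "$2" | grep -Eq -- "$1"
}

# guard_decision MODE COMMAND PATTERN... -> prints "permit" or "block"
# allow:    only commands matching a pattern in the group may run
# disallow: commands matching a pattern are refused, all others may run
guard_decision() {
    mode=$1; cmd=$2; shift 2
    hit=no
    for pat in "$@"; do
        if matches "$pat" "$cmd"; then hit=yes; break; fi
    done
    case "$mode:$hit" in
        allow:yes|disallow:no) echo permit ;;
        *) echo block ;;
    esac
}

# Constructed sample command lines, evaluated against a Disallow group.
while IFS= read -r line; do
    printf '%-7s %s\n' \
        "$(guard_decision disallow "$line" "$PAT_KUBECTL_DELETE" "$PAT_RM_RF")" "$line"
done <<'EOF'
kubectl get pods
kubectl -n prod delete pod web-1
kubectl get pod delete-me
rm -rf /var/tmp/build
ls -l /var/tmp
EOF
```

Once a pattern behaves as intended here, enter it in the GUI and confirm it again with the test icon, since that is the matcher that will actually be enforced.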

How to allow the user to switch when the command guard is enabled?

1. The following image shows how to add the regular expression for the switch user.

2. Add the password of the user in the regular expression field and enable the password button to save it with hashing.

3. Navigate to the command guard group, click on the Commands icon, and select all commands that need to be added to the group.

4. Edit the user, select the command guard group from the dropdown, and enable allow to allow those commands for that user.

5. Log in to ezsh (the Ezeelogin shell) as the same user, type in su - username to switch user, and provide the correct password when prompted. Refer to the example below.
