| Appendix |
3. For HST Server, require strong TLS connections to the web server.
TLS 1.0 and TLS 1.1 are vulnerable to attack. Run the following command to require that the client's SSL security protocol be TLS version 1.2 or higher:
# /opt/aspera/bin/asconfigurator -x "set_server_data;ssl_protocol,tlsv1.2"
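The following is an added example, not part of the IBM Aspera guide: a small POSIX shell check that reads the ssl_protocol value the asconfigurator command above writes and flags anything weaker than TLS 1.2, so an administrator can confirm the hardening took effect. The two aspera.conf fragments are constructed sample data, and the assumption that the value lives in a <server><ssl_protocol> element is this example's, not something the guide states.

```shell
# Added example (not from the IBM Aspera guide). Constructed aspera.conf fragments:
# one with the weak setting, one with the value the guide recommends. The
# <server><ssl_protocol> layout is assumed for this example.
WEAK_CONF='<CONF version="2">
  <server>
    <ssl_protocol>tlsv1</ssl_protocol>
  </server>
</CONF>'

HARDENED_CONF='<CONF version="2">
  <server>
    <ssl_protocol>tlsv1.2</ssl_protocol>
  </server>
</CONF>'

# ssl_protocol_of CONF_CONTENT -> prints the configured minimum protocol,
# or "unset" when no <ssl_protocol> element is present
ssl_protocol_of() {
    v=$(printf '%s\n' "$1" | sed -n 's/.*<ssl_protocol>\([^<]*\)<\/ssl_protocol>.*/\1/p' | head -n 1)
    printf '%s\n' "${v:-unset}"
}

# tls_minimum_ok CONF_CONTENT -> exit 0 only when the minimum is TLS 1.2 or newer.
# tlsv1.2 is the value from the guide; accepting tlsv1.3 is an assumption here.
# sslv3, tlsv1, tlsv1.1 and an unset value all fail the check.
tls_minimum_ok() {
    case "$(ssl_protocol_of "$1")" in
        tlsv1.2|tlsv1.3) return 0 ;;
        *) return 1 ;;
    esac
}

# Stand-alone report over the constructed fragments
for label in WEAK_CONF HARDENED_CONF; do
    eval "conf=\$$label"
    if tls_minimum_ok "$conf"; then
        printf '%s: ssl_protocol=%s OK\n' "$label" "$(ssl_protocol_of "$conf")"
    else
        printf '%s: ssl_protocol=%s WEAK, set tlsv1.2 with asconfigurator\n' "$label" "$(ssl_protocol_of "$conf")"
    fi
done
```

On a real host the same functions can be fed the contents of the server's aspera.conf (for example with `tls_minimum_ok "$(cat /opt/aspera/etc/aspera.conf)"`), which makes the check easy to run from a configuration audit script after the asconfigurator change.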
4. If asperanoded is exposed to internet traffic, run it behind a reverse proxy.
If your Aspera server must expose asperanoded to the internet, such as when setting it up as an IBM Aspera on Cloud (AoC) node, Aspera strongly recommends protecting it with a reverse proxy. Normally, asperanoded runs on port 9092, but nodes that are added to AoC must have asperanoded run on port 443, the standard HTTPS port for secure browser access. Configuring a reverse proxy in front of asperanoded provides additional protection (such as against DoS attacks) and resource handling for requests to the node's 443 port.
5. Install Aspera FASP Proxy in a DMZ to isolate your HST Server from the Internet.
For more information, see IBM Aspera FASP Proxy Admin Guide.
Securing the Aspera Applications
Your Aspera products can be configured to limit the extent to which users can connect and interact with the servers.
The instructions for Shares 1.9.x and Shares 2.x are slightly different; see the section for your version.
HST Server
1. Restrict user permissions with aspshell.
By default, all system users can establish a FASP connection and are only restricted by file permissions. Restrict the user's file operations by assigning them to use aspshell, which permits only the following operations:
• Running Aspera uploads and downloads to or from this computer.
• Establishing connections between Aspera clients and servers.
• Browsing, listing, creating, renaming, or deleting contents.
These instructions explain one way to change a user account or Active Directory user account so that it uses the aspshell; there may be other ways to do so on your system.
Run the following command to change the user login shell to aspshell:
# sudo usermod -s /bin/aspshell username
Confirm that the user's shell updated by running the following command and looking for /bin/aspshell at the end of the output:
# grep username /etc/passwd
username:x:501:501:...:/home/username:/bin/aspshell
Note: If you use OpenSSH, sssd, and Active Directory for authentication: To make aspshell the default shell for all domain users, first set up a local account for server administration because this change affects all domain users. Then open /etc/sssd/sssd.conf and change default_shell from /bin/bash to /bin/aspshell.