Best Security Practices for the VaultOne Connector Server

The VaultOne Connector is an essential component of the VaultOne solution: it brokers remote sessions and records privileged access for auditing. The connector is installed on a Linux server provisioned in the customer's infrastructure (it can also be provisioned in VaultOne's infrastructure under a service contract). When the server is provisioned in the customer's infrastructure, VaultOne has no visibility into its hardware maintenance or security, so those responsibilities rest with the customer.

To ensure maximum protection and resilience, we have outlined the main recommendations and best practices for securely configuring this server.

1. Basic Security Requirements

Before starting the configuration, make sure the server meets the minimum requirements described in the article:

Additionally, we recommend:

✔ Ensuring that the hardware or virtual environment meets the minimum requirements, as specified in the official documentation.

✔ Applying strict access control policies, limiting who can access the server and restricting unnecessary permissions.

✔ Setting a strong password for every local account that can reach the server (including console and out-of-band access), following complexity recommendations (at least 15 characters, mixing letters, numbers, and special characters). Where remote access is concerned, prefer SSH key authentication over passwords, as described in section 2.

✔ Ensuring that the server is isolated in a secure network, preventing unnecessary exposure to public networks or unauthorized external access.

Even though the VaultOne system is hardened by default, the customer remains responsible for securing the infrastructure where this server is installed, including network policies, access control, and continuous monitoring.

2. Secure Access Control

Restrict unnecessary access and apply the practices below to minimize risk.

User and access management:

The VaultOne Connector server should not be accessed directly, unless necessary for maintenance.

✔ Create specific users for environment administration and avoid using generic accounts.

✔ Restrict administrative access to authorized users only, and route those sessions through VaultOne itself so that they are recorded and audited like any other privileged access.

Disable direct root login:

Server access should be performed using a regular user with elevated privileges via sudo. Direct root login should be disabled in SSH to avoid security risks.

To do this, edit the SSH configuration file:

sudo nano /etc/ssh/sshd_config

Set the following directive (on a fresh install it is usually commented out, in which case OpenSSH falls back to its built-in default of prohibit-password, which still allows root login with a key):

PermitRootLogin no

Then restart the SSH service (the unit is called sshd on RHEL-family systems and ssh on Debian/Ubuntu). Keep your current session open and confirm that a new login still works before closing it:

sudo systemctl restart sshd

Use SSH keys for remote access:

Password authentication can be disabled and replaced with SSH keys for increased security. First install the administrator's public key in the account's ~/.ssh/authorized_keys file and verify that key-based login works; only then edit /etc/ssh/sshd_config as follows. Note that sshd honours the first occurrence of a directive, and recent distributions include /etc/ssh/sshd_config.d/*.conf at the top of the file, so a drop-in shipped by the distribution or by cloud-init (for example one containing PasswordAuthentication yes) will override a later edit unless it is removed or changed as well.

PasswordAuthentication no
PubkeyAuthentication yes
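The two steps above (disabling root login and switching to key-only authentication) are easy to get wrong silently, because sshd uses the first value it sees for a directive and ignores the rest. The following script is an added example, not part of the VaultOne documentation: it audits a configuration file for the three directives this section recommends and runs against three constructed sample files so it can be tried offline. The sample contents and the temporary file names are assumptions made for the demonstration.

```shell
#!/bin/sh
# Added example (not VaultOne's code): audit an sshd configuration for the
# hardening directives recommended above. sshd honours the FIRST occurrence of
# a directive, so an edit further down a file (or below an Include) may be dead.
# On a live host, audit the output of `sshd -T` (the effective configuration
# after Includes) rather than the file you edited; the functions accept any path.

# effective_value FILE DIRECTIVE
# Prints the lower-cased value of the first non-comment occurrence of DIRECTIVE
# in FILE, or "unset" if it never appears. Match blocks are not interpreted.
effective_value() {
  awk -v key="$2" '
    tolower($1) == tolower(key) { print tolower($2); found = 1; exit }
    END { if (!found) print "unset" }
  ' "$1"
}

# check_sshd_hardening FILE
# One PASS/FAIL line per directive; exit status 0 only if all three match.
check_sshd_hardening() {
  file="$1"
  rc=0
  for pair in PermitRootLogin=no PasswordAuthentication=no PubkeyAuthentication=yes; do
    key="${pair%=*}"
    want="${pair#*=}"
    got="$(effective_value "$file" "$key")"
    if [ "$got" = "$want" ]; then
      echo "PASS $key = $got"
    else
      echo "FAIL $key = $got (expected $want)"
      rc=1
    fi
  done
  return "$rc"
}

# --- Constructed sample configurations (offline demonstration only) ---

# 1. Typical fresh-install file: directives commented out, so sshd falls back to
#    its built-in defaults (root login with a key allowed, passwords allowed).
STOCK_CFG="$(mktemp)"
cat >"$STOCK_CFG" <<'EOF'
Include /etc/ssh/sshd_config.d/*.conf
#PermitRootLogin prohibit-password
#PasswordAuthentication yes
PubkeyAuthentication yes
EOF

# 2. Hardened exactly as this section describes.
HARDENED_CFG="$(mktemp)"
cat >"$HARDENED_CFG" <<'EOF'
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
EOF

# 3. The edit was made, but an earlier line (standing in for a distro or
#    cloud-init drop-in) already set PasswordAuthentication yes, so it is dead.
SHADOWED_CFG="$(mktemp)"
cat >"$SHADOWED_CFG" <<'EOF'
PasswordAuthentication yes
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
EOF

trap 'rm -f "$STOCK_CFG" "$HARDENED_CFG" "$SHADOWED_CFG"' EXIT

for cfg in "$STOCK_CFG" "$HARDENED_CFG" "$SHADOWED_CFG"; do
  echo "== $cfg"
  if check_sshd_hardening "$cfg"; then echo "result: hardened"; else echo "result: NOT hardened"; fi
done
```

Only the second sample passes; the third fails on PasswordAuthentication even though the "right" line is present, which is the failure mode the script is meant to expose. On the real server, run `sudo sshd -t` to validate syntax before restarting and `sudo sshd -T > /tmp/effective.conf` to dump the effective configuration, then point check_sshd_hardening at that dump.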

3. Firewall Configuration and Network Isolation

The server should be isolated and have the minimum number of open ports.

Enable the firewall and allow only necessary ports:

Run a host firewall on the server itself with a default-deny inbound policy, opening only the ports the Connector requires plus administrative SSH, and restrict SSH to the management network. Use the company's network firewall as a second layer to block unauthorized access from other segments.

Network Segmentation:

If possible, place the VaultOne Connector in an isolated network and prevent it from having unrestricted access to other servers.

Connection Monitoring:

Enable logging of dropped connections on the firewall, forward those logs to the central log server or SIEM, and alert on repeated denied attempts against the server.
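To make the three points of this section concrete (minimum open ports, isolation from other segments, and logging of denied connections), here is an added example that is not part of the VaultOne documentation: a script that generates a default-deny nftables ruleset for the Connector host. It assumes nftables as the host firewall, an IPv4 management network (10.10.0.0/24 is a made-up value) and SSH on TCP/22; the Connector's own inbound ports are not listed on this page and are left as a commented placeholder.

```shell
#!/bin/sh
# Added example (not VaultOne's code): render a default-deny nftables ruleset
# for the Connector server that accepts administrative SSH only from the
# management network and logs everything it drops.

# valid_ipv4_cidr CIDR -> exit 0 if CIDR looks like a.b.c.d/0-32
valid_ipv4_cidr() {
  printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}/([0-9]|[12][0-9]|3[0-2])$'
}

# render_nft_ruleset MGMT_CIDR [SSH_PORT] -> ruleset text on stdout, exit 1 on bad input
render_nft_ruleset() {
  mgmt="$1"
  ssh_port="${2:-22}"
  if ! valid_ipv4_cidr "$mgmt"; then
    echo "render_nft_ruleset: '$mgmt' is not an IPv4 CIDR" >&2
    return 1
  fi
  cat <<EOF
#!/usr/sbin/nft -f
# Default-deny host firewall for the VaultOne Connector server (generated example).
flush ruleset
table inet vaultone_connector {
  chain input {
    type filter hook input priority 0; policy drop;
    iif "lo" accept
    ct state established,related accept
    ct state invalid drop
    meta l4proto { icmp, ipv6-icmp } accept
    # Administrative SSH only from the management network (assumed CIDR).
    ip saddr $mgmt tcp dport $ssh_port accept
    # Inbound ports the Connector itself needs (if any) go here; they are not
    # listed on this page, take them from the installation requirements.
    # Everything else is logged with a searchable prefix, then dropped.
    log prefix "vaultone-connector-drop: " counter drop
  }
  chain forward {
    type filter hook forward priority 0; policy drop;
  }
  chain output {
    # Left open here; tighten to the Connector's known destinations once the
    # segmentation design fixes them.
    type filter hook output priority 0; policy accept;
  }
}
EOF
}

# syntax_check_ruleset FILE -> dry-run "nft -c -f" when nft is available and we
# are root (nothing is applied); otherwise reports that the check was skipped.
syntax_check_ruleset() {
  if command -v nft >/dev/null 2>&1 && [ "$(id -u)" -eq 0 ]; then
    nft -c -f "$1"
  else
    echo "nft not available or not root: syntax check skipped" >&2
  fi
}

RULESET_FILE="$(mktemp)"
trap 'rm -f "$RULESET_FILE"' EXIT
render_nft_ruleset 10.10.0.0/24 >"$RULESET_FILE"   # management network is an assumed value
cat "$RULESET_FILE"
syntax_check_ruleset "$RULESET_FILE" || echo "ruleset failed syntax check" >&2
```

To deploy, install the rendered file as /etc/nftables.conf and enable the nftables service; apply it from the console or with a scheduled rollback the first time, because `flush ruleset` removes any other tables on the host (including ones managed by other tools). Dropped connection attempts then appear in the kernel log (`journalctl -k | grep vaultone-connector-drop`), which is the stream to forward to the SIEM for the connection monitoring this section calls for.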

4. Maintenance and Updates

The server must be kept up to date to ensure continuous security.

Applying patches and updates:

The VaultOne system receives periodic security updates. The customer must ensure these updates are applied promptly, and must also keep the underlying operating system and its packages (including OpenSSH and the firewall) patched on a regular schedule.

Continuous monitoring:

If the customer uses monitoring solutions, the VaultOne Connector server should be included in the observability strategy.

The VaultOne Connector plays a key role in securing privileged access. Protecting the server where it is installed is crucial to avoid vulnerabilities and ensure a secure environment.

By following these best practices, your company reduces risks and strengthens the security of its infrastructure.

If you have any questions or need support, please contact the VaultOne team.
