Securing The Aspera Applications - IBM Aspera HST Admin Manual

High-speed transfer server

3. For HST Server, require strong TLS connections to the web server.
TLS 1.0 and TLS 1.1 are vulnerable to attack. Run the following command to require that the client's SSL security
protocol be TLS version 1.2 or higher:
# /opt/aspera/bin/asconfigurator -x "set_server_data;ssl_protocol,tlsv1.2"
4. If asperanoded is exposed to internet traffic, run it behind a reverse proxy.
If your Aspera server must expose asperanoded to the internet, such as when setting it up as an IBM Aspera on
Cloud (AoC) node, Aspera strongly recommends protecting it with a reverse proxy. Normally, asperanoded runs
on port 9092, but nodes that are added to AoC must have asperanoded run on port 443, the standard HTTPS port
for secure browser access. Configuring a reverse proxy in front of asperanoded provides additional protection
(such as against DoS attacks) and resource handling for requests to the node's 443 port.
5. Install Aspera FASP Proxy in a DMZ to isolate your HST Server from the Internet.
For more information, see

Securing the Aspera Applications

Your Aspera products can be configured to limit the extent to which users can connect and interact with the servers.
The instructions for Shares 1.9.x and Shares 2.x are slightly different; see the section for your version.
HST Server
1. Restrict user permissions with aspshell.
By default, all system users can establish a FASP connection and are only restricted by file permissions. Restrict
the user's file operations by assigning them to use aspshell, which permits only the following operations:
• Running Aspera uploads and downloads to or from this computer.
• Establishing connections between Aspera clients and servers.
• Browsing, listing, creating, renaming, or deleting contents.
These instructions explain one way to change a user account or Active Directory user account so that it uses
aspshell; there may be other ways to do so on your system.
Run the following command to change the user login shell to aspshell:
# sudo usermod -s /bin/aspshell username
Confirm that the user's shell was updated by running the following command and looking for /bin/aspshell at
the end of the output:
# grep username /etc/passwd
username:x:501:501:...:/home/username:/bin/aspshell
Note: If you use OpenSSH, sssd, and Active Directory for authentication: To make aspshell the default
shell for all domain users, first set up a local account for server administration because this change affects all
domain users. Then open /etc/sssd/sssd.conf and change default_shell from /bin/bash to
/bin/aspshell.
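Added example (not from the Aspera manual): a field-exact version of the grep check above, because grep on a username also matches longer account names that contain it. The function names check_shells and sample_passwd, the account names, and the sample passwd lines are constructed for illustration.

```shell
#!/bin/sh
# Audit login shells in passwd-format data (added example, not Aspera code).
# Assumption: the accounts to check are supplied by the administrator as arguments.

ASPSHELL=/bin/aspshell

# sample_passwd: constructed passwd lines for the demonstration below.
sample_passwd() {
    cat <<'EOF'
xfer1:x:501:501:Transfer user:/home/xfer1:/bin/aspshell
xfer10:x:502:502:Transfer user:/home/xfer10:/bin/bash
svcadmin:x:503:503:Local admin:/home/svcadmin:/bin/bash
EOF
}

# check_shells PASSWD_FILE USER...
# PASSWD_FILE may be "-" to read standard input.
# Prints "user:shell" for each named account whose login shell is not aspshell
# and "user:MISSING" for each name with no entry. Exit status is 1 if any
# account was reported, 0 if every named account uses aspshell.
check_shells() {
    passwd_file=$1; shift
    awk -F: -v want="$*" -v ok="$ASPSHELL" '
        BEGIN { n = split(want, names, " ") }
        # Compare field 1 exactly; a plain grep for xfer1 also hits xfer10.
        !($1 in shell) { shell[$1] = $7 }   # first entry for a name wins
        END {
            bad = 0
            for (i = 1; i <= n; i++) {
                u = names[i]
                if (!(u in shell))       { print u ":MISSING"; bad = 1 }
                else if (shell[u] != ok) { print u ":" shell[u]; bad = 1 }
            }
            exit bad
        }' "$passwd_file"
}

# Demonstration on the constructed data: reports xfer10 and the unknown name.
sample_passwd | check_shells - xfer1 xfer10 ghost || true
```

On a real server, pass /etc/passwd as the file, or pipe in the output of getent passwd for domain accounts resolved through sssd, which do not appear in /etc/passwd.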
IBM Aspera FASP Proxy Admin Guide
| Appendix | 338
