Skip to main content
Access control
Last update:

Access control

Control panel

In Selectel, you can manage user access to the infrastructure by using Identity and Access Management (IAM), which checks every request and ensures that only authorized users perform operations on resources.

User access rights to resources are set at the level of user types and roles.Only users with the Account Owner or User Administrator role can add users and modify their data and roles. To simplify user management, you can organize users into groups.

By default, two-factor authent ication is enabled for all users after registration and filling out a profile.With two-factor authentication, you need to enter a password and a one-time confirmation code to log in to your account.You can receive the confirmation code via an application-authenticator or by SMS to the phone number you specified in your profile. Only the Account Owner can disable two-factor authentication.We do not recommend disabling two-factor authentication to avoid the risks associated with account compromise.

You can also set up authentication in your dashboard using Single Sign-On (SSO) technology.To do this, use credential federations, a centralized service for managing organizational structure, setting up employee directory integration, and controlling user access to company resources.When using federation, user data is stored with your Identity Provider (e.g., Keycloak, ADFS, and other SAML-compliant providers).

By default, access to the control panel is allowed from any IP address.However, the Account Owner and User Administrator can set restrictions — users will only be able to log in to the account from IP addresses and subnets that they have added to the list of allowed addresses.

If you need to share access to the control panel or resources with someone else, do not share your data.The Account Owner and User Administrator can create an additional user for control panel access or a service user for program access, see the User Types and Roles instructions for details.

Cloud and dedicated servers

You can connect to cloud servers through the console in the control panel and to dedicated servers through the KVM console.If you connect to the server through other CLIs to provide secure remote access to the infrastructure. connect to the server:

  • via SSH protocol — if you have a Linux server;
  • or via RDP if you have a Windows server.

Configure SSH connection

To securely connect to a Linux cloud or dedicated server, use SSH keys instead of login and password.These are a pair of keys: a private key and a public key. The private key is stored on the local computer and the public key is placed on the server.After configuring SSH connection and disabling password access, only the devices on which the private key is stored will be able to connect to the server, and the server will be protected from bruteforce attacks.

You must create a pair of SSH keys for each administrator and place the public key on a cloud or dedicated server.When creating a key for additional protection, specify a passphrase.

After creating SSH keys, create a user and configure the SSH connection — when creating the server using user data or for a created server through the CLI.If you are using servers with a public IP address, the safest strategy is to configure security settings during the server creation phase using user data.

You can specify user data for cloud and dedicated server.

Example of creating a user and configuring SSH connection using user data for Ubuntu 24.04 LTS 64-bit.

#cloud-config
users:
- name: admin
    sudo: ['ALL=(ALL) NOPASSWD:ALL']
    groups: sudo
    shell: /bin/bash
    lock_passwd: true
    ssh_authorized_keys:
    - <<public_ssh_key> admin@test
ssh_pwauth: false

package_update: true

packages:
- ufw

runcmd:
- sed -i 's/^#Port 22/Port 2222/' /etc/ssh/sshd_config
- sed -i 's/^#PasswordAuthentication yes/PasswordAuthentication no/' /etc/ssh/sshd_config
- sed -i 's/^PermitRootLogin prohibit-password/PermitRootLogin no/' /etc/ssh/sshd_config
- sed -i 's/^#PubkeyAuthentication yes/PubkeyAuthentication yes/' /etc/ssh/sshd_config
- systemctl restart ssh
- ufw allow 2222/tcp
- ufw --force enable
- reboot

Here:

  • name: admin — user is created admin;
  • sudo: ['ALL=(ALL) NOPASSWD:ALL']. — allows the user to execute commands via sudo without being prompted for a password;
  • groups: sudo — adds the user to the group sudo;
  • lock_passwd: true — locks password login for user admin;
  • <public_ssh_key> admin@test under ssh_authorized_keys — adds the public SSH key you created earlier. It starts with ssh-rsa.
  • ssh_pwauth: false — disables password login for all users. Access to the server will be possible only via SSH key, and password login will be completely disabled;
  • package_update: true  — updates the apt library;
  • packages: ufw — installs a firewall UFW (Uncomplicated Firewall) which is needed to restrict access to the SSH port;
  • commands with sed -i in the runcmd section  — change the default port 22 to 2222, disable password login and root-user connection, enable key authentication.

Recommendations for using an RDP connection

To securely connect via RDP to a cloud or dedicated Windows server, do not use a public IP address.We recommend using a VPN — such as OpenVPN, WireGuard, or IKEv2/IPsec — to access such servers.To do this, host cloud and dedicated servers on private subnets that are accessible through a separate VPN gateway, or deploy a VPN gateway on the same server.

Use a separate account for each server administrator.

Additional safety tools

To protect servers from unauthorized access, we recommend using additional security tools. Examples of free tools:

Certified security features

To further protect your servers, and if necessary to meet legal requirements, you can use additional certified tamper protection provided as part of a separate service:

Managed Kubernetes

In a Managed Kubernetes cluster, you can manage access to virtual resources using the RBAC Authorization (RBAC) mechanism.RBAC allows you to distribute user roles — create different namespaces for different applications and configure user access to pods in the appropriate namespace.

Cloud databases

In all DBMSs except Redis, you can manage database users and their privileges.For more information about managing users, see the instructions for PostgreSQL, PostgreSQL for 1C, PostgreSQL TimescaleDB, MySQL semi-sync, MySQL sync, and Kafka.

One user is automatically created for Redis DBMS.The password for this user is set during cluster creation, and can be changed after cluster creation.

Object Storage

Access to object storage resources is regulated:

When an action request is received in an object store, access is first checked by role model.If the role model allows access, the access policy is checked, if not, access is denied.With an access policy, anything not allowed by the policy rules is denied.

For API or FTP access , issue keys.

To access objects in the container through your own domain via HTTPS, you need to add a TLS (SSL) certificate. You can issue a certificate from any provider.You can manage certificates through the control panel. or Selectel Storage API.