Security optimization
Introduction
Relution is a powerful tool whose users can hold extensive permissions on managed devices. The system should therefore be protected as well as possible against unauthorised access. The Relution portal offers several built-in functions for this, and in addition each user should be granted only the permissions they actually need.
Use a secure password
When a new user account is created in Relution, a complex password is suggested. It can be accepted or replaced. In either case, make sure the password follows the BSI's recommendations on password complexity.
Add a second factor for authentication
Relution supports login with a second factor. Each user must configure it for their own account: click the user name at the top right, then Profile. An MFA token for an authenticator app or e-mail verification can be stored there. Make sure this function is used, in particular for accounts with administrative permissions.
Use access token
An access token for using the API can also be stored in the user account profile. This has the advantage that no username/password combination needs to be kept in plain text in scripts. The token can also be given an expiry date so that it is not valid for longer than actually necessary. Treat the token like a password: keep it out of the script itself (for example in an environment variable or a secrets store with restricted permissions) and revoke it when the script is retired.
Configuring IP Access Rules & Fail2Ban
In the Global Organisation, both IP access rules and Fail2Ban can be configured under Settings → System Security.
Fail2Ban allows rules such as blocking an IP address for a certain period once a number of failed login attempts (e.g. 10) has been reached from that address.
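The following is an added stand-alone model of such a Fail2Ban-style rule, not Relution's own code. It assumes a threshold of 10 failures (the value named above), plus an observation window and a block duration that the page does not specify and that are chosen here only for illustration; the log entries are constructed. It shows the part practitioners usually get wrong: the block must expire on its own, and a correct password during the block must still be rejected.

```python
"""Fail2Ban-style lockout: block an IP after MAX_FAILURES failed logins."""
from collections import defaultdict, deque
from dataclasses import dataclass, field

MAX_FAILURES = 10      # threshold from the example in the text
WINDOW_SECONDS = 600   # assumed observation window (not specified on the page)
BLOCK_SECONDS = 900    # assumed block duration (not specified on the page)


@dataclass
class LoginGuard:
    failures: dict = field(default_factory=lambda: defaultdict(deque))
    blocked_until: dict = field(default_factory=dict)

    def is_blocked(self, ip: str, now: float) -> bool:
        until = self.blocked_until.get(ip)
        if until is None:
            return False
        if now >= until:
            del self.blocked_until[ip]   # temporary block has expired
            return False
        return True

    def record(self, ip: str, success: bool, now: float) -> str:
        """Process one login attempt; return 'blocked', 'ok' or 'failed'."""
        if self.is_blocked(ip, now):
            return "blocked"             # rejected before credentials are even checked
        window = self.failures[ip]
        if success:
            window.clear()               # a successful login resets the counter
            return "ok"
        window.append(now)
        while window and now - window[0] > WINDOW_SECONDS:
            window.popleft()             # forget failures outside the window
        if len(window) >= MAX_FAILURES:
            self.blocked_until[ip] = now + BLOCK_SECONDS
            window.clear()
            return "blocked"
        return "failed"


# Constructed sample log: (epoch seconds, source IP, login succeeded?)
SAMPLE_LOG = [(float(t), "203.0.113.7", False) for t in range(0, 100, 10)]  # 10 failures
SAMPLE_LOG += [
    (120.0, "203.0.113.7", True),                   # correct password, but IP is blocked
    (130.0, "198.51.100.2", True),                  # unrelated IP logs in normally
    (120.0 + BLOCK_SECONDS, "203.0.113.7", True),   # after expiry: allowed again
]


def replay(log=SAMPLE_LOG):
    """Feed the sample log through the guard and return one verdict per entry."""
    guard = LoginGuard()
    return [guard.record(ip, ok, t) for t, ip, ok in log]


if __name__ == "__main__":
    for entry, verdict in zip(SAMPLE_LOG, replay()):
        print(entry, "->", verdict)
```

The first nine failures only count; the tenth triggers the block, the later correct login from the same address is still rejected, and the address is usable again once the block has expired.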
IP access rules generally control from which IP addresses or networks a login is allowed or blocked. Both single IPs and entire ranges can be defined.
Important note
Before configuring any rule, verify which IP address the server actually sees for your own connection, so that you do not lock yourself out. If the portal is reached through a proxy, load balancer or VPN, that address can differ from the one your client shows you.
Meaning of status values
Allowed
- Login is currently possible
- Is automatically set as soon as a login attempt occurs (even if unsuccessful)
- Mainly used for visibility and logging
Permanently allowed
- IP address is explicitly whitelisted
- Takes precedence over other rules
- Remains permanently active
- Recommended for trusted locations (e.g. office or VPN)
Blocked
- IP address is temporarily blocked
- Can be unblocked at any time
Permanently blocked
- IP address is permanently blocked
- No login possible anymore
- Useful for clearly unwanted access attempts
Use of IP ranges
The CIDR prefix (the number after the slash) states how many leading bits of the address are fixed and therefore how large the range is that a rule applies to.
| Prefix | Meaning |
|---|---|
| /32 | Exactly one single IPv4 address |
| /24 | A typical network (e.g. company network), 256 addresses |
| /0 | Every IPv4 address |
Basic rule:
The smaller the prefix number, the larger the covered IP range.
CIDR examples
- 192.168.1.10/32 → affects exactly one single device
- 192.168.1.0/24 → affects all devices from 192.168.1.1 to 192.168.1.254 (the rule itself matches the whole block 192.168.1.0 to 192.168.1.255)
Example: Block everything except allowed IPs
Define trusted IPs
- Define own or known networks
- Configure them as “Permanently allowed”
- Examples:
- Office network
- VPN access
Create global block rule
- Create a rule covering all remaining IP addresses
- Example:
- 0.0.0.0/0 (covers all IPv4 addresses worldwide), status: “Permanently blocked”
- Note that 0.0.0.0/0 is an IPv4 range only; if the portal is also reachable over IPv6, check whether a corresponding rule for ::/0 is needed
Important note
Before activating the global block rule, make sure that your own IP address (and the ranges of every other administrator) is correctly set as permanently allowed. Because “Permanently allowed” takes precedence, the order of creation does not matter, but an address that matches no allow rule will be caught by the global block.
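The following is an added stand-alone model of the rule evaluation described in this section, not Relution's own code. It assumes the precedence the text gives (“Permanently allowed” wins over every other rule, then the two blocked states, then “Allowed”) and that an address matching no rule is not restricted, which is why the text adds the 0.0.0.0/0 block. The office and VPN ranges are constructed examples. The block also computes the range size for the CIDR table above and performs the self-lockout check from the note, and it goes one step beyond the text by showing what an IPv6 client gets under a purely IPv4 rule set.

```python
"""IP access rules: CIDR matching, status precedence and a lockout self-check."""
import ipaddress

# Lower number = higher precedence (assumption derived from the text).
PRECEDENCE = {
    "Permanently allowed": 0,
    "Permanently blocked": 1,
    "Blocked": 2,
    "Allowed": 3,
}


def parse_rule(cidr: str, status: str):
    """Turn '192.168.1.0/24', 'Permanently allowed' into a (network, status) pair."""
    if status not in PRECEDENCE:
        raise ValueError(f"unknown status {status!r}")
    # strict=False tolerates host bits, e.g. 192.168.1.10/24 -> 192.168.1.0/24
    return ipaddress.ip_network(cidr, strict=False), status


def evaluate(rules, client_ip: str) -> str:
    """Return the effective status for client_ip under the given rules."""
    addr = ipaddress.ip_address(client_ip)
    matches = [status for net, status in rules
               if addr.version == net.version and addr in net]
    if not matches:
        return "Allowed"   # assumption: no matching rule means no restriction
    return min(matches, key=PRECEDENCE.__getitem__)


def range_size(cidr: str) -> int:
    """Number of addresses a prefix covers: /32 -> 1, /24 -> 256, /0 -> 2**32."""
    return ipaddress.ip_network(cidr, strict=False).num_addresses


def lockout_check(rules, my_ip: str) -> bool:
    """The safety check from the note: can I still log in after activation?"""
    return evaluate(rules, my_ip) in ("Allowed", "Permanently allowed")


# "Block everything except allowed IPs"; office and VPN ranges are constructed.
RULES = [
    parse_rule("192.168.1.0/24", "Permanently allowed"),   # office network
    parse_rule("10.8.0.0/16", "Permanently allowed"),      # VPN clients (assumed range)
    parse_rule("0.0.0.0/0", "Permanently blocked"),        # everything else (IPv4 only)
]


if __name__ == "__main__":
    for ip in ("192.168.1.10", "10.8.3.4", "203.0.113.7", "2001:db8::1"):
        print(ip, "->", evaluate(RULES, ip))
    print("own address still allowed:", lockout_check(RULES, "192.168.1.10"))
    print("lockout if the allow rule were missing:",
          not lockout_check(RULES[2:], "192.168.1.10"))
```

Run against the block rule alone (`RULES[2:]`), the check fails for the office address, which is exactly the situation the note warns about. The IPv6 address falls through to “Allowed” because 0.0.0.0/0 matches only IPv4.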
Manage permissions
Relution ships with twelve permission presets as standard. Check which functions are enabled in which preset: click Users > Permissions and look at the entries created by the system. These system presets cannot be edited, but you can create new permission sets at any time and enable only the functions an individual user needs, on a fine-grained basis.
These permission presets correspond to the user groups that Relution creates by default.