Table of Contents
- Why Command Filtering Matters
- How JumpServer Access Control Works
- The High-Risk Command Reference List
- Step 1: Create a Command Group
- Step 2: Create a Command Filter
- Step 3: Choose the Right Action
- Understanding Priority (1–100)
- Additional Access Control Rules
- Quick Reference: All Four ACL Types
Why Command Filtering Matters
A single privileged session without guardrails can undo weeks of infrastructure work. Commands like rm -rf /, DROP DATABASE, or mkfs are entirely legitimate in the right hands — but catastrophic when run by mistake or by a compromised account.
Blanket blocking does not work in practice. A database administrator genuinely needs DROP TABLE in some contexts; a sysadmin may need reboot during a maintenance window. What you actually need is a policy layer that can:
- Block the most destructive commands outright
- Route borderline commands through a human approver before execution
- Alert a security team when a sensitive command is attempted
- Log every matched command for audit purposes
JumpServer's Access Control module provides exactly this — a flexible, priority-based rule engine that sits between the user and the asset, evaluating every command before it reaches the target server.
How JumpServer Access Control Works
JumpServer's Access Control operates at four layers:
| ACL Type | What It Controls | Edition |
|---|---|---|
| Command Filter | Commands executed during a session | Community + Enterprise |
| User Login | Who can log in to JumpServer, from where, and when | Community + Enterprise |
| Asset Connection | Who can connect to which asset, when, and from which IP | Enterprise (X-Pack) |
| Data Masking | Which database query result columns are masked | Enterprise (X-Pack) |
| Connection Method | Which connection types (Web CLI, SSH, RDP, etc.) are allowed | Enterprise (X-Pack) |
Command filtering is the core mechanism for blocking high-risk commands and is available in both the Community and Enterprise editions.
How command matching works:
- A user connects to an asset and executes a command.
- JumpServer checks all command filters bound to that combination of user, asset, and account.
- Filters are evaluated in priority order (lower number = evaluated first).
- The first matching rule's action is executed: Deny, Accept, Review, or Alert.
- If no rule matches, the command executes normally.
The High-Risk Command Reference List
The following commands are commonly flagged as high-risk in Linux environments managed by JumpServer. Use these as a starting point when building your command groups. Not all commands should be blocked — configure the action (Deny, Review, or Alert) based on your organization's risk tolerance and operational needs.
Basic System Commands
| Command | Description |
|---|---|
rm |
Removes one or more files or directories |
rmdir |
Removes empty directories |
chattr |
Changes extended file attributes |
su |
Switches user identity |
visudo |
Edits the /etc/sudoers file |
sudo |
Executes commands as another user (default: root) |
shutdown / halt |
Shuts down the system |
poweroff |
Cuts power to the system |
init 0 |
Switches runlevel to 0 (shutdown) |
reboot |
Reboots the system |
init |
Changes the system runlevel |
Disk and Filesystem Commands
| Command | Description |
|---|---|
mount |
Mounts a filesystem |
unmount |
Unmounts a filesystem |
fdisk |
Disk partitioning tool for disks under 2 TB |
parted |
Disk partitioning tool with no size limit |
mkfs |
Formats and creates a Linux filesystem |
mkswap |
Creates a Linux swap partition |
swapon |
Activates a swap partition |
swapoff |
Deactivates a swap partition |
User and Group Management
| Command | Description |
|---|---|
useradd / adduser |
Creates a new user |
usermod |
Modifies an existing user's attributes |
userdel |
Deletes a user account |
passwd |
Changes a user's password |
groupadd |
Creates a new group |
groupdel |
Deletes a group |
chage |
Modifies password expiry settings |
Network Interface Commands
| Command | Description |
|---|---|
ifup |
Brings a network interface up |
ifdown |
Shuts down a network interface |
nmtui |
Interactive tool for modifying network settings |
vi /etc/sysconfig/network-scripts/ifcfg-* |
Directly edits network interface config files |
File Permission Commands
| Command | Description |
|---|---|
chmod |
Changes file or directory permissions |
chown |
Changes file or directory owner and group |
chgrp |
Changes the group ownership of a file |
Shell Built-ins and Process Control
| Command | Description |
|---|---|
alias |
Creates a shell alias |
unalias |
Removes a shell alias |
history |
Displays the command history |
export |
Sets or displays environment variables |
unset |
Deletes a variable or function |
kill |
Terminates a process by PID |
killall / pkill |
Terminates processes by name |
Database Commands
| Command | Description | Risk Level |
|---|---|---|
DROP DATABASE |
Deletes an entire database (irreversible) | Critical |
DROP TABLE |
Deletes a table and all its data | Critical |
TRUNCATE TABLE |
Clears all rows without row-by-row logging | Critical |
DROP USER |
Deletes a database user account | High |
ALTER DATABASE |
Modifies database-level configuration | High |
ALTER TABLE |
Changes table structure (columns, types, constraints) | High |
GRANT |
Grants privileges to a database user | High |
REVOKE |
Revokes privileges from a database user | High |
CREATE USER |
Creates a new database user account | Medium |
ALTER USER |
Modifies a database user's attributes or authentication | Medium |
Step 1: Create a Command Group
A command group is the list of commands (or patterns) that a filter will match against. One filter can reference multiple command groups.
Navigation: Access Control > Command Filter > Command Group tab > Create
| Parameter | Description |
|---|---|
| Name | A descriptive name for this command group |
| Type | Command: exact string match. Regex: regular expression match |
| Content | Multi-line text — each line is one matching rule |
| Case Insensitive | When enabled, matching ignores letter case |
Example: High-risk deletion group
To match rm and its variants, create a command group with type Regex and content:
\brm\b
\brmdir\b
To match exact SQL commands, use type Command and list each command on its own line:
DROP DATABASE
DROP TABLE
TRUNCATE TABLE
Tip: For database commands, enabling Case Insensitive ensures that drop database, DROP DATABASE, and Drop Database are all caught by the same rule.
Step 2: Create a Command Filter
A command filter binds one or more command groups to a specific combination of users, assets, and accounts.
Navigation: Access Control > Command Filter > Command Filter tab > Create
| Parameter | Description |
|---|---|
| Name | A descriptive name for this filter |
| User | All users / Specified users / Attribute filter |
| Asset | All assets / Specified assets / Attribute filter |
| Account | All accounts / Specified accounts |
| Command Group | The command group(s) this filter will match against |
| Action | What happens when a command matches (see below) |
| Priority | 1–100. Lower number = evaluated first. Default: 50 |
Binding logic: The filter applies when the specified user connects to the specified asset using the specified account. When a command is entered, it is evaluated against all matching filters in priority order. The first matching rule's action fires.
Step 3: Choose the Right Action
JumpServer supports four actions for matched commands — not just block or allow:
| Action | Behavior |
|---|---|
| Deny | The command is immediately blocked. The user sees a rejection message. |
| Accept | The command is explicitly allowed. Useful for whitelisting safe commands in a strict environment. |
| Review (Approval) | An approver receives a notification and must approve or reject the command before it executes. |
| Alert | The command executes, but the designated recipients receive an alert notification. |
Practical configuration strategy:
- Use Deny for commands that have no legitimate use case in your environment (e.g.,
mkfson production servers,DROP DATABASEfor read-only accounts). - Use Review for commands that are occasionally necessary but require a second pair of eyes (e.g.,
userdel,chmod 777,GRANT). - Use Alert for commands you want visibility into but do not want to interrupt (e.g.,
history,export,rebootduring business hours).
This layered approach avoids the "blanket ban" problem while still protecting critical systems.
Understanding Priority (1–100)
Every command filter and access control rule in JumpServer has a priority value between 1 and 100. Lower numbers are evaluated first.
When multiple filters match the same user-asset-account combination:
- The filter with the lowest priority number is evaluated first.
- If a command matches a rule in that filter, the action fires and evaluation stops.
- If no rule matches, JumpServer moves to the next filter in priority order.
- If no filter matches at all, the command executes normally.
Example setup:
| Priority | Filter Name | Command Group | Action |
|---|---|---|---|
| 10 | Critical-Block | DROP DATABASE, mkfs, init 0 | Deny |
| 30 | DBA-Review | DROP TABLE, TRUNCATE TABLE, ALTER TABLE | Review |
| 50 | Security-Alert | chmod, chown, GRANT | Alert |
With this setup, DROP DATABASE is blocked immediately (priority 10), DROP TABLE goes to an approver (priority 30), and chmod triggers a notification but still runs (priority 50).
Additional Access Control Rules
User Login Rules
User login rules control who can log in to JumpServer itself, from which IP addresses, and during which time windows.
Navigation: Access Control > User Login > Create
| Parameter | Description |
|---|---|
| Name | Rule name |
| Priority | 1–100, default 50 |
| User | All users / Specified users / Attribute filter |
| IP Group | Comma-separated IPs, CIDR ranges, or IP ranges.* matches all. Example: 192.168.10.1, 192.168.1.0/24, 10.1.1.1-10.1.1.20 |
| Time Period | Restricts the rule to specific hours or days |
| Action | Deny / Accept / Review (Enterprise) / Notify |
| Active | Enables or disables the rule |
Note: The Review (approval workflow) action for user login is an Enterprise (X-Pack) feature.
Asset Connection Rules (Enterprise)
Asset connection rules add a second review layer specifically for connecting to assets — separate from the command filter that applies during a session.
Navigation: Access Control > Asset Connection > Create
Available actions:
| Action | Behavior |
|---|---|
| Deny | Blocks the connection attempt |
| Accept | Explicitly allows the connection |
| Review | Routes the connection request to an approver |
| Notify | Sends a notification when the connection is made |
| Password Rotation | Automatically rotates the account password after the session ends |
Note: Password Rotation requires adding
CHANGE_SECRET_AFTER_SESSION_END=trueto the JumpServer configuration file and restarting the service.
Data Masking (Enterprise)
Data masking rules apply to database asset sessions. When a query returns results, specified columns are automatically obscured before they reach the user's screen.
Navigation: Access Control > Data Masking > Create
The masking rule uses column names with optional wildcard support:
- Single column:
password— masks only thepasswordcolumn - Multiple columns:
password,secret— masks both columns - Prefix wildcard:
password*— masks all columns whose names start withpassword - Suffix wildcard:
.*password— masks all columns whose names end withpassword
Note: Data masking is not supported for database assets connected via the Magnus component (client mode), except for MySQL.
Connection Method Control (Enterprise)
Connection method rules let you restrict which protocols and interfaces users can use to reach an asset.
Navigation: Access Control > Connection Method > Create
Supported connection methods include Web CLI, Web SFTP, SSH, Web GUI, and database client. The only available action is Deny, which blocks the matched connection method for the specified users.
Quick Reference: All Four ACL Types
| ACL Type | Scope | Actions Available | Edition |
|---|---|---|---|
| Command Filter | Commands within a session | Deny, Accept, Review, Alert | Community + Enterprise |
| User Login | JumpServer login | Deny, Accept, Review*, Notify | Community + Enterprise* |
| Asset Connection | Connecting to an asset | Deny, Accept, Review, Notify, Password Rotation | Enterprise only |
| Data Masking | Database query results | Mask specified columns | Enterprise only |
| Connection Method | Protocol/interface type | Deny | Enterprise only |
*Review action for User Login requires Enterprise (X-Pack).
Start Controlling Privileged Commands With JumpServer
The commands listed in this guide represent some of the highest-risk operations in any Linux environment. Without a policy layer between your operators and your assets, a single mistyped rm -rf or an unreviewed DROP DATABASE can cause damage that takes hours — or days — to recover from.
JumpServer Community Edition ships with full command filtering and user login access control at no cost. The Enterprise edition adds asset connection review, data masking, connection method control, and the full approval workflow across all ACL types.