Cockpit exposes deep system administration features (a root-capable terminal, service control, storage and user management) and should be restricted at least as tightly as SSH administrative access. Cockpit authenticates through the system's PAM stack and runs each session as the logged-in user, so whoever can log in to the host can log in to Cockpit: by default every local account with a valid shell can sign in. Restrict access to specific users or groups:
Option 1: Use a dedicated admin group
# Create a cockpit-admin group and add authorized users
sudo groupadd cockpit-admin
sudo usermod -aG cockpit-admin admin-user
# List the allowed groups in a root-owned file for pam_listfile
# (pam_listfile rejects a list file that is not owned by root or is group/world writable)
echo cockpit-admin | sudo tee /etc/cockpit/allowed-groups
sudo chmod 644 /etc/cockpit/allowed-groups
# Put the rule as the FIRST auth line of /etc/pam.d/cockpit, ahead of the distribution's
# substack/include, so no earlier "sufficient" module can short-circuit it
sudo sed -i '1i auth required pam_listfile.so onerr=fail item=group sense=allow file=/etc/cockpit/allowed-groups' /etc/pam.d/cockpit
Keep your current browser session open and test with an account that is not in the group before relying on the rule; a typo in a PAM file locks everyone out, including you.
Option 2: Disable password authentication
Cockpit's password login is HTTP Basic authentication handed to PAM. Turning it off in /etc/cockpit/cockpit.conf leaves only Kerberos/SSO (Negotiate), OAuth or client-certificate logins, so set one of those up and verify it first (confirm the option names in cockpit.conf(5) for your version):
[Basic]
action = none
Cockpit inherits the PAM configuration, so a second factor added to /etc/pam.d/cockpit applies to every web login; Cockpit shows the module's prompt ("Verification code") in the login dialog:
# Install the Google Authenticator PAM module
sudo apt install libpam-google-authenticator # Debian/Ubuntu
sudo dnf install google-authenticator # RHEL/Fedora
# Each user enrols once (writes ~/.google_authenticator): time-based codes, no code reuse
google-authenticator -t -d -f
# Then add to /etc/pam.d/cockpit after the password check
auth required pam_google_authenticator.so
During rollout you can append nullok so users without a ~/.google_authenticator still get in; remove it once everyone is enrolled, otherwise the second factor is optional for any account that never enrolled.
Idle sessions never expire unless you set a timeout. IdleTimeout in /etc/cockpit/cockpit.conf is in minutes, not seconds (900 would be 15 hours):
[Session]
IdleTimeout = 15
Cockpit terminates TLS itself (cockpit-tls on port 9090) and ships a self-signed certificate. Replace that certificate with one your clients trust, or put a reverse proxy in front of Cockpit.
Option 1: Built-in TLS
# Cockpit loads the alphabetically last *.cert (or *.crt) file in /etc/cockpit/ws-certs.d,
# so a name sorting after the shipped 0-self-signed.cert wins. The key goes in a matching
# *.key file (older releases need it appended to the .cert as a second PEM block).
sudo cp /etc/ssl/certs/cockpit.pem /etc/cockpit/ws-certs.d/50-cockpit.cert
sudo cp /etc/ssl/private/cockpit.key /etc/cockpit/ws-certs.d/50-cockpit.key
sudo chown root:root /etc/cockpit/ws-certs.d/50-cockpit.*
sudo chmod 600 /etc/cockpit/ws-certs.d/50-cockpit.key
sudo systemctl restart cockpit.service
# Confirm what is actually served before trusting it
openssl s_client -connect cockpit.example.com:9090 -servername cockpit.example.com </dev/null | openssl x509 -noout -subject -dates
Option 2: Reverse proxy (recommended for production)
Cockpit's UI talks to cockpit-ws over a WebSocket, so the proxy has to pass the Upgrade handshake through; without the websocket lines below the login page loads but the session cannot establish its connection.
# Nginx example
server {
    listen 443 ssl;
    server_name cockpit.example.com;
    ssl_certificate /etc/ssl/certs/cockpit.crt;
    ssl_certificate_key /etc/ssl/private/cockpit.key;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256;
    location / {
        proxy_pass http://localhost:9090;
        # WebSocket upgrade, required for Cockpit's channel transport
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
On the Cockpit side, set Origins = https://cockpit.example.com and ProtocolHeader = X-Forwarded-Proto in the [WebService] section of cockpit.conf so the cross-origin WebSocket check and the TLS detection see the proxy's public name rather than localhost:9090. Because Cockpit then trusts X-Forwarded-* headers, bind cockpit.socket to 127.0.0.1 (a systemd drop-in with ListenStream=127.0.0.1:9090) so clients cannot reach port 9090 directly and forge them.
Firewall rules (firewalld):
# On Fedora/RHEL the cockpit service (9090/tcp) is already allowed in the public zone;
# remove that blanket allow, otherwise the rich rule below changes nothing
sudo firewall-cmd --permanent --remove-service=cockpit
# Allow only from the trusted management subnet
sudo firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="10.0.0.0/24" service name="cockpit" accept'
sudo firewall-cmd --reload
sudo firewall-cmd --list-all # verify: "cockpit" must not appear under services
Firewall rules (ufw), relying on the default "deny incoming" policy to block everyone else:
sudo ufw allow from 10.0.0.0/24 to any port 9090 proto tcp
Avoid granting blanket sudo access unless necessary. Cockpit's "Turn on administrative access" switch escalates through sudo (falling back to polkit) with exactly the rules that apply in a shell, so scope what an operator may run in /etc/sudoers.d/:
# /etc/sudoers.d/cockpit-admin (mode 0440; validate with: visudo -cf /etc/sudoers.d/cockpit-admin)
# Allow specific commands without password
admin-user ALL=(ALL) NOPASSWD: /usr/sbin/reboot, /usr/bin/systemctl restart httpd.service
Name units explicitly rather than writing systemctl restart *: sudo wildcards also match spaces, so a trailing * lets the caller append arbitrary extra arguments. Prefer dropping NOPASSWD altogether so the escalation inside Cockpit prompts for the password.
Cockpit's features are separate cockpit-* packages (cockpit-machines, cockpit-podman, cockpit-storaged and so on); uninstall the ones you do not need rather than looking for a switch in cockpit.conf. What cockpit.conf does control is which browser origins may open a WebSocket to the service:
[WebService]
# Browsers omit the default port in the Origin header, so do not append :443 here
Origins = https://cockpit.example.com
There is no root-login option in cockpit.conf. Cockpit reads /etc/cockpit/disallowed-users (one username per line); root is listed there by default since Cockpit 230. Make sure it stays that way and escalate with sudo inside the session instead:
grep -qx root /etc/cockpit/disallowed-users || echo root | sudo tee -a /etc/cockpit/disallowed-users
# Enable automatic security updates (Debian/Ubuntu)
sudo apt install unattended-upgrades
# Or schedule regular updates via cron/ansible
Cockpit logs to the system journal. cockpit-ws logs connection and TLS events under the identifier cockpit-ws; cockpit-session logs PAM results (failures, opened and closed sessions) under cockpit-session:
# Everything from the cockpit service (cockpit-ws and the sessions it spawns)
journalctl -u cockpit -f
# Authentication events only (pam_unix messages: "authentication failure", "session opened for user ...")
journalctl -t cockpit-session -f
Set up alerts for:
- repeated authentication failures against one account or from one address
- logins from outside the management network
- sessions that turn on administrative access, and any session opened as root
Cockpit does not write files under /var/log/cockpit, so a file-only tool such as logwatch sees nothing unless rsyslog writes the journal to a file first. For a quick daily review straight from the journal:
journalctl -t cockpit-session --since yesterday | grep 'authentication failure'
Forward Cockpit logs to your SIEM or logging infrastructure:
# Rsyslog example: forward everything whose program name starts with "cockpit"
# (cockpit-ws, cockpit-session) over TCP (@@ rather than UDP @); use omfwd with TLS on untrusted networks
:programname, startswith, "cockpit" @@syslog.example.com:514
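The detection logic described above, run over constructed sample journal lines, as an added example that is not Cockpit project code. It assumes pam_unix's standard message format for the cockpit-session identifier and a failure threshold passed as the first argument; the hosts, addresses and usernames in the sample are made up.

```shell
#!/bin/sh
# Added example, not Cockpit project code: summarise login failures and opened
# sessions from the journal lines cockpit-session emits through pam_unix.
# Live usage (assumed invocation):
#   journalctl -t cockpit-session -o short-iso --since -1h | cockpit_login_failures 5
#   journalctl -t cockpit-session -o short-iso --since today | cockpit_session_opens

# Constructed sample lines in pam_unix's standard message format; hosts,
# addresses and users are made up. An empty rhost= means a local client.
SAMPLE_JOURNAL='2024-05-01T10:00:01+0000 host1 cockpit-session[2101]: pam_unix(cockpit:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=10.0.0.5 user=bob
2024-05-01T10:00:03+0000 host1 cockpit-session[2102]: pam_unix(cockpit:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=10.0.0.5 user=bob
2024-05-01T10:00:09+0000 host1 cockpit-session[2103]: pam_unix(cockpit:session): session opened for user alice(uid=1001) by (uid=0)
2024-05-01T10:00:15+0000 host1 cockpit-session[2104]: pam_unix(cockpit:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=10.0.0.5 user=carol
2024-05-01T10:00:20+0000 host1 cockpit-session[2105]: pam_unix(cockpit:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=203.0.113.7 user=root
2024-05-01T10:00:25+0000 host1 cockpit-session[2106]: pam_unix(cockpit:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost= user=bob
2024-05-01T10:00:30+0000 host1 cockpit-session[2107]: pam_unix(cockpit:session): session opened for user root(uid=0) by (uid=0)'

# cockpit_login_failures [THRESHOLD]: read journal lines on stdin, count
# authentication failures per source address and print one ALERT line for each
# address at or above THRESHOLD (default 5). Returns 1 when any alert fired.
cockpit_login_failures() {
  clf_out=$(awk -v thr="${1:-5}" '
    /pam_unix\(cockpit:auth\): authentication failure/ {
      rhost = "(local)"; user = "?"
      for (i = 1; i <= NF; i++) {
        if ($i ~ /^rhost=./) rhost = substr($i, 7)   # bare "rhost=" keeps "(local)"
        if ($i ~ /^user=./)  user  = substr($i, 6)   # "ruser=" does not match this anchor
      }
      count[rhost]++
      if (!((rhost, user) in seen)) { seen[rhost, user] = 1; users[rhost] = users[rhost] " " user }
    }
    END {
      for (h in count)
        if (count[h] >= thr) printf "ALERT %s failures=%d users:%s\n", h, count[h], users[h]
    }')
  [ -n "$clf_out" ] || return 0
  printf '%s\n' "$clf_out" | sort
  return 1
}

# cockpit_session_opens: list users who opened a session (with counts) and
# alert if root did, which /etc/cockpit/disallowed-users should prevent.
# Returns 1 when a root session was seen.
cockpit_session_opens() {
  cso_users=$(sed -n 's/.*pam_unix(cockpit:session): session opened for user \([^( ]*\).*/\1/p')
  [ -n "$cso_users" ] || return 0
  printf '%s\n' "$cso_users" | sort | uniq -c | awk '{ printf "SESSION %s count=%d\n", $2, $1 }'
  if printf '%s\n' "$cso_users" | grep -qx root; then
    echo "ALERT root opened a Cockpit session"
    return 1
  fi
  return 0
}

# Run against the embedded sample when invoked as: sh cockpit-watch.sh demo
case "${1:-}" in
  demo)
    printf '%s\n' "$SAMPLE_JOURNAL" | cockpit_login_failures 3
    printf '%s\n' "$SAMPLE_JOURNAL" | cockpit_session_opens
    ;;
esac
```

The per-address count is what catches password spraying (one address, many accounts), which a per-user threshold would miss; the failure with an empty rhost is kept under "(local)" rather than dropped, since a local proxy that does not forward the client address would otherwise hide everything.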
Cockpit can use SSH keys when it connects from the primary host to other machines (the host switcher and the terminal). The private keys never reach the browser: they stay in the logged-in user's ~/.ssh on the Cockpit host and are loaded into the per-session ssh-agent Cockpit starts, which prompts for the passphrase when needed. The public key must be in ~/.ssh/authorized_keys on the target host, and the target's host key should already be in ~/.ssh/known_hosts or /etc/ssh/ssh_known_hosts so the connection does not rest on a trust-on-first-use prompt. Treat those keys like any other admin credential: passphrase-protect them and do not leave passphrase-less keys in a home directory a Cockpit session can read.
| Control | Status | Notes |
|---|---|---|
| TLS enabled with valid certificate | ☐ | Use Let’s Encrypt or internal CA |
| Access restricted to admin group | ☐ | Create cockpit-admin group |
| MFA enabled | ☐ | Via PAM integration |
| Firewall rules in place | ☐ | Restrict to management network |
| Session timeout configured | ☐ | IdleTimeout = 15 (minutes) under [Session] in cockpit.conf |
| Logging enabled and monitored | ☐ | Forward to SIEM |
| Regular patching schedule | ☐ | Include Cockpit package |
| Root login disabled | ☐ | Keep root in /etc/cockpit/disallowed-users; escalate with sudo inside the session |
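To turn the checklist into something you can run against a host, or against a staged copy of its /etc, here is an added example script; it is not from the Cockpit project. It checks the settings this page recommends: IdleTimeout present and in minutes, Origins without a default-port suffix, root listed in /etc/cockpit/disallowed-users, no group- or world-readable private keys in ws-certs.d, and a pam_listfile rule in /etc/pam.d/cockpit. The optional prefix argument and the layout PREFIX/etc/... are assumptions of the script; it reads the first matching key anywhere in cockpit.conf without tracking sections.

```shell
#!/bin/sh
# Added example, not part of Cockpit: audit a host (or a staged copy of its
# /etc under a prefix) for the Cockpit hardening controls in the checklist.
# Usage: sh cockpit-audit.sh audit             # audit the running host
#        sh cockpit-audit.sh audit /srv/stage  # audit a staged tree (assumed layout: PREFIX/etc/...)

# conf_value FILE KEY: print the value of the first "KEY = value" line.
# Sections are ignored, which is fine for the keys checked here (assumption).
conf_value() {
  awk -F= -v key="$2" '
    ($1 ~ ("^[[:space:]]*" key "[[:space:]]*$")) {
      v = substr($0, index($0, "=") + 1)
      gsub(/^[[:space:]]+|[[:space:]]+$/, "", v)
      print v; exit
    }' "$1" 2>/dev/null || true
}

# audit_cockpit [PREFIX]: print one FAIL line per finding.
audit_cockpit() {
  ac_root=${1:-}
  ac_conf="$ac_root/etc/cockpit/cockpit.conf"

  # [Session] IdleTimeout is in minutes; unset means idle sessions never expire.
  ac_idle=$(conf_value "$ac_conf" IdleTimeout)
  if [ -z "$ac_idle" ]; then
    echo "FAIL: IdleTimeout not set in $ac_conf (idle sessions never expire)"
  else
    case $ac_idle in
      *[!0-9]*) echo "FAIL: IdleTimeout='$ac_idle' is not a number" ;;
      *) [ "$ac_idle" -le 60 ] || echo "FAIL: IdleTimeout=$ac_idle is minutes, not seconds (use e.g. 15)" ;;
    esac
  fi

  # [WebService] Origins: browsers omit the default port in the Origin header,
  # so "https://host:443" never matches a real request.
  ac_origins=$(conf_value "$ac_conf" Origins)
  if [ -z "$ac_origins" ]; then
    echo "FAIL: Origins not set in $ac_conf (required behind a reverse proxy)"
  else
    for ac_o in $ac_origins; do
      case $ac_o in
        https://*:443|http://*:80) echo "FAIL: origin '$ac_o' includes the default port; drop it" ;;
      esac
    done
  fi

  # Direct root login is blocked by listing root in disallowed-users.
  ac_du="$ac_root/etc/cockpit/disallowed-users"
  grep -qsxE '[[:space:]]*root[[:space:]]*' "$ac_du" \
    || echo "FAIL: root is not listed in $ac_du (direct root login allowed)"

  # Private keys for cockpit-tls must not be readable by group (040) or others (004).
  ac_certdir="$ac_root/etc/cockpit/ws-certs.d"
  if [ -d "$ac_certdir" ]; then
    find "$ac_certdir" -name '*.key' \( -perm -040 -o -perm -004 \) | while IFS= read -r ac_key; do
      echo "FAIL: private key $ac_key is group/world readable (chmod 600)"
    done
  fi

  # Without a pam_listfile rule every local account can log in.
  ac_pam="$ac_root/etc/pam.d/cockpit"
  grep -qsE '^[[:space:]]*auth[[:space:]].*pam_listfile\.so' "$ac_pam" \
    || echo "FAIL: no pam_listfile rule in $ac_pam (every local account can log in)"
}

# audit_count [PREFIX]: number of FAIL lines (0 means every check passed).
audit_count() {
  audit_cockpit "${1:-}" | grep -c '^FAIL:' || true
}

case "${1:-}" in
  audit) audit_cockpit "${2:-}" ;;
esac
```

Run it from a configuration-management job after each change, and treat a non-zero audit_count as a failed deploy; the IdleTimeout check deliberately flags values above 60 because the most common mistake is writing the value in seconds.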