Security - awiones/RemotelyPy GitHub Wiki
Security Guide
Encryption & Communication
SSL/TLS Configuration
- Certificate Setup
# Generate strong SSL certificate (self-signed; -nodes leaves key.pem unencrypted)
openssl req -x509 -newkey rsa:4096 \
  -keyout key.pem \
  -out cert.pem \
  -days 365 \
  -nodes \
  -subj "/C=US/ST=State/L=City/O=Organization/CN=remotelypy.example.com"
# Set proper permissions
chmod 600 key.pem
chmod 644 cert.pem
- Security Parameters
  - Minimum TLS version: 1.2
  - Strong cipher suites
  - Perfect Forward Secrecy (PFS)
  - Certificate validation enabled
Network Security
Firewall Configuration
- UFW (Uncomplicated Firewall):
# Allow only specific IPs
sudo ufw allow from trusted_ip to any port 5555
# Or restrict to VPN network
sudo ufw allow in on tun0 to any port 5555
- iptables:
# Allow specific subnet
iptables -A INPUT -p tcp -s 10.0.0.0/24 --dport 5555 -j ACCEPT
# Drop other connections
iptables -A INPUT -p tcp --dport 5555 -j DROP
Port Security
- Use non-standard ports
- Implement rate limiting
- Monitor connection attempts
- Block repeated failed attempts
Authentication & Authorization
Client Authentication
# Configuration example
auth_config = {
    "token_expiry": 3600,   # 1 hour
    "max_attempts": 3,
    "lockout_period": 300,  # 5 minutes
    "require_2fa": True
}
Permission Levels
- Read-only
  - System information
  - Status monitoring
  - Log viewing
- Standard
  - Command execution
  - File transfers
  - Shell access
- Administrative
  - Client management
  - Configuration changes
  - Security settings
Secure Configuration
File Permissions
# Set ownership and permissions
sudo chown -R remotelypy:remotelypy /etc/remotelypy
sudo chmod 750 /etc/remotelypy
sudo chmod 640 /etc/remotelypy/config.yaml
sudo chmod 600 /etc/remotelypy/ssl/*
Secure Defaults
# Example secure configuration
security:
  ssl:
    enabled: true
    min_tls_version: "1.2"
    verify_certs: true
    cert_path: "/etc/remotelypy/ssl/cert.pem"
    key_path: "/etc/remotelypy/ssl/key.pem"
  authentication:
    require_token: true
    token_rotation: true
    rotation_interval: 86400  # 24 hours
  logging:
    audit_enabled: true
    log_level: "INFO"
    max_log_size: 10485760  # 10MB
    backup_count: 5
Logging & Monitoring
Audit Trail
- Command execution history
- Connection attempts
- Configuration changes
- Security events
Log Format
{
  "timestamp": "2023-12-01T12:00:00Z",
  "event": "command_execution",
  "client_id": "client123",
  "command": "ls -la",
  "user": "operator",
  "source_ip": "10.0.0.100",
  "status": "success"
}
Monitoring Setup
# Log monitoring
sudo tail -f /var/log/remotelypy/audit.log | grep -i "security"
# Set up alerts
sudo logwatch --service remotelypy --range today --detail high
# Monitor connections
watch -n1 "netstat -ant | grep ':5555'"
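
The "Block repeated failed attempts" item and the audit log format above can be combined into a small detector. This is an added example, not RemotelyPy's own code: it applies max_attempts and lockout_period from the auth_config example to audit records, assuming one JSON record per line in chronological order and assuming the event name "authentication" and the status "failure", which the page does not define.

```python
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta

MAX_ATTEMPTS = 3                         # auth_config["max_attempts"]
LOCKOUT_PERIOD = timedelta(seconds=300)  # auth_config["lockout_period"]

# Constructed sample records; "authentication" and "failure" are assumed names.
def _rec(ts, ip, event="authentication", status="failure"):
    return json.dumps({"timestamp": ts, "event": event, "client_id": "client123",
                       "user": "operator", "source_ip": ip, "status": status})

SAMPLE_LOG = [
    _rec("2023-12-01T12:00:00Z", "10.0.0.100"),
    _rec("2023-12-01T12:00:00Z", "10.0.0.101"),
    _rec("2023-12-01T12:01:00Z", "10.0.0.100"),
    _rec("2023-12-01T12:01:30Z", "10.0.0.100", "command_execution", "success"),
    "truncated {line",                           # malformed record
    _rec("2023-12-01T12:02:00Z", "10.0.0.100"),  # third failure within 300 s
    _rec("2023-12-01T12:10:00Z", "10.0.0.101"),
    _rec("2023-12-01T12:11:00Z", "10.0.0.101"),  # 12:00 failure has aged out
]

def parse_ts(value):
    ts = datetime.fromisoformat(value.replace("Z", "+00:00"))
    if ts.tzinfo is None:                # refuse timestamps without an offset
        raise ValueError("timestamp lacks a UTC offset")
    return ts

def find_lockouts(lines, max_attempts=MAX_ATTEMPTS, window=LOCKOUT_PERIOD):
    """Map source_ip -> time it first reached max_attempts failures inside window."""
    recent = defaultdict(deque)   # source_ip -> failure times inside the window
    flagged = {}
    for line in lines:
        try:
            rec = json.loads(line)
            ts, ip = parse_ts(rec["timestamp"]), rec["source_ip"]
            failed = rec["event"] == "authentication" and rec["status"] == "failure"
        except (ValueError, KeyError, TypeError, AttributeError):
            continue              # skip malformed records, keep scanning
        if not failed:
            continue              # successes do not reset the failure count
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window:
            q.popleft()           # drop failures older than the window
        if len(q) >= max_attempts:
            flagged.setdefault(ip, ts)
    return flagged
```

Calling find_lockouts(SAMPLE_LOG) flags only 10.0.0.100; the returned addresses are candidates for the firewall rules in the Firewall Configuration section.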
Incident Response
Security Checklist
- Immediate Actions
  - Suspend compromised clients
  - Rotate security tokens
  - Block suspicious IPs
  - Preserve logs and evidence
- Investigation
  - Review audit logs
  - Analyze network traffic
  - Check file integrity
  - Document findings
- Recovery
  - Update security configurations
  - Patch vulnerabilities
  - Reset credentials
  - Restore from clean backups
Emergency Commands
# Suspend all connections
sudo python main.py controller --emergency-shutdown
# Block all incoming connections
sudo ufw deny 5555
# Rotate all security tokens
sudo python main.py controller --rotate-tokens
# Generate incident report
sudo python main.py audit --generate-report
Best Practices
Regular Maintenance
- Updates and Patches
# Update RemotelyPy
git pull origin main
pip install --upgrade -r requirements.txt
# Restart services
sudo systemctl restart remotelypy-controller
- Security Audits
  - Weekly log review
  - Monthly configuration review
  - Quarterly penetration testing
  - Annual security assessment
Backup Strategy
# Backup configuration
sudo tar -czf remotelypy-config-$(date +%Y%m%d).tar.gz /etc/remotelypy
# Backup SSL certificates
sudo cp -r /etc/remotelypy/ssl /etc/remotelypy/ssl.backup
# Backup logs
sudo rsync -av /var/log/remotelypy/ /backup/logs/