Security - awiones/RemotelyPy GitHub Wiki

Security Guide

Encryption & Communication

SSL/TLS Configuration

  1. Certificate Setup

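    # Generate a self-signed certificate with a 4096-bit RSA key, valid for 365 days.
    # -nodes writes the private key unencrypted, so the file permissions below
    # are the only protection for key.pem.
    openssl req -x509 -newkey rsa:4096 \
        -keyout key.pem \
        -out cert.pem \
        -days 365 \
        -nodes \
        -subj "/C=US/ST=State/L=City/O=Organization/CN=remotelypy.example.com"
    
    # Private key: owner read/write only; certificate: world-readable
    chmod 600 key.pem
    chmod 644 cert.pem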
    
  2. Security Parameters

    • Minimum TLS version: 1.2
    • Strong cipher suites
    • Perfect Forward Secrecy (PFS)
    • Certificate validation enabled
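
The four parameters above can be checked against a Python `ssl.SSLContext`. The following is an added example, not RemotelyPy's own code: it builds a client-side context that meets them, a constructed weak context that does not, and an audit function that reports which parameter each one violates. The function names, the cipher string, and the reading of "strong cipher suites" as ECDHE with AEAD ciphers are assumptions made for this example.

```python
import ssl

# Assumption: "strong cipher suites" + PFS is read here as ECDHE key exchange with AEAD ciphers.
PFS_CIPHERS = "ECDHE+AESGCM:ECDHE+CHACHA20"
PFS_PREFIXES = ("TLS_", "ECDHE-", "DHE-")  # TLS 1.3 suites (TLS_*) always use ephemeral keys


def hardened_client_context(ca_file=None):
    """Client-side context that meets the four parameters listed above."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)  # CERT_REQUIRED + hostname check by default
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers(PFS_CIPHERS)
    if ca_file:  # e.g. the self-signed cert.pem, so validation can stay enabled
        ctx.load_verify_locations(cafile=ca_file)
    return ctx


def weak_client_context():
    """Constructed counter-example: the settings the parameters are meant to rule out."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False  # must be cleared before verify_mode can be CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    ctx.minimum_version = ssl.TLSVersion.MINIMUM_SUPPORTED
    ctx.set_ciphers("AES256-GCM-SHA384:AES128-GCM-SHA256:AES128-SHA")  # static RSA key exchange
    return ctx


def audit_context(ctx):
    """Return a list of findings; an empty list means all four parameters hold."""
    findings = []
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("min_tls_version below 1.2")
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("certificate validation disabled")
    if not ctx.check_hostname:
        findings.append("hostname check disabled")
    no_pfs = [c["name"] for c in ctx.get_ciphers() if not c["name"].startswith(PFS_PREFIXES)]
    if no_pfs:
        findings.append("non-PFS cipher suites enabled: " + ", ".join(no_pfs))
    return findings


if __name__ == "__main__":
    for name, ctx in (("hardened", hardened_client_context()), ("weak", weak_client_context())):
        print(name, audit_context(ctx) or "OK")
```

With the self-signed certificate generated in step 1, pass `cert.pem` as `ca_file` so the client can keep validation enabled instead of turning it off.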

Network Security

Firewall Configuration

  1. UFW (Uncomplicated Firewall):

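    # Allow only specific IPs (replace trusted_ip with the permitted address).
    # These rules only restrict access when the default incoming policy is deny.
    sudo ufw allow from trusted_ip to any port 5555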
    
    # Or restrict to VPN network
    sudo ufw allow in on tun0 to any port 5555
    
  2. iptables:

    # Allow specific subnet
    sudo iptables -A INPUT -p tcp -s 10.0.0.0/24 --dport 5555 -j ACCEPT
    
    # Drop other connections (rules are matched in order, so this must come after the ACCEPT)
    sudo iptables -A INPUT -p tcp --dport 5555 -j DROP
    

Port Security

  • Use non-standard ports
  • Implement rate limiting
  • Monitor connection attempts
  • Block repeated failed attempts

Authentication & Authorization

Client Authentication

# Configuration example
auth_config = {
    "token_expiry": 3600,  # 1 hour
    "max_attempts": 3,
    "lockout_period": 300,  # 5 minutes
    "require_2fa": True
}

Permission Levels

  1. Read-only

    • System information
    • Status monitoring
    • Log viewing
  2. Standard

    • Command execution
    • File transfers
    • Shell access
  3. Administrative

    • Client management
    • Configuration changes
    • Security settings

Secure Configuration

File Permissions

# Set ownership and permissions
sudo chown -R remotelypy:remotelypy /etc/remotelypy
sudo chmod 750 /etc/remotelypy
sudo chmod 640 /etc/remotelypy/config.yaml
sudo chmod 600 /etc/remotelypy/ssl/*

Secure Defaults

# Example secure configuration
security:
  ssl:
    enabled: true
    min_tls_version: "1.2"
    verify_certs: true
    cert_path: "/etc/remotelypy/ssl/cert.pem"
    key_path: "/etc/remotelypy/ssl/key.pem"

  authentication:
    require_token: true
    token_rotation: true
    rotation_interval: 86400 # 24 hours

  logging:
    audit_enabled: true
    log_level: "INFO"
    max_log_size: 10485760 # 10MB
    backup_count: 5

Logging & Monitoring

Audit Trail

  • Command execution history
  • Connection attempts
  • Configuration changes
  • Security events

Log Format

{
  "timestamp": "2023-12-01T12:00:00Z",
  "event": "command_execution",
  "client_id": "client123",
  "command": "ls -la",
  "user": "operator",
  "source_ip": "10.0.0.100",
  "status": "success"
}

Monitoring Setup

# Log monitoring
sudo tail -f /var/log/remotelypy/audit.log | grep -i "security"

# Set up alerts
sudo logwatch --service remotelypy --range today --detail high

# Monitor connections
watch -n1 "netstat -ant | grep ':5555'"

Incident Response

Security Checklist

  1. Immediate Actions

    • Suspend compromised clients
    • Rotate security tokens
    • Block suspicious IPs
    • Preserve logs and evidence
  2. Investigation

    • Review audit logs
    • Analyze network traffic
    • Check file integrity
    • Document findings
  3. Recovery

    • Update security configurations
    • Patch vulnerabilities
    • Reset credentials
    • Restore from clean backups

Emergency Commands

# Suspend all connections
sudo python main.py controller --emergency-shutdown

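# Block all incoming connections
# ufw applies the first matching rule, so the deny is inserted at position 1
# to take effect ahead of any earlier allow rules for port 5555
sudo ufw insert 1 deny 5555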

# Rotate all security tokens
sudo python main.py controller --rotate-tokens

# Generate incident report
sudo python main.py audit --generate-report

Best Practices

Regular Maintenance

  1. Updates and Patches

    # Update RemotelyPy
    git pull origin main
    pip install --upgrade -r requirements.txt
    
    # Restart services
    sudo systemctl restart remotelypy-controller
    
  2. Security Audits

    • Weekly log review
    • Monthly configuration review
    • Quarterly penetration testing
    • Annual security assessment

Backup Strategy

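# Backup configuration
# The archive includes ssl/key.pem, so store it with restricted permissions
sudo tar -czf remotelypy-config-$(date +%Y%m%d).tar.gz /etc/remotelypy

# Backup SSL certificates (-a preserves ownership and permissions on the key)
sudo cp -a /etc/remotelypy/ssl /etc/remotelypy/ssl.backup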

# Backup logs
sudo rsync -av /var/log/remotelypy/ /backup/logs/

Additional Resources