Hey this looks like a fun thing to play with, I like what you've done.
I logged in and accessed it. Now that it's been some time since you
announced it and it's still running, I guess it has had some testing
already.
I don't see anything wrong with what you have done after a quick look,
it seems like you took some steps to secure it.
If you care about security you want to think about defense in depth.
Even if there don't appear to be ways for arbitrary filesystem or
network access to happen, you have to consider the effect of bugs in
your program and bugs in python itself.
To protect against unwanted filesystem access, I suggest:
* use a vm without anything else important on it
* consider filesystem quotas
* lock down the user as much as possible. Consider e.g. apparmor or
selinux. Maybe consider containerization/capabilities inside the VM
To protect against unwanted network access:
* prevent all outgoing network connections from the VM using
iptables/nftables (or whitelist any that are necessary)
* again consider networking restrictions using apparmor or selinux.
What level of protection is necessary will depend on the severity of
impact in the case it gets hacked, and also your own level of
conscientiousness.
Also consider putting in some monitoring; monitor network bandwith and
CPU usage at least (perhaps # of logins as well) and set up an alert if
those go outside limits, so you get timely notification if something
should happen.
Have fun,
Alex
P.S. this brings to mind
https://en.wikipedia.org/wiki/Russell_Coker#SELinux_Play_Machine, which
is no longer operating.
When you say "expose it to the internet via SSH", do you mean expose it
to everyone (e.g. by publishing the pssword), or will there still be
some restrictions on who can access it? If the former, you should be
able to set up ssh without any password required.
On 16/02/24 21:36, Ralph Aichinger wrote:
Hello fellow Debianites!
I want do do a custom CLI for a project, and I am quite happy with the
Python cmd module. Aside from having a practically un-googleable name
it is very nice, and does a lot with very little code. So far, so good.
But:
If I write a Python script with this module, and expose it to the
internet via SSH, will hell break loose? So far I've done the
following:
1. Put my script in /usr/local/bin/turtle (the canonical example in the
docs is something with turtle), you can see the sourcecode of my script
here:
https://pi.h5.or.at/mockturtle.txt
This script does absolutely nothing sensible, you can try it out
by doing a
ssh -l admin probe.aisg.at
from a IPv6 capable host (sorry, no IPv4). The password is "admin".
Any and all suggestions on stuff that is stupid and crazy from a
security standpoint in this script are very much appreciated!
2. Then I put /usr/local/bin/turtle in /etc/shells
3. I added a user "admin" that has /usr/local/bin/turtle as shell
4. I added following stanza to /etc/ssh/sshd_config
Match User admin
X11Forwarding no
AllowTcpForwarding no
ForceCommand /usr/local/bin/turtle
5. In the script I tried to catch the Ctrl-C signal, so the interpreter
does not give out too obvious error messages (that show what is going
on behind the scenes).
Is this enough to harden this setup against escaping into a shell
or the full python interpreter, to do something nasty? Or is it
completely crazy, because theere is some way to abuse a setup like
this, that I have not found yet?
TIA
Ralph
