Ylianst / MeshCentral

A complete web-based remote monitoring and management web site. Once set up, you can install agents and perform remote desktop sessions to devices on the local network or over the Internet.
https://meshcentral.com
Apache License 2.0

Meshagent IP address change alert/block #6111

Open HuFlungDu opened 4 months ago

HuFlungDu commented 4 months ago

The documentation for the Meshcentral Design Architecture mentions a possible attack regarding cloning a Meshcentral agent:

"A possible attack would occur if someone were to be able to access the agent root certificate. They could impersonate the agent to the server. Agents don't have any rights to perform management operations on the server or other agents, but by impersonating an agent, a rogue agent would pretend to be an office computer to which an administrator would log in with their username & password, especially when the root is not hardened"

While this is a very specific attack, and for the most part would not allow for any additional privileges, one such attack could occur in the case where a user has cloned an agent, and then their rights on that machine have been revoked. In this case, they could set up a clone at their physical location and perform the stated attack.

I think a way to help this would be to notify a user if the device to which they are attempting to connect has changed its IP address since they last connected.

Alternatively, an option could be added that if the agent is connecting from a different IP address than it has in the past, either a device or group administrator needs to approve it before the agent is trusted again.

si458 commented 4 months ago

Your suggestion wouldn't work in theory

For example, I have meshagent installed on my laptop, I use it at home. Put it to sleep, go to work, turn it on at work, and I've got a different IP address

I would have to approve/accept every single day

Also, what about remote devices that have, say, PIA/VPN installed? Again, my laptop for example: I use it at home, one IP address; I then VPN into work for stuff, and I have a different IP address.

HuFlungDu commented 4 months ago

In that specific case it would not be a good idea, but if it's a config option on an instance used to control static devices it would be fine, and if it's off by default it won't hurt people using it normally. It's conceptually similar to just auto-populating the "agentAllowedIP" option and applying it per agent.

silversword411 commented 4 months ago

For the average install this is a non-starter because of the false positives it'll create.

If you're working in a controlled environment it could be a useful option flag to add for monitoring.