Open HuFlungDu opened 4 months ago
Your suggestion wouldn't work in theory.
For example, I have MeshAgent installed on my laptop and I use it at home. I put it to sleep, go to work, turn it on in work, and I've got a different IP address.
I would have to approve/accept every single day.
Also, what about remote devices that have, say, PIA/VPN installed? Again, my laptop for example: I use it at home with one IP address, then I VPN into work for stuff and I have a different IP address.
In that specific case it would not be a good idea, but if it's a config option on an instance used to control static devices it would be fine, and if it's set default off it won't hurt people using it normally. It's conceptually similar to just auto-populating the "agentAllowedIP" option and applying it per agent.
For the average install this is a non-starter because of the false positives it'll create.
If you're working in a controlled environment it could be a useful option flag to add for monitoring.
The documentation for the MeshCentral Design Architecture mentions a possible attack regarding cloning a MeshCentral agent:
"A possible attack would occur if someone were to be able to access the agent root certificate. They could impersonate the agent to the server. Agents don’t have any rights to perform management operations on the server or other agents, but by impersonating a agent, a rogue agent would pretend to be an office computer to which administrator would login with their username & password, especially when the root is not hardened"
While this is a very specific attack, and for the most part would not allow for any additional privileges, one such attack could occur in the case where a user has cloned an agent, and then their rights on that machine have been revoked. In this case, they could set up a clone at their physical location and perform the stated attack.
I think a way to help this would be to notify a user if the device to which they are attempting to connect has changed its IP address since they last connected.
Alternatively, an option could be added that if the agent is connecting from a different IP address than it has in the past, either a device or group administrator needs to approve it before the agent is trusted again.
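
Added example, not part of the thread and not MeshCentral code: a minimal sketch of the proposed opt-in behaviour, where an agent that connects from a new source IP is held until a device or group administrator approves it. The class `AgentIpPolicy`, the option name `pinAgentIp`, the node ID and the IP addresses are all hypothetical or constructed for illustration.

```javascript
// Added example; AgentIpPolicy, pinAgentIp and the node ID are hypothetical,
// not MeshCentral APIs or config keys. IPs are constructed (RFC 5737 ranges).
class AgentIpPolicy {
  constructor({ pinAgentIp = false } = {}) {
    this.enabled = pinAgentIp; // default off: roaming/VPN agents are unaffected
    this.pinned = new Map();   // nodeId -> last approved source IP
    this.pending = new Map();  // nodeId -> new source IP awaiting approval
  }

  // Called after the agent has authenticated with its certificate.
  onAgentConnect(nodeId, ip) {
    if (!this.enabled) return { state: 'trusted' };
    const pinnedIp = this.pinned.get(nodeId);
    if (pinnedIp === undefined) {        // first contact: trust on first use
      this.pinned.set(nodeId, ip);
      return { state: 'trusted' };
    }
    if (pinnedIp === ip) return { state: 'trusted' };
    this.pending.set(nodeId, ip);        // hold sessions until an admin decides
    return { state: 'pending-approval', previousIp: pinnedIp, newIp: ip };
  }

  // A device or group administrator accepts the new address as the pin.
  approve(nodeId) {
    if (!this.pending.has(nodeId)) return false;
    this.pinned.set(nodeId, this.pending.get(nodeId));
    this.pending.delete(nodeId);
    return true;
  }

  // The administrator rejects the change; the old pin stays in force.
  reject(nodeId) { return this.pending.delete(nodeId); }
}

// Walk one static device through first contact, an IP change and an approval.
function demo() {
  const policy = new AgentIpPolicy({ pinAgentIp: true });
  const states = [];
  states.push(policy.onAgentConnect('node-static-01', '192.0.2.10').state);
  states.push(policy.onAgentConnect('node-static-01', '192.0.2.10').state);
  states.push(policy.onAgentConnect('node-static-01', '203.0.113.7').state);
  policy.approve('node-static-01');
  states.push(policy.onAgentConnect('node-static-01', '203.0.113.7').state);
  return states;
}
console.log(demo());
```

With the option left at its default, every connection is reported as trusted, which matches the roaming-laptop case raised in the replies.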