Additional security measures for the MeshCentral component

[Byolock]

From my understanding the current security of the integrated MeshCentral2 component is based on a long random password generated in the setup routine and setting "maxInvalidLogin" inside the MeshCentral2 config.
I found out that MeshCentral by itself has multiple other options :

• OTP 2FA
• Yubikey 2FA
• PushAuth 2FA with Android App
• LoginKey 3FA (configures MeshCentral to only show the website if a secret key is passed in the url with "?key=secretkey"
• Separating Agent Port from Frontend Port and keeping Frontend internal.
• Crowdsec MeshCentral Bouncer

I wondered which of these could work (unsupported) with tacticalrmm. The LoginKey 3FA obviously needs changes in the source code, the login urls need to be changed to include the loginkey set in the meshcentral config.
The changes should be relatively small however, somewhere to configure a LoginKey within tactialrmm and then if present add this login key to the MeshCentral URLs. Should I open a Feature Request for this or is there no interest from the tacticalrmm team in implementing this?

Crowdsec Bouncer should work as it only redirects in case your IP has been banned.

Has anybody tested adding any 2FA authentication or separating agent and Frontend ports? I think the TacticalAgent Installation Routine requires access to the Frontend to download the meshagent?
Any other things you have done to limit MeshCentral Frontend accessibility?

[Byolock]

Got another Idea:
MeshCentral has this option:
skip2factor": { "type": "string", "description": "IP addresses where 2FA login is skipped, for example: 127.0.0.1,192.168.2.0/24" },

This should make it possible to enable 2fa and then enter the local IP range as an exclusion, TacticalRMM would still be able to connect as usual because this is internal traffic. Everybody on the WAN, even if he somehow got the password wouldn't be able to get in. I would still like the Login Key feature however, should distress many of the automated scans.

[silversword411]

TRMM is fundamentally built against the django framework. I believe trying to carve out custom security bypass use cases like this is would be breaking the framework, and would be done at the risk of system-wide security. If you can find django framework supported features like this please link them, and the devs can take a look https://www.djangoproject.com/

As there are a lot of security restrictions/enhancements that can be done outside of TRMM with firewalls etc I think devs are focused on "TRMM features" at this time

[Byolock]

carve out custom security bypass use cases like this is would be breaking the framework

Just to be sure : if you mean with "security bypass" the skip 2fa authentication feature mentioned in my own reply that is entirely on the MeshCentral2 side and should not need any configuration by TRMM. It would not Skip any 2FA configured within TRMM. I guess it could be that agent deployment would work only internally but everything else should work fine. Only I couldn't test this theory yet.

The LoginKey feature is again implemented already by MeshCentral2. TRMM would only need to know about the Login Key Value and add this to the Url when a user clicks "Take Control".

As there are a lot of security restrictions/enhancements that can be done outside of TRMM with firewalls etc

I did not found any which do increase security on the MeshCentral2 Dashboard (mesh.example.com). TRMM Agents and TRMM Admin Interface is fine, I did these and I am confident in these security enhancements. Firewall seems to be impossible to use here because everything works over the same port 443. If you know any enhancements for the integrated MeshCentral2 Dashbard specifically please let me know, I would really like to have another layer there.