Skip to content

Security precautions

Jump to bottom Edit New page
Jesse Chan edited this page Nov 19, 2020 · 15 revisions

Flood usually has wide-ranging privileges to files.

  • NEVER run Flood with root or users with NOPASSWD sudo privilege.
  • Deny Flood write access and ownership to Flood's own files. Flood only needs to have r/w access to its runtime directory (--rundir) and download destinations.
  • Use --allowedpath to specify paths allowed for file operations.
  • Prohibit PHP or other dynamic pages from executing inside Flood directory (if static assets are served directly via web server).
  • Use SSL to defeat on-path attackers. Your password is in cleartext during authentication. If you don't use SSL, makes sure that the connection path is not vulnerable to eavesdropping. Plus, don't (re)use your favorite password(s).
  • While maintainers of Flood will try their best to make sure the built-in authentication system of Flood is secure, in high-stake environments, it is recommended to use HTTP Basic Auth or other battle-hardened authentication methods instead of Flood's in-house one. You can use disableUsersAndAuth to avoid duplicate authentication.
  • Avoid exposing Flood to Internet unless you are sure that you got security right.

rTorrent's script and command interface ALLOWS arbitrary code execution. IT IS NOT PROTECTED.

  • NEVER run rTorrent with root or users with NOPASSWD sudo privilege.
  • NEVER expose rTorrent's SCGI interface to Internet (or even local network).
  • Avoid using SCGI host:port mode of rTorrent. It may allow local privilege escalation (to rTorrent's account) as ports can be still accessed by any local program even if you use 127.0.0.1 as listening host.
  • Use SCGI socket mode of rTorrent. Only allows Flood to access the socket. execute.nothrow = chmod,770,(cat,/path/to/rtorrent.sock)

Containers

  • Container technologies can reduce attack surface and restrict scope of access. However, you should still pay attention to security. Intruders do NOT need to break out of container (or even get root access) to initiate cryptomining, spam email sending or using the compromised instance as proxy to attack your internal network.

IF an attacker controls your Flood instance, they may:

  • Create a cronjob in /etc/cron.d that spawns a shell.
  • Add any ssh key to /home/$USER/.ssh/authorized_keys and login over SSH.
  • Overwrite /home/$USER/.bashrc to execute commands on the next login of the user.
  • Overwrite code of Flood itself which will execute the next time it is restarted.
  • Overwrite rTorrent's configuration (.rtorrent.rc) to expose SCGI interface to Internet.

IF an attacker has access to rTorrent's SCGI interface, they may:

  • TL;DR: It is worse than SSH/RD login to rTorrent's account.
  • rTorrent's SCGI interface IS a SHELL. APIs like execute.nothrow = allow a user to execute ANYTHING at rTorrent's privilege.
  • Scheduling interfaces of rTorrent allow cron-like scheduling. It can allow persistent hard-to-detect backdoors.
  • rTorrent itself has capability to download files. Attackers don't need to use utilities like curl or wget to download external malicious executables.
Add a custom footer
Add a custom sidebar

Clone this wiki locally