Show HN: Monitor.io – remote monitoring and debugging for socket.io (drewblaisdell.github.io)
51 points by drewblaisdell on Oct 27, 2014 | hide | past | favorite | 14 comments


No auth? And it's over telnet so any auth will still be transmitted in plaintext. What next, it will ship with hard coded "admin" "password" for auth?

This is exactly why the version of devops where developers with no sysadmin/server management/etc experience try to manage servers scares the shit out of me.


There are numerous ways to ensure this isn't accessible via an external source. Indeed, even if it did come with username/password authentication, or 2-factor authentication, it still would be an exploit waiting to happen if exposed.

You shouldn't be putting these things out on the open web in the first place.

So "No auth" isn't a bad thing, as there are better tools to ensure authorization is done before ever getting access.

Edit: should to shouldn't


This could be secured with a private network and a firewall. It would be nice if the readme mentioned the security vulnerability this exposes, and maybe a suggestion on how to secure the telnet port. I am sure that someone is going to install this without thinking to secure the telnet port.


Spoiler alert: Your "private" network isn't.


This seems like something that shouldn't be listening on 0.0.0.0, so no auth wouldn't be absolutely terrible.

But everyone knows that someone will use this on a production server with unsafe settings, especially if it doesn't restrict access by default.


This could be fairly secure with an IP whitelist on the port using something like iptables, right?

Of course, you don't want it on your mission-critical production machine, but then that's not really what it's for.


I just started playing with this library, and then I had the same realization. I scanned through the readme for any mention of authentication and then put the brakes on.


This seems like very useful debugging information.

But, what about security? Can anybody who discovers the port telnet in?


Great point. I am working on adding an option for requiring a username/password to make this safe for production. It should be pushed in the next couple days.


If you make it listen on 127.0.0.1 only, you'll only be able to connect to it from a shell on the local machine, which will alleviate all of your security issues.


Good idea—I just pushed an update with this functionality.


I pushed an update with "localOnly" mode, which prevents all connections from non-localhost IPs.

monitor.io could potentially be used in production now if you telnet in from a shell on the local machine.


This looks very useful, thanks, and thanks again for making it open source and free.

Have you run some tests to measure (degradation of) performance?


Show HN: RemoteBackdoor.io -- remote monitoring and "debugging" for anything.

http://i.imgur.com/2tjbLx1.gif



