diff --git a/content/issues/2024-10-06-securing-kasm.md b/content/issues/2024-10-06-securing-kasm.md new file mode 100644 index 00000000..8122bdbb --- /dev/null +++ b/content/issues/2024-10-06-securing-kasm.md @@ -0,0 +1,70 @@ +--- +title: 'PSA: Securing KasmVNC-Based Containers' +date: '2024-10-06 21:00:00Z' +informational: true +affected: + - 'kasmvnc' +section: 'issue' +--- + +Due to a recent increase in reported issues with users exposing their KasmVNC-based containers to the internet without authentication, we have prepared the following PSA: + +By default containers using our KasmVNC baseimage have no authentication and the optional environment variables `CUSTOM_USER` and `PASSWORD` to enable basic http auth via the embedded NGINX server should only be used to secure the container from unwanted access on a local network. If you are exposing one of these containers to the Internet we recommend putting it behind a reverse proxy, such as [SWAG](https://github.com/linuxserver/docker-swag), and ensuring a secure authentication solution is in place. From the web interface a terminal can be launched and it is configured for passwordless sudo, so anyone with access to it can install and run whatever they want along with probing your local network. + +At time of publication, the list of containers using a KasmVNC baseimage is: + +* altus +* ardour +* audacity +* bambustudio +* blender +* boinc +* calibre +* calligra +* chromium +* cura +* darktable +* digikam +* doublecommander +* ferdium +* filezilla +* firefox +* freecad +* freetube +* gimp +* github-desktop +* gitqlient +* inkscape +* kali-linux +* kdenlive +* keepassxc +* kicad +* krita +* libreoffice +* librewolf +* lollypop +* mediaelch +* msedge +* mullvad-browser +* mysql-workbench +* obsidian +* opera +* orcaslicer +* pidgin +* qdirstat +* rawtherapee +* remmina +* rustdesk +* series-troxide +* shotcut +* spotube +* sqlitebrowser +* steamos +* ungoogled-chromium +* vscodium +* webcord +* webtop +* wireshark +* wps-office +* yaak +* zotero