## 🧭 Responsibility Disclaimer NetAlertX provides powerful tools for network scanning, presence detection, and automation. However, **it is up to youβ€”the deployerβ€”to ensure that your instance is properly secured**. This includes (but is not limited to): - Controlling who has access to the UI and API - Following network and container security best practices - Running NetAlertX only on networks where you have legal authorization - Keeping your deployment up to date with the latest patches > NetAlertX is not responsible for misuse, misconfiguration, or unsecure deployments. Always test and secure your setup before exposing it to the outside world. # πŸ” Securing Your NetAlertX Instance NetAlertX is a powerful network scanning and automation framework. With that power comes responsibility. **It is your responsibility to secure your deployment**, especially if you're running it outside a trusted local environment. --- ## ⚠️ TL;DR – Key Security Recommendations - βœ… **NEVER expose NetAlertX directly to the internet without protection** - βœ… Use a **VPN or Tailscale** to access remotely - βœ… Enable **password protection** for the web UI - βœ… Harden your container environment (e.g., no unnecessary privileges) - βœ… Use **firewalls and IP whitelisting** - βœ… Keep the software **updated** - βœ… Limit the scope of **plugins and API keys** --- ## πŸ”— Access Control with VPN (or Tailscale) NetAlertX is designed to be run on **private LANs**, not the open internet. **Recommended**: Use a VPN to access NetAlertX from remote locations. ### βœ… Tailscale (Easy VPN Alternative) Tailscale sets up a private mesh network between your devices. It's fast to configure and ideal for NetAlertX. πŸ‘‰ [Get started with Tailscale](https://tailscale.com/) --- ## πŸ”‘ Web UI Password Protection By default, NetAlertX does **not** require login. Before exposing the UI in any way: 1. Enable password protection: ```ini SETPWD_enable_password=true SETPWD_password=your_secure_password ``` 2. Passwords are stored as SHA256 hashes 3. Default password (if not changed): 123456 β€” change it ASAP! > To disable authenticated login, set `SETPWD_enable_password=false` in `app.conf` --- ## πŸ”₯ Additional Security Measures - **Firewall / Network Rules** Restrict UI/API access to trusted IPs only. - **Limit Docker Capabilities** Avoid `--privileged`. Use `--cap-add=NET_RAW` and others **only if required** by your scan method. - **Keep NetAlertX Updated** Regular updates contain bug fixes and security patches. - **Plugin Permissions** Disable unused plugins. Only install from trusted sources. - **Use Read-Only API Keys** When integrating NetAlertX with other tools, scope keys tightly. --- ## 🧱 Docker Hardening Tips - Use `read-only` mount options where possible (`:ro`) - Avoid running as `root` unless absolutely necessary - Consider using `docker scan` or other container image vulnerability scanners - Run with `--network host` **only on trusted networks** and only if needed for ARP-based scans --- ## πŸ“£ Responsible Disclosure If you discover a vulnerability or security concern, please report it **privately** to: πŸ“§ [jokob@duck.com](mailto:jokob@duck.com?subject=NetAlertX%20Security%20Disclosure) We take security seriously and will work to patch confirmed issues promptly. Your help in responsible disclosure is appreciated! --- By following these recommendations, you can ensure your NetAlertX deployment is both powerful **and** secure.