ilia/nanobot
1
0
Fork 0
Code Issues Pull Requests 1 Actions Packages Projects Releases Wiki Activity
nanobot/SECURITY_CONFIGURATION.md
tanyar09 9c9c4e3ebf Add security configuration documentation 
- Comprehensive security configuration guide for nanobot
- Production deployment security checklist
- Channel access control configuration
- API key and credential management
- Workspace and file system security settings
2026-03-03 13:13:42 -05:00

291 lines
6.2 KiB
Markdown
Raw Blame History

# Nanobot Security Configuration Guide
This guide provides step-by-step instructions for securing your nanobot installation.
## Quick Security Setup
### 1. Secure Configuration File
```bash
# Set proper permissions on config file
chmod 600 ~/.nanobot/config.json
# Set proper permissions on nanobot directory
chmod 700 ~/.nanobot
```
### 2. Configure Channel Access Control
**CRITICAL**: Empty `allowFrom` lists allow ALL users. Always configure this in production!
#### Telegram Example
```json
{
"channels": {
"telegram": {
"enabled": true,
"token": "YOUR_BOT_TOKEN",
"allowFrom": ["123456789", "987654321"]
}
}
}
```
To find your Telegram user ID:
1. Message `@userinfobot` on Telegram
2. Copy your user ID
3. Add it to the `allowFrom` list
#### WhatsApp Example
```json
{
"channels": {
"whatsapp": {
"enabled": true,
"allowFrom": ["+1234567890", "+0987654321"]
}
}
}
```
Use full phone numbers with country code (e.g., `+1` for US).
#### Email Example
```json
{
"channels": {
"email": {
"enabled": true,
"allowFrom": ["user@example.com", "admin@example.com"]
}
}
}
```
### 3. Enable Workspace Restrictions
Restrict file operations to a specific directory:
```json
{
"agents": {
"defaults": {
"restrictToWorkspace": true
}
}
}
```
This ensures nanobot can only access files within `~/.nanobot/workspace`.
### 4. Run as Non-Root User
**NEVER run nanobot as root!**
```bash
# Create dedicated user
sudo useradd -m -s /bin/bash nanobot
# Switch to nanobot user
sudo -u nanobot bash
# Run nanobot
python3 -m nanobot.cli.commands agent -m "hello"
```
### 5. Configure Command Timeouts
Limit command execution time:
```json
{
"agents": {
"defaults": {
"execConfig": {
"timeout": 30
}
}
}
}
```
Default is 60 seconds. Reduce for stricter security.
## Advanced Security Configuration
### 1. Custom Command Blocking
You can add custom blocked command patterns by modifying the ExecTool initialization, but this requires code changes. The default patterns block:
- `rm -rf`, `rm -r`, `rm -f`
- `format`, `mkfs.*`
- `dd if=`
- `shutdown`, `reboot`, `poweroff`
- Fork bombs
### 2. Network Security
#### Restrict Outbound Connections
Use a firewall to restrict what nanobot can access:
```bash
# Example: Only allow HTTPS to specific domains
sudo ufw allow out 443/tcp
sudo ufw deny out 80/tcp # Block HTTP
```
#### WhatsApp Bridge Security
The WhatsApp bridge binds to `127.0.0.1:3001` (localhost only) by default. For additional security:
```json
{
"channels": {
"whatsapp": {
"enabled": true,
"bridgeToken": "your-secret-token-here"
}
}
}
```
Set a `bridgeToken` to enable shared-secret authentication between Python and Node.js components.
### 3. Log Monitoring
Set up log monitoring to detect security issues:
```bash
# Monitor access denials
tail -f ~/.nanobot/logs/nanobot.log | grep "Access denied"
# Monitor blocked commands
tail -f ~/.nanobot/logs/nanobot.log | grep "blocked by safety guard"
# Monitor all tool executions
tail -f ~/.nanobot/logs/nanobot.log | grep "ExecTool:"
```
### 4. Regular Security Audits
#### Check Dependencies
```bash
# Python dependencies
pip install pip-audit
pip-audit
# Node.js dependencies (for WhatsApp bridge)
cd bridge
npm audit
npm audit fix
```
#### Review Logs
```bash
# Check for suspicious activity
grep -i "error\|denied\|blocked" ~/.nanobot/logs/nanobot.log | tail -100
# Check file operations
grep "write_file\|edit_file" ~/.nanobot/logs/nanobot.log | tail -100
```
### 5. API Key Rotation
Rotate API keys regularly:
1. Generate new API keys from your provider
2. Update `~/.nanobot/config.json`
3. Restart nanobot
4. Revoke old keys after confirming new ones work
### 6. Environment Isolation
Run nanobot in a container or VM for better isolation:
```bash
# Using Docker (if Dockerfile exists)
docker build -t nanobot .
docker run --rm -it \
-v ~/.nanobot:/root/.nanobot \
-v ~/.nanobot/workspace:/root/.nanobot/workspace \
nanobot
```
## Security Checklist
Before deploying nanobot in production:
- [ ] Config file permissions set to `0600`
- [ ] Nanobot directory permissions set to `700`
- [ ] All channels have `allowFrom` lists configured
- [ ] Running as non-root user
- [ ] `restrictToWorkspace` enabled
- [ ] Command timeout configured
- [ ] API keys stored securely (not in code)
- [ ] Logs monitored for security events
- [ ] Dependencies updated and audited
- [ ] Firewall rules configured (if needed)
- [ ] Backup and disaster recovery plan in place
## What Nanobot Cannot Do (Built-in Protections)
Nanobot has built-in protections that prevent:
1. **Destructive Commands**: `rm -rf /`, `format`, `mkfs`, `dd`, `shutdown`, etc.
2. **Path Traversal**: `../` and `..\\` are blocked when workspace restrictions are enabled
3. **System File Access**: When restricted, cannot access files outside workspace
4. **Unlimited Execution**: Commands timeout after configured limit (default 60s)
5. **Unlimited Output**: Command output truncated at 10KB
6. **Unauthorized Access**: Channels check `allowFrom` lists before processing messages
## Incident Response
If you suspect a security breach:
1. **Immediately revoke compromised API keys**
```bash
# Update config.json with new keys
nano ~/.nanobot/config.json
```
2. **Review logs for unauthorized access**
```bash
grep "Access denied" ~/.nanobot/logs/nanobot.log
```
3. **Check for unexpected file modifications**
```bash
find ~/.nanobot/workspace -type f -mtime -1 -ls
```
4. **Rotate all credentials**
- Update API keys
- Update channel tokens
- Update bridge tokens (if using WhatsApp)
5. **Update to latest version**
```bash
pip install --upgrade nanobot-ai
```
6. **Report the incident**
- Email: xubinrencs@gmail.com
- Include: Description, steps to reproduce, potential impact
## Additional Resources
- [SECURITY.md](SECURITY.md) - Full security policy and best practices
- [SETUP_GUIDE.md](SETUP_GUIDE.md) - Setup and configuration guide
- [README.md](README.md) - General documentation
## Questions?
If you have security concerns or questions:
- Review [SECURITY.md](SECURITY.md)
- Check nanobot logs for errors
- Contact maintainers: xubinrencs@gmail.com
Reference in New Issue View Git Blame Copy Permalink