How do you secure jupyterq?
What is best practice?
By default the notebook server only listens on localhost and so only local clients will have access to the notebooks, and remote clients will not be able to connect. Token authentication is enabled and a token is generated and logged in the terminal every time the notebook server is started, which can be copied/pasted into the browser. This provides a layer of authentication from other users on the server.
You can set a hashed password for the notebook server using the command jupyter notebook password, which will prompt you for a password and save a hashed version in your configuration file. Alternatively you can hash your own password in python and set the c.NotebookApp.password field in the configuration file to this. Details about this can be found here.
In order to change the configuration settings, you have to have a jupyter_notebook_config.py file in your Jupyter folder, which is located at ~/.jupyter in your home directory. To generate a configuration file with all the default settings commented out you can use the command jupyter notebook --generate-config, or you can manually create one, but the former is easier. I would also suggest double checking that the permissions on the configuration file suit your use so that only allowed users can read the file (and therefore the password).
The biggest security issues lie in allowing outside access to the notebooks. Firstly, this is because you do not want the hashed password for the notebook to be sent unencrypted. At the minimum you should be using SSL for encrypted communication between the client and the notebook server to counter this. Additionally, since notebooks are built for arbitrary code execution they provide more opportunities for malicious behaviour than regular files. These range from simply having access to your “private” work and taking advantage of your computing resource to purposefully overloading your system. Enabling SSL is very simple as https://letsencrypt.org/ provide free certificates. Instructions for enabling SSL can be found here.
If you want to set your notebook up publicly, then the c.NotebookApp.allow_origin and c.NotebookApp.ip fields in the configuration file will need to be modified. Referring to this post, if the notebook is hosted on a cloud server then it has potential to be accessed by other local users on the server, who can guess the port it is on. The notebook should be treated as publicly viewable on a cloud server and so authentication is imperative.
JupyterHub may also be of interest to you and I would recommend checking it out. It turns jupyter from a one-user application into an application with proper support for multiple users and includes plugins for popular authentication methods such as OAuth and Kerberos on top of HTTPS communication, which is a prerequisite to use it.
Hope this helps,
Mark Kelly
AquaQ Analytics
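The steps in the reply above (hash a password, put it and the SSL certificate paths into jupyter_notebook_config.py, and lock down the file's permissions) can be done from a small script. The following is an added example written for this thread, not code from the reply, from jupyterq or from the Jupyter project. It assumes the classic notebook server's salted hash format ("algorithm:salt:hexdigest", 12 hex characters of salt, as produced by notebook.auth.passwd() in the versions current at the time of the post); the certificate paths and the passphrase are constructed placeholders.

```python
import hashlib
import os
import secrets
import stat
import tempfile


def hash_passphrase(passphrase, salt=None, algorithm="sha1"):
    """Return "algorithm:salt:hexdigest" in the classic notebook server's format.

    Assumption: salted SHA-1 with a 12-hex-character salt, which is what
    `jupyter notebook password` stored in c.NotebookApp.password at the time.
    """
    if salt is None:
        salt = secrets.token_hex(6)  # 6 random bytes -> 12 hex characters
    h = hashlib.new(algorithm)
    h.update(passphrase.encode("utf-8") + salt.encode("ascii"))
    return ":".join((algorithm, salt, h.hexdigest()))


def check_passphrase(passphrase, hashed):
    """Verify a passphrase against a stored hash (constant-time digest compare)."""
    algorithm, salt, digest = hashed.split(":", 2)
    h = hashlib.new(algorithm)
    h.update(passphrase.encode("utf-8") + salt.encode("ascii"))
    return secrets.compare_digest(h.hexdigest(), digest)


def render_config(hashed_password, certfile, keyfile, ip="localhost", allow_origin=""):
    """Build the jupyter_notebook_config.py text for a password + SSL setup.

    ip/allow_origin stay at their restrictive defaults unless the caller
    deliberately opens the server up, as the reply above describes.
    """
    lines = [
        "c = get_config()",
        "c.NotebookApp.password = %r" % hashed_password,
        "c.NotebookApp.certfile = %r" % certfile,
        "c.NotebookApp.keyfile = %r" % keyfile,
        "c.NotebookApp.ip = %r" % ip,
        "c.NotebookApp.allow_origin = %r" % allow_origin,
    ]
    return "\n".join(lines) + "\n"


def write_config(path, text):
    """Write the config so that only the owner can read it (the hash lives in it)."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as f:
        f.write(text)
    os.chmod(path, 0o600)  # O_CREAT's mode is ignored for a pre-existing file


def check_config_permissions(path):
    """Return a list of problems if group/others can read or write the file (POSIX)."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    problems = []
    if mode & (stat.S_IRGRP | stat.S_IROTH):
        problems.append("readable by group/others (mode %o)" % mode)
    if mode & (stat.S_IWGRP | stat.S_IWOTH):
        problems.append("writable by group/others (mode %o)" % mode)
    return problems


def demo():
    """Hash a constructed passphrase, write a config and check its permissions."""
    hashed = hash_passphrase("correct horse battery staple")  # constructed passphrase
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "jupyter_notebook_config.py")
        # Placeholder certificate paths; a real deployment points these at the
        # files issued by Let's Encrypt or another CA.
        text = render_config(
            hashed,
            certfile="/path/to/fullchain.pem",
            keyfile="/path/to/privkey.pem",
        )
        write_config(path, text)
        return check_config_permissions(path)


if __name__ == "__main__":
    print("permission problems:", demo() or "none")
```

Running the script reports no permission problems because write_config creates the file with mode 0600; pointing check_config_permissions at an existing ~/.jupyter/jupyter_notebook_config.py is the quick audit the reply recommends.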
On Thursday, 7 June 2018 20:26:17 UTC+1, MLabs wrote:
How do you secure jupyterq?
What is best practice?
How do you stop someone from accessing the file system by opening terminal, instead of creating a notebook? Or “!ls” command.