MobXcess: Secure Server Access from Mobile Devices

MobXcess: Secure Server Access from Mobile Devices

Purpose of MobXcess

Play this article

MobXcess facilitates executing predefined commands on a server via a REST API.

Frontend GitHub Repo

Backend GitHub Repo

Basic Idea of MobXcess

Executable commands are predefined on the server in a format (JSON in this case). These commands are parsed by the backend system and sent over to the client via a REST API. The client receives randomly unique IDs of the commands and requests execution of the commands by sending back the ID to the server. The server executed the command defined on its end and returns the result to the client. The communication between the client and server is encrypted using AES-256-GCM and optional SSL.

Inspiration for MobXcess

  1. While interning at an organization, all devs were signed off and in bed. Suddenly a service went down and its fix was a restart. However, no one had the willingness to boot their systems, SSH into the server, and restart the service. The overenergetic intern expressed willingness but was denied SSH access for reasons which are summarized below

    • An intern cannot be trusted with production server access credentials

    • Providing SSH credentials with restricted and limited access is an option but managing and administering such keys at an organizational level is a challenge that needs dedicated resources

    • Even with restricted and limited access to a terminal, security risks exist and it's not feasible to manage credentials with extreme precision

Tasks to be performed here: Restart

  1. While interning at an organization as a backend intern working with NodeJS, a push made to the staging branch was auto-deployed. Logs are a necessity when testing. The server hosted other crucial services due to which SSH access to the server was denied. For logs, I hit an API and texted the server admin for logs who had to SSH into the server and share a screenshot of the logs over Slack. This was inconvenient as sometimes I had to wait for long durations for the logs while my PM called me multiple times.

    Tasks to be performed here: Logs Monitoring

Use cases of MobXcess

  1. Since MobXcess has commands predefined, no action except them can be performed by the user. Thus the risk of user mishaps in sensitive environments is eliminated

  2. Logs Monitoring & Service Restarts as elaborated in the above cases

  3. If a user should only have access to a very specific command or sequence of commands

  4. A provision for GUI-oriented, less Linux-savvy users as expressed by a Redditor

  5. Users away from shell environments like sysadmins on vacation can utilize MobXcess for routine health checks and monitoring

  6. If a mobile device with SSH provision is compromised, the french pack might be deleted (rm -fr /) but on MobXcess it isn't that easy

How is it different from SSH?

Consider SSH as a sword and MobXcess as a knife and the use cases mentioned above as apples. Surely you can cut an apple with a sword but a knife might be better suited.

While SSH can be used for the mentioned use cases, from my experience it wasn't feasible.

It all depends on the use cases that exist, MobXcess doesn't aim to be an SSH replacement, it aims to offer a convenience factor to certain use cases.

Taking to Production

MobXcess is not yet production ready. The following aspects are needed before considering MobXcess for production:

  • Code Audit to verify code quality and security practices

  • Security Testing on the overall system

Do contribute to these aspects by following the contribution guidelines.

Contact

I'm looking for some opinions on it from senior folks. Being a college student my thought process isn't on par with how things work at the enterprise level so I want to understand more about it. Anyone up for it or someone with whom I connect you can recommend would be great. Contact me at [email protected]

Did you find this article valuable?

Support Wilfred Almeida by becoming a sponsor. Any amount is appreciated!