Disabling remote SSH, OTA and public URL locally

Hi, for a product we're developing, a requirement which has come up due to security and privacy concerns is to allow the device itself to disable remote access, updates and also the public URL.

For the public URL, unless directly configurable, we could simply use iptables to block the balena VPN from accessing any of our containers.

For updates I suppose we could also use a lock file to prevent updates.

But when it comes to blocking remote access with SSH, is there any way to do this?

The idea is that the end user, on e.g. a configuration page, will be able to toggle these features.

Or perhaps there is a way to simply make the device not contact Balena if the user chooses to do so?

Hello @Simontaga, not sure if you solved this! Apologies for the long delay in answering this!

There is no way to disable SSH via the dashboard, API or supervisor. Check here what configurations are possible.

Could you please let us know more about your use case for needing to block remote access with SSH and others?

Thanks

The use case is that a device is shipped to a customer and connected to sensitive equipment, e.g. PLCs, and the possibility of e.g. a bad actor being able to access Balena Cloud and then being able to remotely access the device (and in turn being able to manipulate sensitive equipment) is a big concern for certain customers.

Simply pulling the plug won't do since the device is supposed to make outbound connections for e.g. uploading data.

Hello @Simontaga thanks for sharing your use case.

Did you try to disable the VPN for the device? The VPN is used for public URL and SSH / real-time updates, hostOS updates and more.

Having said that, a balenaCloud account that has access to devices shouldn't be compromised. If that's the case, you should contact us.

Let us know if that solution works for you.

BTW how would you like to update the software running on your devices?

I have not attempted that as of yet, but that solution might just work for this use case. Looking into it, it seems as if using the supervisor API we can toggle this locally, and I think this will do, thanks!

As for updates, our hope is that down the line Balena will support offline updates (with persistent data), and as far as I know this feature is planned down the road but is not highly prioritised as of now. I do understand that complete offline updates may not be a very common requirement.

We believe we are able to technically allow offline updates by roughly doing the following steps:

  1. Pointing the supervisor to a self-hosted API (on the device) and injecting self-signed certificates (balenaRootCa)
  2. Using balena-engine load images
  3. Update target state and the device will use the manually loaded images.

Although we're unsure if this could potentially cause conflict with the balena supervisor and/or when OTA updates come into play in between offline updates.

@Simontaga another solution shared by one of my colleagues is that you could try to stop the sshd service using dbus from the container entry script. I haven’t tested this myself yet.

Then you could control the start/stop of the service using an application variable from balenaCloud.

Does that make sense to you?
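The dbus approach suggested above, sketched as an added example that is not part of the original thread or balena's own code. It assumes the service has the `io.balena.features.dbus` label so the host bus is reachable, that the host's SSH listener is the systemd unit `sshd.socket` (an assumption, override with `SSH_UNIT`), and `REMOTE_SSH` is a hypothetical variable name.

```shell
#!/bin/sh
# Entry-script helper: start or stop the host SSH listener over D-Bus.
# Assumed names (not from the thread): REMOTE_SSH, SSH_UNIT, DBUS_SEND.

: "${DBUS_SYSTEM_BUS_ADDRESS:=unix:path=/host/run/dbus/system_bus_socket}"
export DBUS_SYSTEM_BUS_ADDRESS
SSH_UNIT="${SSH_UNIT:-sshd.socket}"   # assumed host unit name
DBUS_SEND="${DBUS_SEND:-dbus-send}"   # overridable for dry runs

# Map the variable to a systemd Manager method. Only an explicit opt-in
# starts SSH; unset, empty or unrecognised values fail closed (stop).
ssh_method() {
    case "$1" in
        1|true|on|enabled) echo StartUnit ;;
        *)                 echo StopUnit ;;
    esac
}

# Ask systemd on the host to start/stop the unit and log the decision.
apply_ssh_policy() {
    method=$(ssh_method "$1")
    echo "remote-access: $method $SSH_UNIT" >&2
    $DBUS_SEND --system --print-reply \
        --dest=org.freedesktop.systemd1 /org/freedesktop/systemd1 \
        "org.freedesktop.systemd1.Manager.$method" \
        "string:$SSH_UNIT" string:replace
}

# Entry-script usage: /usr/src/app/remote-access.sh --apply
if [ "${1:-}" = "--apply" ]; then
    apply_ssh_policy "${REMOTE_SSH:-}" || {
        echo "remote-access: could not apply SSH policy" >&2
        exit 1
    }
fi
```

`StopUnit` is a runtime change only: the host starts the unit again at boot, so SSH is reachable until the container's entry script has run. If the unit is a socket-activated listener, stopping it refuses new connections but does not end sessions that are already open.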

That could also work, at least we have some options to try out. Thank you!
