Protect Services

Once a balenaOS device is booted, I press ALT+F2 to see the login prompt, input root to login.

Once logged in, I execute balena ps to get the list of running services, and then execute balena exec -it <service id> sh to dig into the shell prompt of any container.
Not good for security! :slight_smile:

How can we prevent this?

Is there anyway to disable tty consoles? tty1~tty6?

Otherwise, can we setup a new password of root user?

I was using development image…
Production image doesn’t have this isuse.


Hi there – thanks for your question. If I understand you correctly, you are using a development version of balenaOS. As you’ve found, this allows easy access to the device through passwordless login and other means. This is by design: the use case for the development version of balenaOS is quick prototyping in a trusted network (such as a your home LAN) during development or troubleshooting. This makes development easy, but of course (as you’ve found) it also makes the device less secure.

We do not recommend that you use the development version of balenaOS for production devices; instead, we strongly recommend the use of the production version of balenaOS. The production version of balenaOS does not have these methods of logging in enabled. The full set of differences is outlined here, but the short version is:

  • Production images do not allow password-less root access
  • SSH keys must be added to the device to allow direct SSH access
  • Virtual consoles are disabled

More detail can be found at that link; I would also recommend reading our page on the security of balena devices.d

You can, of course, skip using the development version of balenaOS during the prototyping phase if that suits your needs better; it may make development a bit slower, but it’s perfectly possible.

I hope this helps. Please let us know if you have any other questions.

All the best,

1 Like