diff --git a/docs/docs/meshcentral/assistant.md b/docs/docs/meshcentral/assistant.md index 9c27b5ac..5da427ef 100644 --- a/docs/docs/meshcentral/assistant.md +++ b/docs/docs/meshcentral/assistant.md @@ -23,3 +23,9 @@ For web page customization: 3. That copy will be served instead of the default one, you can customize as you want. ![agent invite code](images/assistant_invitation_link.png) + +## Email notification + +You can also get an email notification when someone clicks the "Request Help" button in the Assistant agent. + +![](images/2022-09-06-16-38-57.png) diff --git a/docs/docs/meshcentral/codesigning.md b/docs/docs/meshcentral/codesigning.md index aeea42ef..8fd46f7b 100644 --- a/docs/docs/meshcentral/codesigning.md +++ b/docs/docs/meshcentral/codesigning.md @@ -80,4 +80,22 @@ If you want to self-sign the mesh agent so you can whitelist the software in you !!!note - If you generate your private key on windows with use `BEGIN PRIVATE KEY` and openssl needs `BEGIN RSA PRIVATE KEY` you can convert your private key to rsa private key using `openssl rsa -in server.key -out server_new.key` \ No newline at end of file + If you generate your private key on windows with use `BEGIN PRIVATE KEY` and openssl needs `BEGIN RSA PRIVATE KEY` you can convert your private key to rsa private key using `openssl rsa -in server.key -out server_new.key` + +## Setting Agent File info + +Now that MeshCentral customizes and signs the agent, you can set that value to anything you like. + +```json +"domains": { + "agentFileInfo": { + "filedescription": "sample_filedescription", + "fileversion": "0.1.2.3", + "internalname": "sample_internalname", + "legalcopyright": "sample_legalcopyright", + "originalfilename": "sample_originalfilename", + "productname": "sample_productname", + "productversion": "v0.1.2.3" + } +} +``` diff --git a/docs/docs/meshcentral/config.md b/docs/docs/meshcentral/config.md index 14d3e6ba..8c5f35e6 100644 --- a/docs/docs/meshcentral/config.md 
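Review bot: The `agentFileInfo` example added to codesigning.md puts the object directly under `"domains"`, but MeshCentral's `domains` object is, as far as I recall, keyed by domain name (`""` for the default domain), so as written the values would presumably be read as a domain named `agentFileInfo` rather than applied to the agent; if so the example should read `"domains": { "": { "agentFileInfo": { ... } } }`. The sentence "you can set that value to anything you like" also deserves a caveat: these fields only set the executable's version-resource metadata and do not make the binary trusted, so any allow-listing should key on the signing certificate, not on the description, product or version strings, which anyone building an agent can set to the same values. This is a documentation-only change to the surrounding prose and the example.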
+++ b/docs/docs/meshcentral/config.md @@ -15,6 +15,7 @@ See description for information about each item. "type": "object", "properties": { "cert": { "type": "string", "description": "Set this to the primary DNS name of this MeshCentral server." }, + "keepCerts": { "type": "boolean", "default": false, "description": "Force MeshCentral to use the HTTPS and MPS certificates even if the name does not match the expected DNS value." }, "mongoDb": { "type": "string", "default": null }, "mongoDbName": { "type": "string" }, "mongoDbChangeStream": { "type": "boolean", "default": false }, @@ -88,9 +89,9 @@ See description for information about each item. "sessionTime": { "type": "integer", "default": 60, "description": "Duration of a session cookie in minutes. Changing this affects how often the session needs to be automatically refreshed." }, "sessionKey": { "type": "string", "default": null, "description": "Password used to encrypt the MeshCentral web session cookies. If null, a random one is generated each time the server starts." }, "sessionSameSite": { "type": "string", "default": "lax", "enum": ["strict", "lax", "none"] }, - "dbEncryptKey": { "type": "string" }, - "dbRecordsEncryptKey": { "type": "string", "default": null }, - "dbRecordsDecryptKey": { "type": "string", "default": null }, + "dbEncryptKey": { "type": "string", "default": null, "description": "This value is only valid when used with NeDB, sets the database encryption and decryption key." }, + "dbRecordsEncryptKey": { "type": "string", "default": null, "description": "With any database, encrypt and decrypt sensitive information within records using this secret key." }, + "dbRecordsDecryptKey": { "type": "string", "default": null, "description": "With any database, decrypt sensitive information within records using this secret key, don't use a key to encrypt records." }, "dbExpire": { "type": "object", "properties": { 
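Review bot: The description added for `keepCerts` states what the flag forces but not its consequence: when the certificate's name no longer matches `cert`, browsers and agents will be presented with a certificate for the wrong hostname, and that warning belongs in the schema text since it is the only documentation an operator sees. Suggest `"description": "Force MeshCentral to keep using the existing HTTPS and MPS certificates even if their name does not match the expected DNS value. Only enable this when certificates are managed externally; otherwise clients will see a hostname mismatch."`. The mismatch consequence is inferred from the option's own wording rather than from code visible in this hunk.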
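Review bot: The new descriptions for `dbRecordsEncryptKey` and `dbRecordsDecryptKey` omit what an operator most needs to know: these keys sit in `config.json` in plaintext and must be protected and backed up, because losing `dbRecordsEncryptKey` makes the encrypted record fields unrecoverable. The `dbRecordsDecryptKey` text ("decrypt ... don't use a key to encrypt records") reads as a key-rotation aid — decrypt with the old key while new records are written with the new one — but never says so; suggest `"description": "With any database, decrypt sensitive information in records using this secret key without encrypting new records with it; set this to the previous dbRecordsEncryptKey while rotating keys."`. The rotation reading is inferred from the wording, not from code in this hunk, so confirm it against the implementation before wording it that way.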
@@ -347,6 +348,7 @@ See description for information about each item. "loginPicture": { "type": "string", "default": null, "description": "Web site .png logo file placed in meshcentral-data that used on the login page when sitestyle is 2." }, "rootRedirect": { "type": "string", "default": null, "description": "Redirects HTTP root requests to this URL. When in use, direct users to /login to see the normal login page." }, "mobileSite": { "type": "boolean", "default": true, "description": "When set to false, this setting will disable the mobile site." }, + "maxDeviceView": { "type": "integer", "default": null, "description": "The maximum number of devices a user can see on the devices page at the same time. By default all devices will show, but this may need to be limited on servers with large number of devices." }, "unknownUserRootRedirect": { "type": "string", "default": null, "description": "Redirects HTTP root requests to this URL only where user is not already logged in. When in use, direct users to /login to see the normal login page." }, "nightMode": { "type": "integer", "default": 0, "description": "0 = User selects day/night mode, 1 = Always night mode, 2 = Always day mode" }, "userQuota": { "type": "integer" }, 
@@ -390,6 +392,39 @@ See description for information about each item. "expire": { "type": "number", "description": "When set, limits the self-created guest sharing link to this number of minutes." } } }, + "PreconfiguredScripts": { + "type": "array", + "default": null, + "description": "When set, your can try click the run button to run on of these scripts on the remote device.", + "items": { + "type": "object", + "required": [ "name", "type" ], + "properties": { + "name": { + "description": "Name of the script.", + "type": "string" + }, + "type": { + "description": "The type of script.", + "type": "string", + "enum": [ "bat", "ps1", "sh", "agent" ] + }, + "runas": { + "description": "How to run this script, does not appy to agent scripts.", + "type": "string", + "enum": ["agent", "userfirst", "user"] + }, + "cmd": { + "description": "The command or \\r\\n seperated commands to run, if set do not use the file key.", + "type": "string" + }, + "file": { + "description": "The script file path and name, if set do not use the cmd key. This file path starts in meshcentral-data.", + "type": "string" + } + } + } + }, "preConfiguredRemoteInput": { "type": "array", "default": null, 
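Review bot: The new `PreconfiguredScripts` item schema describes `cmd` and `file` as mutually exclusive ("if set do not use the file key") but does not enforce it, and it leaves the item object open, so a misspelled key such as `runAs` is silently accepted and the script runs under whatever the default execution context is. Add `"additionalProperties": false` to the item and, if every script must carry exactly one of the two, `"oneOf": [ { "required": [ "cmd" ] }, { "required": [ "file" ] } ]` beside the existing `"required"`. Because these scripts execute on every managed device — with `runas: "agent"` presumably in the agent's own, typically elevated, context — the `description` should also state that `config.json` and the script files under `meshcentral-data` must be writable only by the server administrator. The key is PascalCase while its sibling `preConfiguredRemoteInput` is camelCase, and the description has typos (`your can try click ... run on of`, `appy`, `seperated`).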
@@ -523,6 +558,26 @@ See description for information about each item. "ldapUserPhoneNumber": { "type": "string", "default": "telephoneNumber", "description": "The LDAP value to use for the user's phone number." }, "ldapUserImage": { "type": "string", "default": "thumbnailPhoto", "description": "The LDAP value to use for the user's image." }, "ldapSaveUserToFile": { "type": "string", "default": null, "description": "When set to a filename, for example c:\\temp\\ldapusers.txt, MeshCentral will save the LDAP user object to this file each time a user logs in. This is used for debugging LDAP issues." }, + "ldapUserGroups": { "type": "string", "default": "memberOf", "description": "The LDAP value to use for the user's group memberships." }, + "ldapSyncWithUserGroups": { + "type": [ "boolean", "object" ], + "default": false, + "description": "When set to true or set to an object, MeshCentral will syncronized LDAP user memberships to MeshCentral user groups.", + "additionalProperties": false, + "properties": { + "filter": { + "type": [ "string", "array" ], + "default": null, + "description": "When set to a string or array of strings, only LDAP membership groups that includes one of the strings will be syncronized with MeshCentral user groups." + } + } + }, + "ldapSiteAdminGroups": { + "type": [ "string", "array" ], + "default": null, + "description": "When set to a list of LDAP groups, users that are part of one of these groups will be set a site administrator, otherwise site administrator rights will be removed." + }, + "ldapUserRequiredGroupMembership": { "type": [ "string", "array" ], "default": null, "description": "A list of LDAP groups. Users must be part of at least one of these groups to allow login. If null, all users are allowed to login." 
}, "ldapOptions": { "type": "object", "description": "LDAP options passed to ldapauth-fork" }, "agentInviteCodes": { "type": "boolean", "default": false, "description": "Enabled a feature where you can set one or more invitation codes in a device group. You can then give a invitation link to users who can use it to download the agent." }, "agentNoProxy": { "type": "boolean", "default": false, "description": "When enabled, all newly installed MeshAgents will be instructed to no use a HTTP/HTTPS proxy even if one is configured on the remote system" }, 
@@ -1167,7 +1222,22 @@ See description for information about each item. "tokenURL": { "type": "string", "format": "uri", "description": "If set, this will be used as the token URL. (If set authorizationURL and userInfoURL need set also)" }, "userInfoURL": { "type": "string", "format": "uri", "description": "If set, this will be used as the user info URL. (If set authorizationURL and tokenURL need set also)" }, "logouturl": { "type": "string", "format": "uri", "description": "Then set, the user will be redirected to this URL when hitting the logout link." }, - "newAccounts": { "type": "boolean", "default": true } + "newAccounts": { "type": "boolean", "default": true }, + "groups": { + "type": "object", + "properties": { + "required": { "type": [ "string", "array" ], "description": "When set, the user must be part of one of the OIDC user groups to login to MeshCentral." }, + "siteadmin": { "type": [ "string", "array" ], "description": "When set, users part of these groups will be promoted with site administrator in MeshCentral, users that are not part of these groups will be demoted." }, + "sync": { + "type": [ "boolean", "object" ], + "description": "Allows some or all ODIC user groups to be mirrored within MeshCentral as user groups.", + "properties": { + "enabled": { "type": "boolean", "default": false }, + "filter": { "type": [ "string", "array" ], "description": "When set, limits what OIDC groups are mirrored into MeshCentral user groups." } + } + } + } + } }, "required": [ "issuer", "clientid", "clientsecret", "callbackURL" ] } 
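Review bot: The new `groups` object (and `sync` inside it) has no `"additionalProperties": false`, so a misspelled key — `"Required"`, `"siteAdmin"` — is silently ignored, and for `required` that means the group restriction the operator believes is in place is not enforced and every user the IdP authenticates can log in. The sibling `ldapSyncWithUserGroups` in this same schema closes its object, so the OIDC variant should too: add `"additionalProperties": false` to both `groups` and `sync`. The schema also does not say which ID-token or userinfo claim supplies the groups, nor what happens when the claim is absent; a sentence on that in the `description` would help avoid lockouts or, worse, unintended promotion when the claim is missing. Typos: `ODIC` → `OIDC`, `promoted with site administrator` → `promoted to site administrator`.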
@@ -1267,6 +1337,14 @@ See description for information about each item. "from": { "type": "string" } }, "required": [ "provider", "apikey", "from" ] + }, + { + "type": "object", + "properties": { + "provider": { "type": "string", "enum": [ "url" ] }, + "url": { "type": "string", "description": "A http or https URL with {{phone}} and {{message}} in the string. These will be replaced with the URL encoded target phone number and message." } + }, + "required": [ "url" ] } ] } diff --git a/docs/docs/meshcentral/images/2022-09-06-16-38-57.png b/docs/docs/meshcentral/images/2022-09-06-16-38-57.png new file mode 100644 index 00000000..4befd73b Binary files /dev/null and b/docs/docs/meshcentral/images/2022-09-06-16-38-57.png differ diff --git a/docs/docs/meshcentral/images/rate_limiting_logins.png b/docs/docs/meshcentral/images/rate_limiting_logins.png new file mode 100644 index 00000000..26fe109d Binary files /dev/null and b/docs/docs/meshcentral/images/rate_limiting_logins.png differ diff --git a/docs/docs/meshcentral/index.md b/docs/docs/meshcentral/index.md index dd930db7..ba452430 100644 --- a/docs/docs/meshcentral/index.md +++ b/docs/docs/meshcentral/index.md @@ -52,10 +52,6 @@ This is because by default MeshCentral is using a self-signed certificate that i - Click on “Advanced”, “Proceed to (unsafe)” - To proceed on Internet Explorer 11, - -- Click “Continue to this website (not recommended)” - Note: You can also get to a device by specifying the device name in the URL by adding `?viewmode=10&gotodevicename=MyComputer` to the URL of the MeshCentral web page. The new `gotodevicename` will find a device with the specified name and navigate to that device’s page. This is perfect for integrating MeshCentral with other solutions but be aware that a computer name is not a unique identifier and so, `&gotonode=` is always the preferred way to access a device. This feature also works on the mobile web site. ### Create Account 
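Review bot: The new `url` SMS provider branch requires only `url`, while the sibling branch requires the discriminator too (`"required": [ "provider", "apikey", "from" ]`), so an object that sets `url` but omits or misspells `provider` still validates against this branch; make it `"required": [ "provider", "url" ]`. The description accepts `http` as well as `https`, yet `{{message}}` will carry one-time login codes, so the text should say the URL should be HTTPS and that a plain-HTTP gateway receives those codes in cleartext in transit. Adding `"format": "uri"` would also catch malformed values at validation time.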
diff --git a/docs/docs/meshcentral/security.md b/docs/docs/meshcentral/security.md new file mode 100644 index 00000000..792ba481 --- /dev/null +++ b/docs/docs/meshcentral/security.md @@ -0,0 +1,19 @@ +# Security + +## Rate Limiting login attempts + +You can use the MeshCentral Server Console with the command `badlogins` to see the current settings. + +Adjust these items in your `config.json` + +```json +"settings": { + "_maxInvalidLogin": { + "time": 10, + "count": 10, + "coolofftime": 10 + }, +} +``` + +![](images/rate_limiting_logins.png) diff --git a/docs/mkdocs.yml b/docs/mkdocs.yml index 7cf05b48..daa840e8 100644 --- a/docs/mkdocs.yml +++ b/docs/mkdocs.yml @@ -15,6 +15,7 @@ nav: - 'Debugging': 'meshcentral/debugging.md' - 'Device Tabs': 'meshcentral/devicetabs.md' - 'Plugins': 'meshcentral/plugins.md' + - 'Security': 'meshcentral/security.md' - 'Tokens': 'meshcentral/tokens.md' - Design and Architecture:
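Review bot: The `config.json` example in the new security.md uses the key `_maxInvalidLogin`; if, as in MeshCentral's sample configuration, a leading underscore marks a setting as disabled, then pasting this example as shown leaves login rate limiting off, and the page should tell the reader to rename the key to `maxInvalidLogin` (or show it without the underscore) to activate it. The snippet also gives no units — state what `time` and `coolofftime` are measured in (minutes, I believe) and that `count` is the number of failed attempts tolerated within that window — and note that the `badlogins` console command is how to confirm the effective values after a restart. The trailing comma after the object would make the fragment invalid JSON if it is the last entry in `"settings"`.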