问题
Is there any existing technique or npm package that can prevent all outgoing requests from a NodeJS server, allowing only responses to incoming requests? This could prevent phone-home type attacks in deep dependencies missed in security audits.
回答1:
A firewall.
That's truly the only way. Remember though that there is nothing stopping some code from accepting commands from clients connecting to it.
回答2:
Have a look at
- http://www.cyberciti.biz/tips/block-outgoing-network-access-for-a-single-user-from-my-server-using-iptables.html
- https://superuser.com/questions/95963/lightweight-solution-to-block-outbound-connections-from-a-specific-app
The first link shows a firewall rule bound to a particular user. Easy and simple. Why use another npm module with deep dependencies you don't want to trust ;-)
回答3:
If you're looking for pure node.js solution, you can do something like that.
Using some module like mockery you can limit what calls your javascript module can do to node.js core. For example, if you override require('net').connect, it'll make harder for malicious code to execute something.
I don't know of any existing solutions, but it's definitely possible, and I'd really like to see one.
That said, the generic approaches to this problem are completely outside of node.js scope:
- firewall
- apparmor
来源:https://stackoverflow.com/questions/22026824/prevent-all-outgoing-requests-from-nodejs-server