-
Yes I think it does indeed need a UFW rule to deny 5000, although I don't know if this has any implications. Can anyone else chime in about an access issue blocking port 5000? Realistically I don't think this should be exposed to the internet regardless.
-
UFW is a good solution. The thing is, I would probably want to make it optional, as the authentication service provided by Frigate is very minimal in terms of features. Users need to be managed manually, which for me is a deal breaker. Could be a prompt at the end of the install script: "Would you like to block anonymous access to Frigate?" and if the user says yes, then config UFW. Nonetheless, the message at the end of the installation should mention the authenticated port (8971).
-
@remz1337 I don't use Frigate but I wondered about that, yes an option would be better.
-
Agreed on all counts. You shouldn't have either port exposed to the internet. I think the thing that jumped out to me reading Frigate docs was port 5000 seemed to be a "this is a docker-specific internal use option". Since we're building with LXC directly instead of docker (correct me if I'm wrong here), we're kind of breaking that assumption Frigate makes about how it's being run and should probably handle things accordingly. I just started testing today, but even their default "recommended" install with docker-compose has port 5000 commented out. https://docs.frigate.video/frigate/installation/ I'd assume we should shoot for something as close to the intended default install conditions as possible (i.e. defaulting to the secure connection, deny port 5000 use unless specifically required with manual intervention).
-
Get on the Frigate GitHub page and talk to blakeshear about it, he's very responsive. Seems like it would be a good idea to ask him to put in an option to allow anonymous logins. Might not be the best option but I just set it up in NPM for frigate.domain.com to route to the login page port. So you'd have to be internal to even get to the 5000 page.
-
New install with default settings of Frigate I was trying out today. Install worked great, until I started getting confused about the port the script links to when it completes: IP:5000. That URL allowed access under an "anonymous" account to all Frigate settings and config.
Per Frigate docs, port 5000 is intended for "internal unauthenticated UI and API access. Intended to be used with the docker network...". Obviously not ideal to have a free access session to all the camera feeds to the network.
IP:8971 directed me to the proper login page for Frigate, but there doesn't appear to be a way to kill the port 5000 unauthenticated access within Frigate. I've considered just turning on UFW default deny all and only allowing 8971 and 1984 (go2rtc session). Thoughts on that solution or something better to go in the existing script?
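The approach discussed in this thread (an optional prompt, allow only 8971 and 1984, deny 5000), as an added sketch that is not part of the discussion or of the install script. The function names, the `SSH_PORT` rule and the `APPLY` switch are assumptions of this example; unless `APPLY=1` is set it only prints the UFW commands it would run.

```shell
#!/bin/sh
# Added example, not the install script's own code. Port numbers are the ones
# named in the thread; SSH_PORT and APPLY are assumptions of this sketch.
AUTH_PORT=8971       # Frigate authenticated UI/API (login page)
GO2RTC_PORT=1984     # go2rtc
INTERNAL_PORT=5000   # Frigate unauthenticated UI/API
SSH_PORT="${SSH_PORT:-22}"

# Print the UFW commands for the answer to
# "Would you like to block anonymous access to Frigate?" ($1 = y/n).
frigate_ufw_plan() {
    case "$1" in
        [Yy]*)
            echo "ufw default deny incoming"
            echo "ufw default allow outgoing"
            echo "ufw allow ${SSH_PORT}/tcp"      # keep admin access before enabling
            echo "ufw allow ${AUTH_PORT}/tcp"
            echo "ufw allow ${GO2RTC_PORT}/tcp"
            echo "ufw deny ${INTERNAL_PORT}/tcp"  # explicit rule, survives a default change
            echo "ufw --force enable"             # must be last: rules exist before enforcement
            ;;
        *)
            # User opted out: no firewall changes.
            ;;
    esac
}

# Execute the plan when APPLY=1 (needs root); otherwise show a dry run.
frigate_ufw_apply() {
    frigate_ufw_plan "$1" | while IFS= read -r cmd; do
        if [ "${APPLY:-0}" = "1" ]; then
            $cmd || return 1
        else
            echo "[dry-run] $cmd"
        fi
    done
}

# Text for the end-of-install message, pointing at the authenticated port.
frigate_login_hint() {
    echo "Frigate login page: $1:${AUTH_PORT}"
}
```

After applying, `ufw status verbose` shows the resulting rule set; services inside the container that rely on port 5000 over loopback are not affected by an incoming deny rule.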