Authenticate, monitor and control your swarm of Folding@home clients remotely
*fah-node architecture diagram*
fah-node
makes it possible to securely monitor and control swarms of
Folding@home clients remotely, no matter where they are on the Internet. A node
can be used by more than one user at a time. Multiple nodes are used to
distribute the network load.
F@H clients can be configured to connect to and attempt to register with a node. Authorized users can approve nodes via their Folding@home account. Once approved, nodes will automatically appear on your account screen.
The following commands will build and install fah-node on Debian based Linux systems.
sudo apt-get update
sudo apt-get install -y scons build-essential libssl-dev binutils-dev \
libleveldb-dev libsnappy-dev git nodejs npm bind9-dnsutils ssl-cert
mkdir build
cd build
git clone https://github.com/cauldrondevelopmentllc/cbang
git clone https://github.com/foldingathome/fah-node
export CBANG_HOME=$PWD/cbang
scons -C cbang
scons -C fah-node
scons -C fah-node package
sudo dpkg -i fah-node/fah-node_$(cat fah-node/version.txt)_amd64.deb
sudo fah-node-ports
sudo apt-get install -y iptables-persistent
Add the node's domain name to /etc/fah-node/config.xml
.
<domains>node.example.com</domains>
Follow these steps to configure OAuth2 logins for your node:
- Go to https://console.developers.google.com/apis/dashboard
- Login to your Google account
- Create a new project
- Configure the OAuth consent screen
- Click on
Credentials
thenCREATE CREDENTIALS
- Select
OAuth client ID
- Select
Application type
:Web application
- Give your OAuth application a name
- Add the
Authorized JavaScript origin
:https://node.example.com
- Add the
Authorized redirect URI
:https://node.example.com/login
- Click the
CREATE
button - Note the
Client ID
andClient secret
.
Note, Google tends to change the interface fairly often so you may have to adjust the above described process.
Add the following to your config.xml
:
<google-client-id>YOUR_CLIENT_ID</google-client-id>
<google-client-secret>YOUR_CLIENT_SECRET</google-client-secret>
<google-redirect-base>https://node.example.com</google-redirect-base>
Add one or more email addresses which will have admin access to your node:
<admins>admin@gmail.com</admins>
Note, admin email addresses must match the OAuth login.
Your /etc/fah-node/config.xml
should look something like this:
<config>
<admins>admin@gmail.com</admins>
<domains>node.example.com</domains>
<google-client-id>YOUR_CLIENT_ID</google-client-id>
<google-client-secret>YOUR_CLIENT_SECRET</google-client-secret>
<google-redirect-base>https://node.example.com</google-redirect-base>
</config>
As root, edit /etc/security/limits.conf
. Add the following:
# For F@H AS
* soft nofile 10240
* hard nofile 10240
root soft nofile 10240
root hard nofile 10240
Logout and back in for new limits to take effect.
Start the node with:
sudo systemctl start fah-node
Monitor the log file:
sudo tail -F -n 1000 /var/log/fah-node/log.txt
To login, visit your node's web page. E.g. https://node.example.com/. Then click on the protein icon to login. If everything is setup correctly, you should reach the admin web page.
fah-node makes it possible to control many folding clients remotely, so security
is of the utmost importance. To ensure that only authorized persons can access
the clients in your swarm, fah-node
has several layers of security.
The first line of defense is to limit what actions can be performed on the
remote clients in your swarm. Authorized users can perform only the following
actions on clients in the swarm via a fah-node
:
- Start and stop folding.
- Change the client's user, project or resource usage settings.
- View the client's log or protein snapshots.
To prevent unauthorized clients from joining your swarm, each client must be configured with a swarm token. A swarm token is a time-limited small file that contains secret information which can only be obtained via your Folding@home login. The token allows one or more more clients to request to join your swarm. These clients will appear on your account, at which point you can approve or disapprove their membership in the swarm.
Since the clients in your swarm can exist anywhere on the Internet, it is possible they could be compromised through some other route. For this reason, swarm members are only able to report their status. In the worst case, a compromised client could report false information about itself.
Even if the machine a fah-node
runs on was compromised or it is run by
someone you do not trust, your swarm is still protected. The token used
to authenticate your clients with the swarm sets up a secure communication
channel that ensures the node itself cannot tamper with or eavesdrop on the
communication between your F@H account and your swarm. The worst a hostile
fah-node
could do is deny remote access to your swarm.
Your F@H account is secured via the OAuth2 protocol. This the industry standard security protocol for "federated logins". It allows you to login to your F@H account using an account with Google or other OAuth2 provider.
However, anyone who gains access to your OAuth2 account will have the ability to control your swarm. If this occurs, they will be able to perform the limited actions described above. If you believe your account has been compromised, you can disassociate all your swarm clients and/or close your Folding@home account.
Each of the following communication channels in the swarm are encrypted using the HTTPS protocol:
- Browser <-> F@H account
- F@H account <-> fah-node
- F@H client <-> fah-node
HTTPS is the protocol used by banks and shopping sites to secure the Internet.
In addition, communication from your browser to your swarm clients via the
fah-node
is double encrypted using RSA and AES. This prevents the
fah-node
itself from being able to control or monitor your swarm.