Skip to content

🧭 Responsibility Disclaimer

NetAlertX provides powerful tools for network scanning, presence detection, and automation. However, it is up to youβ€”the deployerβ€”to ensure that your instance is properly secured.

This includes (but is not limited to): - Controlling who has access to the UI and API - Following network and container security best practices - Running NetAlertX only on networks where you have legal authorization - Keeping your deployment up to date with the latest patches

NetAlertX is not responsible for misuse, misconfiguration, or unsecure deployments. Always test and secure your setup before exposing it to the outside world.

πŸ” Securing Your NetAlertX Instance

NetAlertX is a powerful network scanning and automation framework. With that power comes responsibility. It is your responsibility to secure your deployment, especially if you're running it outside a trusted local environment.

⚠️ TL;DR – Key Security Recommendations

  • βœ… NEVER expose NetAlertX directly to the internet without protection
  • βœ… Use a VPN or Tailscale to access remotely
  • βœ… Enable password protection for the web UI
  • βœ… Harden your container environment (e.g., no unnecessary privileges)
  • βœ… Use firewalls and IP whitelisting
  • βœ… Keep the software updated
  • βœ… Limit the scope of plugins and API keys

πŸ”— Access Control with VPN (or Tailscale)

NetAlertX is designed to be run on private LANs, not the open internet.

Recommended: Use a VPN to access NetAlertX from remote locations.

βœ… Tailscale (Easy VPN Alternative)

Tailscale sets up a private mesh network between your devices. It's fast to configure and ideal for NetAlertX.
πŸ‘‰ Get started with Tailscale

πŸ”‘ Web UI Password Protection

By default, NetAlertX does not require login. Before exposing the UI in any way:

  1. Enable password protection: ini SETPWD_enable_password=true SETPWD_password=your_secure_password

  2. Passwords are stored as SHA256 hashes

  3. Default password (if not changed): 123456 β€” change it ASAP!

To disable authenticated login, set SETPWD_enable_password=false in app.conf

πŸ”₯ Additional Security Measures

  • Firewall / Network Rules
    Restrict UI/API access to trusted IPs only.

  • Limit Docker Capabilities
    Avoid --privileged. Use --cap-add=NET_RAW and others only if required by your scan method.

  • Keep NetAlertX Updated
    Regular updates contain bug fixes and security patches.

  • Plugin Permissions
    Disable unused plugins. Only install from trusted sources.

  • Use Read-Only API Keys
    When integrating NetAlertX with other tools, scope keys tightly.

🧱 Docker Hardening Tips

  • Use read-only mount options where possible (:ro)
  • Avoid running as root unless absolutely necessary
  • Consider using docker scan or other container image vulnerability scanners
  • Run with --network host only on trusted networks and only if needed for ARP-based scans

πŸ“£ Responsible Disclosure

If you discover a vulnerability or security concern, please report it privately to:

πŸ“§ jokob@duck.com

We take security seriously and will work to patch confirmed issues promptly. Your help in responsible disclosure is appreciated!

By following these recommendations, you can ensure your NetAlertX deployment is both powerful and secure.