We are aware of ransomware attacks specifically targeting Jupyter servers.
First off: we have no evidence of a vulnerability in Jupyter associated with the attack. The attacks appear to focus on Jupyter servers with authentication disabled. That’s what this post is about: please don’t do that!
Jupyter servers are authenticated with a random token by default, so you should be fine with the defaults. That default random token is regenerated on each server launch. If the random token is inconvenient for you (there are plenty of situations where this is the case), the answer is not to disable auth! More on that below.
We wrote about this before, but it bears repeating:
- Jupyter exposes arbitrary code execution and a shell. If folks gain access, they can do anything you can do. You aren’t just protecting your notebooks, you are protecting your whole computer.
- People can find your notebook server if it’s accessible on the Internet. If they locate your server and it has auth disabled, that’s game over, and appears to be what happened in the above ransomware event. Jupyter’s popular enough (yay) that folks are always looking (boo).
- If the generated token pattern is inconvenient for how you work, you can set a persistent token or password in configuration instead of retrieving the generated token on each server launch. Save this token or password in your password manager for safekeeping, and accessing your server will be just as convenient as having auth disabled.
If you have an interactive prompt, you can run `jupyter server password`:

```
$ jupyter server password
Enter password:🔐
Verify password:🔐
[JupyterPasswordApp] Wrote hashed password to ~/.jupyter/jupyter_server_config.json
```
which generates and stores config that looks like:

```json
{
  "ServerApp": {
    "password": "argon2:$argon2id$v=19$m=10240,t=10,p=8$aFE/DuLj//6oGF2PHWy2DQ$eXHn6AbJe8Lryl4z9oGvMtZhX7iEdt41m+mhvyDvw88"
  }
}
```
This is a hashed, salted form of your password. We can’t get the password back out of it, but we can use it to check whether you typed it correctly on the login page. If an interactive prompt isn’t available to you (e.g. a cloud VM that starts the notebook server automatically), you can run this command on any machine and copy the resulting config file to the destination machine as part of setup.
If it works better for you, you can also generate just the hashed password:

```python
from jupyter_server.auth import passwd

hashed_password = passwd("my-great-passphrase")  # just the "argon2:..." string
```

and get that into your config files, as best suits your needs. For example, in `~/.jupyter/jupyter_server_config.py`:

```python
c.ServerApp.password = "argon2:..."
```

or the same config in `~/.jupyter/jupyter_server_config.json`:

```json
{
  "ServerApp": {
    "password": "argon2:..."
  }
}
```
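An added example, not code from the Jupyter project or from this post: a stdlib-only Python script that reads the same `~/.jupyter/jupyter_server_config.json` and flags the two mistakes discussed above, namely token and password both blanked out (authentication disabled) and a plaintext value stored in `ServerApp.password` instead of the `passwd()` hash. It assumes the config keys `ServerApp.token`, `ServerApp.password` and, on newer jupyter_server releases, `IdentityProvider.token`, and that the server accepts `argon2:` hashes as well as the legacy `sha1:` form; the sample configs at the bottom are constructed for illustration.

```python
"""Audit a jupyter_server_config.json for disabled or weak authentication.

Added example; not the Jupyter project's own code. Assumed config keys:
ServerApp.token, ServerApp.password, and IdentityProvider.token (newer releases).
"""
from __future__ import annotations

import json
import re

# Hash prefixes that jupyter_server's passwd()/passwd_check() understand:
# "argon2:" is the current default, "sha1:" is the legacy scheme.
HASHED_PASSWORD_RE = re.compile(
    r"^(argon2:\$argon2(?:id|i|d)\$v=\d+\$m=\d+,t=\d+,p=\d+\$[A-Za-z0-9+/]+\$[A-Za-z0-9+/]+"
    r"|sha1:[0-9a-f]+:[0-9a-f]{40})$"
)


def audit_config(config: dict) -> list[str]:
    """Return human-readable findings for one parsed config; empty list means OK."""
    server = config.get("ServerApp", {})
    identity = config.get("IdentityProvider", {})
    findings: list[str] = []

    password = server.get("password")
    # The token may be configured under ServerApp (older) or IdentityProvider (newer).
    token = identity.get("token", server.get("token"))

    # A missing token means the default random token is generated at launch, which is fine.
    # Auth is only disabled when the token is explicitly "" AND no password is configured.
    if token == "" and not password:
        findings.append("CRITICAL: authentication disabled (token='' and no password)")

    if password:
        if not HASHED_PASSWORD_RE.match(password):
            findings.append(
                "HIGH: ServerApp.password is not a recognized hash; "
                "store only the output of passwd() / `jupyter server password`"
            )
        elif password.startswith("sha1:"):
            findings.append(
                "LOW: legacy sha1 password hash; re-run `jupyter server password` for argon2"
            )

    return findings


def audit_file(path: str) -> list[str]:
    """Load a jupyter_server_config.json from disk and audit it."""
    with open(path, encoding="utf-8") as fh:
        return audit_config(json.load(fh))


# Constructed sample configs (not captured from a real server).
SAMPLE_DISABLED = {"ServerApp": {"token": "", "password": ""}}
SAMPLE_PLAINTEXT = {"ServerApp": {"password": "my-great-passphrase"}}
SAMPLE_OK = {
    "ServerApp": {
        "password": "argon2:$argon2id$v=19$m=10240,t=10,p=8"
        "$aFE/DuLj//6oGF2PHWy2DQ$eXHn6AbJe8Lryl4z9oGvMtZhX7iEdt41m+mhvyDvw88"
    }
}

if __name__ == "__main__":
    for name, cfg in [("disabled", SAMPLE_DISABLED), ("plaintext", SAMPLE_PLAINTEXT), ("ok", SAMPLE_OK)]:
        print(name, audit_config(cfg) or ["OK"])
```

Run it against the real file with `audit_file("~/.jupyter/jupyter_server_config.json")` (expand `~` first, e.g. with `os.path.expanduser`); an empty result means the server either has a hashed password or will fall back to the generated random token.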
Read more details in our earlier post and in the security documentation.
Please contact security@ipython.org if you have a vulnerability to report.
Please don’t disable authentication in Jupyter servers was originally published in Jupyter Blog on Medium.