Node Red a target for attack?


Giles Roadnight

May 15, 2016, 3:44:23 AM
to Node-RED
Hi All

I've spent the last few days trying to figure out why my Pi 3 running Node-Red kept dying after as little as 20 minutes.

Initially I suspected a memory leak and started removing nodes that I had recently installed, but it turns out all I had to do was to turn off port forwarding to it.

I was forwarding port 1880 and 22 to the pi so that I could access a webpage away from home. It seems that having port 1880 open to the world causes node cpu to jump to 100% after not very long.

Is this normal?

This is on a home connection and the pi currently controls my hue lights. Being able to turn them off when away from home was good. If I can't have the page open that's annoying.

It seems to kill the pi when I have it open. The pi becomes unresponsive to anything and I can't ssh. I can use the terminal with a keyboard and mouse though.

Turning off port forwarding the pi is still unresponsive and needs restarting.

Thanks.

Nicholas O'Leary

May 15, 2016, 4:21:47 AM
to Node-RED Mailing List
I wouldn't say that Node-RED itself is a target, but port 1880 may well be - especially as it responds to http traffic, so would soon get found by anything scanning for things to access.

Opening any port to the internet comes with a risk. You could try running NR on a different port in the higher range (-p option on the command-line, or see the settings file) and see how you get on.

An alternative would be not to allow incoming connections to your pi and have it only connect out to a 3rd party service, such as a hosted MQTT service, to mediate the communication. Not a drop-in replacement for being able to access web-pages served by your Pi, but an approach to consider.

Nick

--
http://nodered.org
 
Join us on Slack to continue the conversation: http://nodered.org/slack
---
You received this message because you are subscribed to the Google Groups "Node-RED" group.
To unsubscribe from this group and stop receiving emails from it, send an email to node-red+u...@googlegroups.com.
To post to this group, send email to node...@googlegroups.com.
Visit this group at https://groups.google.com/group/node-red.
For more options, visit https://groups.google.com/d/optout.

Walter Kraembring

May 15, 2016, 4:26:24 AM
to Node-RED
To access my home network, I always use a VPN connection. Using a VPN client (OpenVPN) on my tablet and a dedicated RPi running the VPN server at home (also OpenVPN) gives secure access, and you do not need to do port forwarding.

Mark Setrem

May 15, 2016, 4:38:22 AM
to Node-RED
If you just want to turn lights off, why not set up a private Twitter account?
You can then send it a message to turn the lights off.

If you have left a RaspberryPi attached to the Internet whilst using port 22 for ssh, unless you have been taking additional precautions such as turning password authentication off and fail2ban etc., it might be worth thinking about cutting and pasting your flows onto a PC/Mac, reformatting the pi's SD card and starting again to be on the safe side.

Giles Roadnight

May 15, 2016, 4:41:53 AM
to Node-RED
Thanks but I am pretty sure that my password is strong enough and looking at the auth logs it doesn't seem that any attempts were made to access the user that I use.

I use it for lights at the moment but want to use it for more. I also want to get info from the house - the temperature of the bedroom, who is at home, what lights are on etc.


Chris Jefferies

May 15, 2016, 4:56:06 AM
to Node-RED, gi...@roadnight.name
I use dedicated firewall software called pfSense. With that, like Walter Kraembring, I have configured a VPN connection between my phone, my laptop, and my home system. It feels pretty solid.

I've also seen an application at https://ngrok.com/ that seems reasonable.

Good luck,
Chris.

Colin Law

May 15, 2016, 5:01:29 AM
to node...@googlegroups.com
On 15 May 2016 at 09:41, Giles Roadnight <gi...@roadnight.name> wrote:
> Thanks but I am pretty sure that my password is strong enough and looking at
> the auth logs it doesn't seem that any attempts were made to access the user
> that I use.

Just opening the port in the router can't make a difference to the pi
unless it is receiving requests from something. You said that the CPU
load jumps after 'not very long'. Watch the loading and note exactly
what time it jumps up, then have a look in the various logs and see if
anything happened at that time.

If you run top when it is loaded, which process is hogging the cpu?

Colin

Giles Roadnight

May 15, 2016, 5:04:44 AM
to node...@googlegroups.com
node is hogging the cpu. I am planning on creating a little node app that just logs the requests so I can see what requests are coming in and from where.

Colin Law

May 15, 2016, 5:53:23 AM
to node...@googlegroups.com
On 15 May 2016 at 10:04, Giles Roadnight <gi...@roadnight.name> wrote:
> node is hogging the cpu. I am planning on creating a little node app that
> just logs the requests so I can see what requests are coming in and from
> where.

The top answer to this should allow you to do that
http://superuser.com/questions/604998/monitor-tcp-traffic-on-specific-port

You will need to
sudo apt-get install tcpdump
first, probably.

Colin
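One way to do the request logging Giles describes on top of Colin's tcpdump suggestion, as an added example that is not part of the thread: it parses tcpdump -nn output for the Node-RED port and summarises connection attempts per source address. It assumes a capture taken with something like `sudo tcpdump -nn -i eth0 'tcp port 1880'`; the sample lines are constructed using documentation address ranges.

```javascript
// Added example (not from the thread): summarise what tcpdump saw on the
// Node-RED port so you can tell who is connecting, how often and when.
// Sample lines below are constructed; real ones come from tcpdump -nn.
'use strict';

// Matches the start of a tcpdump -nn TCP line, e.g.
// "10:04:12.123456 IP 203.0.113.5.51234 > 192.168.1.10.1880: Flags [S], seq ..."
const LINE_RE = /^(\S+) IP (\d{1,3}(?:\.\d{1,3}){3})\.(\d+) > (\d{1,3}(?:\.\d{1,3}){3})\.(\d+): Flags \[([^\]]*)\]/;

function parseLine(line) {
  const m = LINE_RE.exec(line);
  if (!m) return null; // ARP, ICMP, truncated or otherwise non-TCP lines are ignored
  return { time: m[1], src: m[2], sport: Number(m[3]), dst: m[4], dport: Number(m[5]), flags: m[6] };
}

// Group packets aimed at localPort by source address. A bare SYN ([S], no ACK)
// is a new connection attempt; the Pi's own replies go the other way and are skipped.
function summariseCapture(lines, localPort = 1880) {
  const bySrc = new Map();
  for (const line of lines) {
    const p = parseLine(line);
    if (!p || p.dport !== localPort) continue;
    let e = bySrc.get(p.src);
    if (!e) {
      e = { src: p.src, packets: 0, syns: 0, first: p.time, last: p.time };
      bySrc.set(p.src, e);
    }
    e.packets += 1;
    e.last = p.time;
    if (p.flags.includes('S') && !p.flags.includes('.')) e.syns += 1;
  }
  return [...bySrc.values()].sort((a, b) => b.syns - a.syns || b.packets - a.packets);
}

// Sources that opened at least minSyns connections: candidates for a firewall rule.
function noisySources(summary, minSyns = 3) {
  return summary.filter((e) => e.syns >= minSyns).map((e) => e.src);
}

// Constructed sample capture (203.0.113.0/24 and 198.51.100.0/24 are documentation ranges).
const SAMPLE = [
  '10:04:12.100000 IP 203.0.113.5.51234 > 192.168.1.10.1880: Flags [S], seq 1, win 29200, length 0',
  '10:04:12.100500 IP 192.168.1.10.1880 > 203.0.113.5.51234: Flags [S.], seq 2, ack 2, win 28960, length 0',
  '10:04:12.200000 IP 203.0.113.5.51235 > 192.168.1.10.1880: Flags [S], seq 3, win 29200, length 0',
  '10:04:12.300000 IP 203.0.113.5.51236 > 192.168.1.10.1880: Flags [S], seq 4, win 29200, length 0',
  '10:05:01.000000 IP 198.51.100.7.40001 > 192.168.1.10.1880: Flags [S], seq 5, win 64240, length 0',
  '10:05:01.050000 IP 198.51.100.7.40001 > 192.168.1.10.1880: Flags [P.], seq 1:80, ack 1, win 502, length 79',
  '10:05:02.000000 ARP, Request who-has 192.168.1.1 tell 192.168.1.10, length 28',
];
```

Feed it a saved capture with `summariseCapture(require('fs').readFileSync('capture.txt', 'utf8').split('\n'))` and compare the timestamps against when the CPU load jumps.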

Giles Roadnight

May 15, 2016, 6:51:22 AM
to node...@googlegroups.com
Thanks

Dave C-J

May 15, 2016, 6:57:16 AM
to node...@googlegroups.com

Also run free -h in order to check the amount of free memory around that time.

Julian Knight

May 15, 2016, 9:43:44 AM
to Node-RED
I've not been able to make NR on its own max out the Pi's memory, though if you didn't put in the recommended garbage collector parameter when starting the server, it is possible. I have however maxed it out when working with databases on the same device. In the past, I've also noticed serious issues when using PM2 to try and keep things running, so if you are using that, you might want to try to use systemd instead.

In terms of security, I've mentioned this a number of times before. You shouldn't connect ANYTHING to the Internet without some additional protection, especially when using the interface to control things in your house.

In general, even a brand new IP address with open ports, especially well known ones like 80 and 22, will be probed within 30sec. Automated hacking attempts on port 22 will start within a few minutes normally. I never leave port 22 open; I use port address translation (PAT) to move the port to some high number (if you need access from work locations, you might be limited as to what ports are available via your organisation's proxy).

At the least, you should set up the IPTABLES firewall on the Pi along with the application "fail2ban" which will mitigate against people/bots doing probing attacks.

I suggest moving away from the default NR port as well. In fact, the best approach is to use a reverse proxy such as NGINX in reverse proxy mode. Coupled with Phusion Passenger and NGINX certificate based security, you can set up secured access and make sure that, if NR does crash, Passenger will restart it. I have to say though that I've not tried to do all of that from a single Pi. You could, however, set up a second Pi to act as a proxy/firewall device. You can also then add login security to prevent anyone from getting access. However, make sure you only do that along with TLS (certificate based) security - e.g. HTTPS - otherwise you are just sending your login details in plain text over the Internet.

Please take it from me that the Internet is NOT a benign environment. The levels of automatic probing are enormous and constant.

Giles Roadnight

May 15, 2016, 9:48:38 AM
to Node-RED
Thanks for that, some useful advice.

How easy is it to use node-red over https then?


Julian Knight

May 15, 2016, 11:22:51 AM
to Node-RED, gi...@roadnight.name
Well it is a little involved. :-} But not that bad. First you need to decide what kind of certificate to use.

One signed by a public certificate authority (CA) is best since the browsers won't keep reminding you that it isn't valid! However, just to get going, you can easily create a self-signed certificate, then replace that with a public one when you have the basics right. The cheapest publicly signed certs are free and available from either StartSSL or Let's Encrypt. StartSSL lasts 12m but you have to update it manually. LE has scripts for auto-update if you can work out how to use them, and you do really need the auto-script as the LE certs only last a short while - 3 months I think. If you want something clever like a single cert to cover multiple domains, StartSSL have 2 or 3 year certs from around US$60.

Next, follow the https configuration here: http://nodered.org/docs/configuration. Or some more details here: http://industrialinternet.co.uk/node-red/adding-https-ssl-to-node-red.

Basically, you need 2 files that make up your certificate and you need to make them available to NR's Express server.
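The settings.js pieces Julian's two posts refer to (the https block for the certificate files, login security only over TLS, moving off port 1880), as an added example that is not from the thread or the Node-RED project: a small audit of a settings object that flags the combinations you do not want facing the Internet. It assumes the documented Node-RED settings keys uiPort, https, requireHttps, adminAuth and httpNodeAuth; the PEM contents and bcrypt hashes are placeholders.

```javascript
// Added example, not from the thread or the Node-RED project: audit a Node-RED
// settings.js object before exposing the editor beyond the LAN. uiPort, https,
// requireHttps, adminAuth and httpNodeAuth are documented Node-RED settings;
// the PEM contents and bcrypt hashes below are constructed placeholders.
'use strict';

function auditSettings(s) {
  const findings = [];
  const port = s.uiPort === undefined ? 1880 : s.uiPort;
  const hasTls = Boolean(s.https && s.https.key && s.https.cert);
  if (port === 1880) findings.push('uiPort is the default 1880: move off the well-known port');
  if (!hasTls) findings.push('https not set: editor, flows and any login travel in plain text');
  if (hasTls && !s.requireHttps) findings.push('requireHttps is off: plain http is still accepted');
  if (!s.adminAuth) findings.push('adminAuth missing: anyone reaching the port can edit and deploy flows');
  if (s.adminAuth && !hasTls) findings.push('adminAuth without TLS: login details sent in plain text');
  for (const u of (s.adminAuth && s.adminAuth.users) || []) {
    // node-red-admin hash-pw produces bcrypt hashes; a plain string here is a mistake
    if (!/^\$2[aby]\$\d\d\$/.test(u.password)) findings.push(`user ${u.username}: password is not a bcrypt hash`);
  }
  if (!s.httpNodeAuth) findings.push('httpNodeAuth missing: HTTP In endpoints are unauthenticated');
  return findings;
}

// Constructed "before": a stock install with port 1880 forwarded from the router.
const exposedDefaults = { uiPort: 1880 };

// Constructed "after": high port, TLS, bcrypt-hashed editor login, protected HTTP In nodes.
// In a real settings.js the key and cert come from require('fs').readFileSync('privkey.pem') etc.
const hardened = {
  uiPort: 18443,
  https: {
    key: '-----BEGIN PRIVATE KEY-----\nPLACEHOLDER\n-----END PRIVATE KEY-----\n',
    cert: '-----BEGIN CERTIFICATE-----\nPLACEHOLDER\n-----END CERTIFICATE-----\n',
  },
  requireHttps: true,
  adminAuth: {
    type: 'credentials',
    users: [{ username: 'admin', password: '$2a$08$PLACEHOLDER.hash.from.node-red-admin', permissions: '*' }],
  },
  httpNodeAuth: { user: 'lights', pass: '$2a$08$PLACEHOLDER.hash.from.node-red-admin' },
};
```

Run it against `require('./settings.js')` on the Pi; an empty result means the editor is at least not exposed in plain text or without a login.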