Fail2ban - reducing malicious attacks


Paul Reed

Jan 18, 2015, 4:09:50 PM
to node...@googlegroups.com
Is anyone using fail2ban to stop repeated attempts to login to node-red?
I've just installed it to help prevent anyone getting access to my Raspberry Pi.
As I understand it, it monitors logfiles for repeated failed logins, and if present, blocks the connection for a predetermined time. Currently I have it monitoring the auth.log file for malicious SSH attempts, and it seems to work OK.

Has anyone extended its config to monitor node-red?

Paul

Ra Wa

Jan 19, 2015, 6:52:26 PM
to node...@googlegroups.com
I suspect you would have to write a custom fail2ban filter for node red. Do you have examples of node-red log entries during failed login attempts?

If you don't really need to access your node-red from the entire internet then you can simply add static firewall rules to allow the addresses you use and deny everyone else.

Even simpler might be to change the listening port to a non-standard one (port 1880 is a defined service so is probably routinely scanned by shodan etc). It's surprising how much this can reduce script-kiddie attacks.

For help in choosing an inconspicuous port look in /etc/services on your RPi and pick one that's not mentioned.

Paul Reed

Jan 20, 2015, 5:31:35 AM
to node...@googlegroups.com
- Do you have examples of node-red log entries during failed login attempts?

This appears to be the main hurdle, as node-red does not appear to record failed logins (when using httpAdminAuth).
I need to access node-red from outside my local network, but I'll take a look at changing the port number - not ideal, but would probably help.

Thanks

Paul

Scott C. Lemon

Jan 20, 2015, 9:57:13 AM
to node...@googlegroups.com
You are on the right track, and you can modify the code to output an error on a failed login.  There are numerous examples of how to do this - and fail2ban is a great idea to leverage this.


In addition I'll open an issue on the Github project to track this as it is good information to know!

Nicholas O'Leary

Jan 20, 2015, 10:04:06 AM
to node...@googlegroups.com
Scott, the existing code doesn't use passport, so the answers to that SO question don't help.

The quick fix, for the current release, is to add a suitable console.log here: https://github.com/node-red/node-red/blob/master/red.js#L127 where we test the username/password. (That's for the admin side; for the node side, it's a few lines later.)

As I've mentioned in previous mails, I'm currently overhauling the security of the admin side of things. I am including things like rate limiting failed attempts and will include better logging.

No need to raise an issue - this is what I'm working on right now.

Nick

--
http://nodered.org
---
You received this message because you are subscribed to the Google Groups "Node-RED" group.
To unsubscribe from this group and stop receiving emails from it, send an email to node-red+u...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Aideen

Jan 20, 2015, 10:53:00 AM
to node...@googlegroups.com
Hi Paul,

I agree with Ra Wa. You'll feel a lot happier if the script kiddies can't get past your router/gateway.

If you'd like some configuration pointers - what router are you using?

Do you need access from a single static outside address or multiple/dynamic addresses?

You only need to set up access for ssh (everything else can be tunnelled through).
For Windows, PuTTY setup from the remote computer is easy once you've got some examples.

Aideen

Paul Reed

Jan 20, 2015, 3:58:14 PM
to node...@googlegroups.com
Nick, thanks for the update. I was thinking that it may be better to have one central application to manage malicious/suspicious activity (such as fail2ban), because virtually the whole system - apache, SSH, node-red etc. - could be protected, and with a degree of uniformity & consistency.
If just node-red was protected against brute force attempts, an SSH hijack could potentially wipe out node-red or remove/change its security settings.
However, if you are intending to add 'failed logins' to the log, I guess fail2ban would still be an alternative option for users.

Aideen, I've already tied down the router fairly tightly, but thanks for the pointers.

Paul

Antoine Aflalo

Jan 20, 2015, 4:02:17 PM
to node...@googlegroups.com
I would advise, like Ra, changing the port as a first means to protect yourself.
By doing so you remove 90% of the attacks, since they are done by scripts/bots.

What you can also do: disable the password for Node-RED and use nginx as a reverse proxy with htpasswd support. You can then log the failed attempts and use fail2ban to parse the nginx log.




--
Antoine Aflalo

Paul Reed

Jan 20, 2015, 4:42:12 PM
to node...@googlegroups.com
Thanks Antoine, I did follow Ra Wa's advice and changed the port number.
I guess I'm a little unsettled, because despite having the most boring blog site on the net, fail2ban recorded 3 separate SSH multiple login attempts in the first week that I installed it, which were successfully blocked - which got me thinking....

Paul

Dave C-J

Jan 20, 2015, 4:53:56 PM
to node...@googlegroups.com
I now tunnel via ssh (as Aideen suggested above) for anything admin related. For a while I was getting fairly regular serious attempts but for some reason they seem to have tailed off more recently. Either that or I am fully compromised and the bad guys I have are keeping other bad guys out... :-)

I did do some poking back the other way to see where they came from - mostly China, Eastern Europe in my case. (or at least their last hop was from servers there).

Ra Wa

Jan 20, 2015, 10:12:22 PM
to node...@googlegroups.com

For a giggle I recently ran an ssh honeypot on a spare VPS: it took the bots less than 24 hours to start hitting it and I was getting hundreds of failed attempts each day. In contrast the real sshd running on a non-standard port on the same host got no hits for the whole period.

See also my other post in this forum about running node-red behind nginx as another solution.

Port 1880 is listed as "Gilat VSAT Control" so the skiddies are probably hoping to own a satellite control system.




