New security threat affecting node-RED (does not by default affect emonPi)

(Paul Reed) #1

A number of node-RED users have succumbed to a new virus, which gains root access via node-RED, and then installs a cryptocurrency miner, plus whatever scripts/software that the virus is programmed to install.

It’s important that if anyone is exposing node-RED to the internet, that the adminAuth is set as per the node-RED guide. This will prevent rogue code accessing the adminAPI, and gaining root access, to add and run rogue code.

Hopefully, most savvy users will have already done this anyway :wink:


(SolarMill) #2

That’s a long guide. What specifically needs to be done to prevent unauthorized access? Is it more complicated than changing the default admin password?

(Paul Reed) #3

It’s simply ensuring that you have an Admin password (adminAuth) set in settings.js, and preferably NOT the default username/password pre-installed by the emoncms image file.

All of the reports so far relate to users who have not set up adminAuth at all, leaving their system exposed to the web (and there are lots & lots!!).

A bit like leaving your front door open when you go out…

If you want a checklist to harden node-RED further, these notes should help.


(Paul Reed) #6

(Trystan Lea) #7

8 posts were split to a new topic: NodeRED security offtopic - to be deleted

(Trystan Lea) #8

For all interested, there’s another thread here about NodeRed on the EmonPi relating to this security issue: node-RED virus >> emoncms image file

To summarise:

(Celso Henriques) #9

Thank you for that.

  • “users chooses to open their nodered system to the internet” : what do you mean with that? It’s opening port 80?
    Doing a factory reset should make me “peace of mind” or should I be worried? Because I was messing with node-red a year ago and don’t remember what I did.

(Paul Reed) #10

Have you configured node-RED so that you can access the editor or dashboard from outside your private network - so that you can see them when you are away from home?
This usually means opening up port 1880.

If not, then it’s not a problem. node-RED cannot be reached from outside your private network, and can’t be exploited.

If you have, then you need to change your adminAuth username/password in node-RED’s settings.js file.

There are a number of online tools such as to help you see which ports you are exposing.
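
An added example, not part of any post in this thread: a small Node.js check that inspects a node-RED settings object for the adminAuth gap discussed above. The function name `auditAdminAuth`, the sample settings objects and the placeholder hash are constructed for illustration; the `adminAuth` layout follows the node-RED settings.js format.

```javascript
// Added example. A bcrypt string is 60 characters: "$2a$"/"$2b$"/"$2y$", a cost, then 53 chars.
const BCRYPT = /^\$2[aby]\$\d{2}\$[./A-Za-z0-9]{53}$/;

// Returns a list of findings for the adminAuth section of a settings object.
function auditAdminAuth(settings) {
  const auth = settings && settings.adminAuth;
  if (!auth) {
    return ["adminAuth is not set: the editor and admin API need no login"];
  }
  const findings = [];
  // A function in adminAuth.users means custom authentication; nothing to inspect here.
  if (auth.type === "credentials" && typeof auth.users !== "function") {
    const users = Array.isArray(auth.users) ? auth.users : [];
    if (users.length === 0) findings.push("adminAuth.users lists no users");
    for (const u of users) {
      if (typeof u.password !== "string" || !BCRYPT.test(u.password)) {
        findings.push(`user "${u.username}": password is not a bcrypt hash`);
      }
    }
  }
  // adminAuth.default sets what a visitor who has not logged in may do.
  const anon = [].concat((auth.default && auth.default.permissions) || []);
  const writable = anon.filter((p) => p !== "read" && !p.endsWith(".read"));
  if (writable.length > 0) {
    findings.push(`anonymous users hold permissions: ${writable.join(", ")}`);
  }
  return findings;
}

// Constructed samples (the hash is a placeholder of the right shape, not a real one).
const PLACEHOLDER_HASH = "$2b$08$" + "A".repeat(53);
const exposed = { uiPort: 1880 };
const hardened = {
  uiPort: 1880,
  adminAuth: {
    type: "credentials",
    users: [{ username: "operator", password: PLACEHOLDER_HASH, permissions: "*" }],
  },
};

// To audit a real install: auditAdminAuth(require("/path/to/settings.js"))
console.log(auditAdminAuth(exposed));
console.log(auditAdminAuth(hardened));
```

An empty list means the adminAuth section passed these checks; it says nothing about which ports are reachable from the internet.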


(Celso Henriques) #11

Thank you! I need to double check but from what I remember and what I could see now, I didn’t open any ports, so I can sleep well.
Thank you!