OpenEnergyMonitor


September 18: security threat affecting node-RED (does not by default affect emonPi)


(Paul Reed) #1

A number of node-RED users have succumbed to a new virus, which gains root access via node-RED and then installs a cryptocurrency miner, plus whatever scripts/software the virus is programmed to install.

It’s important that if anyone is exposing node-RED to the internet, adminAuth is set as per the node-RED guide. This will prevent rogue code accessing the adminAPI and gaining root access to add and run rogue code.

Hopefully, most savvy users will have already done this anyway :wink:

Paul


(SolarMill) #2

That’s a long guide. What specifically needs to be done to prevent unauthorized access? Is it more complicated than changing the default admin password?


(Paul Reed) #3

It’s simply ensuring that you have an Admin password (adminAuth) set in settings.js, and preferably NOT the default username/password pre-installed by the emoncms image file.

All of the reports so far relate to users who have not set up adminAuth at all, leaving their system exposed to the web (and there are lots & lots!!).

A bit like leaving your front door open when you go out…

If you want a checklist to harden node-RED further, these notes should help.

Paul


(Paul Reed) #6

(Trystan Lea) #7

8 posts were split to a new topic: NodeRED security offtopic - to be deleted


(Trystan Lea) #8

For all interested, there’s another thread here about NodeRed on the EmonPi relating to this security issue: node-RED virus >> emoncms image file

To summarise:


(Celso Henriques) #9

Thank you for that.

  • “users chooses to open their nodered system to the internet”: what do you mean by that? Is it opening port 80?
    Doing a factory reset should give me “peace of mind”, or should I be worried? Because I was messing with node-red a year ago and don’t remember what I did.

(Paul Reed) #10

Have you configured node-RED so that you can access the editor or dashboard from outside your private network - so that you can see them when you are away from home?
This usually means opening up port 1880.

If not, then it’s not a problem. node-RED cannot be reached from outside your private network, and can’t be exploited.

If you have, then you need to change your adminAuth username/password in node-RED’s settings.js file.

There are a number of online tools such as http://www.canyouseeme.org/ to help you see which ports you are exposing.

Paul


(Celso Henriques) #11

Thank you! I need to double check but from what I remember and what I could see now, I didn’t open any ports, so I can sleep well.
Thank you!


(Neil Hastings) #12

Please forgive me if I’m breaking any rules or conventions… I’m new :slight_smile:

There is an excellent tutorial created by Richard Wenner in which he explains very clearly how to setup a secure node red installation on a Raspberry Pi.

I also have a written set of instructions of Richard’s excellent video tutorial. I will gladly share this if someone can help me understand how to share a document. Or, should I just paste it here?

Thanks


(Robert Wall) #13

That is the best way.

There’s no recognised place for information of that sort - that’s not to say that there shouldn’t be, and maybe this is something that ought to be considered. Any thoughts @glyn.hudson, @TrystanLea?


(Neil Hastings) #14

Here’s a set of instructions that can be used in conjunction with Richard Wenner’s tutorial:

How to Prepare and Secure Raspberry Pi for Node-Red

Richard Wenner Youtube: https://www.youtube.com/watch?v=z9a_ztJqaII

Install SD card image and configure RPI for headless operation. (Raspberry Pi configuration is probably not required with a functioning emonPi SD Image)

sudo raspi-config

Change RPi password
Change host name from raspberrypi to your hostname
Set boot to command line
Set localization options
Enable SSH
Expand file system
Exit and reboot

Update operating system
sudo apt-get -y update
sudo apt-get -y upgrade
sudo apt-get -y dist-upgrade

Check node-red version
node -v

Install node package manager and update node-red

bash <(curl -sL https://raw.githubusercontent.com/node-red/raspbian-deb-package/master/resources/update-nodejs-and-nodered)

Check error log
cat /var/log/nodered-install.log

Check node-red version
node -v

Check npm package manager version
npm -v

Install 'n' utility to check the latest version of node-red and upgrade for us
sudo npm install -g n

Upgrade to very latest version of node red
sudo n latest

Reboot
sudo shutdown -r now

Check node-red version
node -v

Check npm package manager version
npm -v

Start node-red (hit ctrl-c to get the prompt, node-red will continue to run)
node-red-start
ctrl-c

Note the error with the serial port. This is well known and easy to fix.
cd ~/.node-red
ls -la
node-red-stop
sudo npm rebuild

Start node-red - Confirm the error has been fixed
node-red-start
ctrl-c

Could stop here but need to add an encrypted password and use https
First we need to stop node-red completely and reboot…
sudo systemctl disable nodered.service
node-red-stop
sudo shutdown -r 0

First, switch to https

Generate https self-certified certificate
cd ~/.node-red
ls -la

Check that we have these packages:
.config.json
package.json
settings.js

Generate a private key
openssl genrsa -out privatekey.pem 1024
openssl req -new -key privatekey.pem -out private-csr.pem

Country Name (2 letter code) [AU]: US
State or Province Name (full name) [Some-State]: New-Jersey
Locality Name (eg, city) []: (leave blank)
Organization Name (eg, company) [Internet Widgits Pty Ltd]: (leave blank)
Organizational Unit Name (eg, section) []: (leave blank)
Common Name (e.g. server FQDN or YOUR name) []: (enter the RPi IP address)
Email Address []: (enter your email address)
A challenge password []: (leave blank)
An optional company name []: (leave blank)

Sign the request with the private key to create the self-signed certificate
openssl x509 -req -days 365 -in private-csr.pem -signkey privatekey.pem -out certificate.pem
ls -la

Should now see:
privatekey.pem
certificate.pem

Edit settings.js
nano settings.js
Uncomment this line…
//var fs = require("fs");

Uncomment this section:
//https: {
//    key: fs.readFileSync('privatekey.pem'),
//    cert: fs.readFileSync('certificate.pem')
//},

And change to:
https: {
    key: fs.readFileSync('/home/pi/.node-red/privatekey.pem'),
    cert: fs.readFileSync('/home/pi/.node-red/certificate.pem')
},

Uncomment this section:
//adminAuth: {
//    type: "credentials",
//    users: [{
//        username: "admin",
//        password: "$2a$08$zZWtXTja0fB1pzD4sHCMyOCMYz2Z6dNbM6tl8sJogENOMcx$
//        permissions: "*"
//    }]
//},

Save and Exit

Note: To set a root password, enter: sudo passwd root (enter the password twice).

Need to encode the node-red password, and need to install some encryption software. This is done with node-red

su
Password: (enter your password)
npm install -g node-red-admin
exit
node-red-admin hash-pw
Password: (enter password) (this is the password you will use to access node-red; yours will be different)

$2a$08$LAD8pMesZ6f5akNxgXbOvO/KK400WRaa2J/DqnoV4JTrn4sJd1h62

Copy the password.

Re-open the settings.js file
Locate the adminAuth section and paste the copied password over the existing password

adminAuth: {
    type: "credentials",
    users: [{
        username: "admin",
        password: "$2a$08$zZWtXTja0fB1pzD4sHCMyOCMYz2Z6dNbM6tl8sJogENOMcxWV$
        permissions: "*"
    }]
},

Save and exit

Start node-red
node-red-start
ctrl-c

Go to your browser and enter:
https://(your raspberry pi IP address):1880
Make sure to trust your self-signed certificate (it’s safe to do this as you created the certificate. normally you would not accept certificates from unknown sources)

Enter: admin (for username, or whatever you like)
Enter the node-red password that you set above
You will now see the node-red gui

Enable auto-start for node-red service on boot
sudo systemctl enable nodered.service

Now add some nodes that will be needed.

From the Manage Palette menu in Node-RED, search for:

node-red-dashboard and install the nodes (Graphical GUI nodes)

Now make a backup of the Raspberry Pi SD Card image
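The checks Paul describes in posts #3 and #10 (adminAuth present, not the image's default password, a bcrypt hash rather than plain text) and the https step from the instructions above can be turned into a small audit of a Node-RED settings object. The following is an added example, not code from this thread or from the Node-RED project. It assumes the real Node-RED settings `adminAuth`, `https` and `uiHost`, and the "known default hash" it carries is a constructed placeholder standing in for whatever hash an image file ships with; the sample configurations are constructed too.

```javascript
// Added example (not code from the thread or from the Node-RED project): audit a
// Node-RED settings object for the weaknesses discussed in this thread.
// settings.js exports a plain object, so the same object can be passed here.
// adminAuth, https and uiHost are real Node-RED settings; the "known default
// hash" below is a constructed placeholder, not the hash from any image.

// A bcrypt hash as produced by `node-red-admin hash-pw`: $2a$/$2b$/$2y$, a
// two-digit cost, then 22 salt + 31 digest characters (53 in total).
const BCRYPT_HASH = /^\$2[aby]\$\d{2}\$[./A-Za-z0-9]{53}$/;

// Constructed placeholder: put the hash shipped in the image's settings.js here
// so that "still on the default password" can be flagged.
const KNOWN_DEFAULT_HASHES = new Set([
  "$2a$08$abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0",
]);

// Returns a list of findings; an empty list means nothing to report.
function auditSettings(settings) {
  const findings = [];
  const auth = settings.adminAuth;

  if (!auth) {
    findings.push("adminAuth not set: editor and admin API accept anyone who can reach port 1880");
  } else if (auth.type === "credentials") {
    const users = Array.isArray(auth.users) ? auth.users : [];
    if (users.length === 0) {
      findings.push("adminAuth has no users configured");
    }
    for (const u of users) {
      const name = u.username || "<no username>";
      if (typeof u.password !== "string" || !BCRYPT_HASH.test(u.password)) {
        findings.push(`user ${name}: password is not a bcrypt hash (generate one with node-red-admin hash-pw)`);
      } else if (KNOWN_DEFAULT_HASHES.has(u.password)) {
        findings.push(`user ${name}: still using the default image password`);
      }
    }
  }

  if (!settings.https) {
    findings.push("https not configured: login credentials travel in the clear");
  }
  if (!settings.uiHost) {
    findings.push("uiHost not set: Node-RED listens on all interfaces; set uiHost to 127.0.0.1 if remote access is not needed");
  }
  return findings;
}

// Constructed sample configurations.
const UNPROTECTED = {};                       // fresh install, nothing set
const PLAINTEXT = { adminAuth: { type: "credentials",
  users: [{ username: "admin", password: "admin", permissions: "*" }] } };
const HARDENED = {
  https: { key: "<pem>", cert: "<pem>" },     // a real file uses fs.readFileSync
  uiHost: "127.0.0.1",
  adminAuth: { type: "credentials", users: [{
    username: "admin",
    // constructed, correctly formatted bcrypt hash (not a hash of any real password)
    password: "$2a$08$abcdefghijklmnopqrstuv0123456789ABCDEFGHIJKLMNOPQRSTU",
    permissions: "*" }] },
};

for (const [label, cfg] of Object.entries({ UNPROTECTED, PLAINTEXT, HARDENED })) {
  const f = auditSettings(cfg);
  console.log(`${label}: ${f.length === 0 ? "ok" : f.join("; ")}`);
}
```

Run it with node against a settings object loaded from `~/.node-red/settings.js`; the three constructed samples show the untouched install, a plain-text password, and a configuration that passes every check. The `uiHost` finding is the configuration-side equivalent of the port check in post #10: if Node-RED only listens on loopback, there is nothing on port 1880 for an external scanner to reach.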


(Glyn Hudson) #15

12 posts were split to a new topic: Upgrading NodeRED