Configuring Public Node-RED Server on RPi

Can someone please help me figure out how to use DDNS services to configure my Node-RED server? I honestly don't know what I'm doing. I'm using noip.com's DDNS services and I've gotten a hostname and installed the DUC on my RPi. The DUC is fully working, but every time I access the hostname on my RPi or on my phone, the connection times out. Do I have to mess with my Node-RED settings file in order for it to work? Or do I have to play with my router somehow? Also, how can I secure everything to prevent hack bots? I'm very new to this so any advice at all would be very helpful! :smiley:

From your quote, I'd have to ask whether you are really sure you want to expose your Pi and Node-RED to the Internet if you aren't sure what you are doing? The Internet is a big, often lawless place that sucks in and spits out unprepared servers for breakfast. It takes under 30 seconds for a new end-point on the Internet to start being attacked by bots. And we have seen attacks against improperly secured Node-RED services too.

2 Likes

If you do this... assume your Pi will be hacked, assume you will have to replace the content of your SD card on the Pi often, because it has been compromised. Always have a known good clean backup image.

Isolate your Pi from the rest of your internal network. For example, I have two firewalls in my home setup, one is the basic firewall on my internet router, another is a separate dedicated device... on the second firewall, it protects all my wired devices on network A, all my wifi is on network B.

Thus, these 3 zones, let me monitor each zone as needed. Zone 1 is router to firewall, no devices here in my case, Zone 2 Network A, Zone 3 Network B. In your case, you will want to put the Pi in the Zone 1 network, so you have a layer of protection between it and the rest of the home network.

Whatever you do, never use the DMZ or open port that many home routers have, that has no realistic protection. And, never believe your ISP when they say they filter traffic and protect their network, they due, but they never block things fast enough or fully, so always assume what traffic hits your internet router, is or can be a threat by default. And this should be obvious, you will need to create custom firewall rules on you internet router to allow limited access. Moreover, validate firewall rules to make sure what you allow in zone 1 to the Pi, is explicitly disallowed in Zone 2 (and/or Zone3).

1 Like

Can you teach me how to get it properly secured then? It’s really important that I create my own personal Node-RED server because I have a bunch of projects that depend on Node-RED flows to function, and the previous server I kept my flows on is going to be deactivated soon. I understand that it’s a big security risk, but it’s nothing I can’t learn, right?

1 Like

Since you said that you have a hardware firewall and a software firewall, do you think the RPi can act as it’s own firewall in place of the hardware one? Or would that lead to even more problems in terms of security?

What do you mean by this? How will I know if my data’s been compromised?

Can you configure a software firewall on the Pi, in the Pi OS... yes you can. But that would not protect the rest of your network.

How you know the Pi has been compromised, is a deeper question. There are methods to 'check' the OS file system, has been changed. But none of these are simple or straight-forward. A Pi of course is just like any Linux based device, so using Linux OS based methods to validate the device, i.e. file system and memory for malware or virus, etc., are applicable.

1 Like

One method is to setup the Linux OS on the Pi to run as read-only, but this is tricky because so many processes expect to have write access to the file system. That said, there are examples of how Linux can be run in a read-only file system. If I was going to do this...I would serious consider if that is possible for the given need or situation. A place to start https://wiki.debian.org/ReadonlyRoot.

Another thing I would consider is PXE boot of Pi, so that every time you reboot or power the Pi a completely clean OS is deployed to it. PXE is quite new to the Pi world, but the new Pi 4 models support PXE boot. I have just started looking at PXE and Pi use, since I can run my node red on my Pi 4, so I can deploy everything in one shot if something breaks in node red.

2 Likes

Yikes... that’s scarier than I thought. Is there any other way I can somehow make my Node-RED server external instead of internal, or is this the only way to do it? I’d rather not compromise the security of my home network...

To do it safely... this is the way. I know of a fortune 50 firm that was going to use Pi devices as a security honey pot, thinking that hackers would attack the Pi, like any device, once they got into the internal network, and the security team could 'watch' the Pi device for evidence of an attack. The project never left the lab, for a number of reasons, hence you, I am sure gather, why I know a lot about this? :slight_smile: One of the issues was how to effectively always know that an attack resulted. All of the issues found could have been solved, but the security team lost interest in the idea, it was just something explored but declined to finalize and deploy.

Anything visible to the net is scary... your typical game console... XBox and PlayStation HAS EXTENSIVE safe guards because of this. You would not believe how hard hackers are trying to break into XBOX consoles all the time. Rumor is Sony PS systems have been cracked more than once. But you will not hear about it in public. There are also claims that XBOX has been hacked, but of course Microsoft states it has never happened, cough.

Why would you want to do this ? An easier route may be to use a vpn to connect to your home network instead.

There is an article in the docs about securing.

https://nodered.org/docs/user-guide/runtime/securing-node-red

Yes, a VPN would be more secure but limited.. but if that is sufficient so be it. Establishing HTTPS connecity to your node red device is good step but not the end all. There are ways to compromise HTTPS, but that is not the real threat. It is a question of risk, to your local network, not the node-red device alone. Hence why I explained how I would isolate a node red instance from the rest of my local network. I stress this, because I have seen friends open holes into the local network, thinking all they were doing was exposing a single device to the public net.

I am nervous about software VPNs... given I only worked with hardware VPNs. Because the degree of risk with hardware VPNs is less, but it is not realistic to carry around a hardware VPN with your phone. :slight_smile: That said, there are many entities that use software VPNs... until they are compromised. If the NSA is monitoring... cough... they are know to have exploits to get into anything, they never publish to anyone, including security firms and VPN developers. Ask Iran about it, they learned the hard way. Just saying... Is that a noise out side my door?

Well, you should start with a search through this forum as much has already been written.

Subjects such as firewalls, reverse proxy's, TLS/SSL (HTTPS), secure websockets (wss), certificates and "Let's Encrypt" are all things that good web security practices will touch on so it can be a bit of a steep learning curve. There are some great tutorials online though and I'd recommend doing a basic web security tutorial if you are starting from scratch. That should give you the concepts and the basics.

There is some Node-RED specific security information in the docs and elsewhere online including my own blog.

Because of the complexities (and the results of getting it wrong), many people choose to avoid the problem by implementing a secure messaging "bot" interface via Telegram or similar. Alternatively, and more useful if you need access to the Editor from remote locations, you should look at something like NGROK where you trust a 3rd-party to provide you with a secure proxy that requires minimal setup. You may find this flow post useful to ensure that you set up NGROK securely.

Yes it can and that is OK if the Pi is the only thing on your network. If not, it is better to have a firewall in the router which you will almost certainly have.

Yes, certainly. There are several cloud platforms that will let you run Node-RED. The IBM cloud is a good place to start since that is where Node-RED originated (IBM that is). Some folk have been successful with the free tier of the Oracle cloud. There are also a few Node-RED specific cloud services. More expensive but you can use cloud services like Azure or AWS but those are a bit more complex.

Lets be clear here - a VPN can be secure but it isn't a sinecure. A VPN extends your LAN to your device so it is only as secure as your device and that is a whole other discussion.

What you haven't done and nobody has asked is say what you want to get out of having NR exposed - is it to let other people access it or simply for you?

If it is only for you - something like NGROK is the way to go. It requires minimal configuration to get secure - just note that the default configuration is NOT SECURE. NGROK is going to be a whole lot easier to configure and has less impact on both your laptop and your LAN.

A hardware VPN is just software running on some tin! :slight_smile: OK, so it is more locked down and, if really expensive, will have hardware encryption on it. For personal and small-business use, software VPN's are generally good enough. BUT only if you are properly securing all of the endpoints as I say above. The biggest weak point of any VPN is actually the end user kit - well, the users themselves really.

So lets get back to reality. If the need is to let you, the owner, get access to Node-RED remotely, with minimal experience and configuration, something like NGROK is the right way for most people.

If you need to give other people access - lets say to your Dashboard, then you need to configure your router/firewall and add something like Caddy as a reverse proxy with Let's Encrypt certificates. I would also add Cloudflare as an extra cloud proxy (so the only thing allowed to talk to your Pi is the cloudflare endpoints, they take care of other stuff). Then I'd add a local firewall and fail2ban. Complex but not impossible even for someone with no experience.


Perhaps I should have said what I do (and yes, my day-job includes enterprise security).

I use Telegram bots for most remote interactions. Anything simple like knowing if someone pressed the front-door bell or the humidity is high. Or turning lights on and off, that kind of thing.

If I really need full access to the Editor, I have a Telegram command that turns on NGROK (all via Node-RED of course). Then I can do what I want and then turn it off again. Simple, secure.

2 Likes

Not being familiar with NGROK... that was a really interesting read. The local network complexities aside, really interesting what NGROK does. The real weakness... is the end user (and kit), you are not kidding. Greatest protection in place, and one well crafted phishing email... all for not.

If or when you get to the local firewall setup, there are quite few simple appliance oriented solutions. Just about any old PC can handle it, providing you have enough NICs (for in and out bound traffic). If you want to check out something that is straight forward for a firewall look at something like ipFire https://www.ipfire.org/.

It isn't the only tool like that but it is certainly the best known. You do, of course, have to trust the vendor but that is a small risk - tiny even - at least for personal use. I wouldn't be happy to see that as a suggestion at work of course but that is a very different risk level as those that know where I work will understand.

There really isn't any local complexity either with NGROK. You just need to install the client and use it as indicated in my flow. Just make sure you turn off the non-TLS secured interface.

1 Like

True, you always end up trusting someone, somewhere, somehow, with security designs. As for the local complexity... just reference to how I suggested he setup his local network, local firewall, etc.

I am retired now, but before, yes, working for a fortune 50, countless hours validating firewall rules, scoping. When we implemented additional firewalls internally, to segment security zones not only by geographical scopes but also by function, dev, UAT, prod, type of thing... it was a PITA.

Ah, OK. But no need for that with NGROK since the client makes an outbound connection to the remote proxy. So no inbound connections needed which should be the default for any network and is how even domestic routers are configured of course.

We probably shouldn't scare @BrainBomber100 even further by talking about WiFi weaknesses! :smiling_imp:

Seriously though, NGROK is good enough for most home use.

1 Like

Right, right, good point. What I did for my zoning, was because for me it was straight forward... and yes... why I did it was to isolate WIFI from my wired resources, definitely.

I am not to the point that I plan to publish my node-red per se, but NGROK is on my list, appreciate the mention of it.

Ah... in due disclosure... It also let me isolate the 'gamers' here at home. I seriously doubt they know they are QoS'd a bit, [cough], [cough].