Happy New Year (well maybe for some) ... A security warning

Hi all and happy New Year.

With a view to keeping things and people happy, an obligatory security warning to remind everyone that Node-RED is now global and people (including the bad people) are aware of it.

So please don't spoil your New Year by leaving unprotected instances of Node-RED on the Internet!

Have a look at the following excellent post by penetration tester Quentin Kaiser:

https://quentinkaiser.be/pentesting/2018/09/07/node-red-rce/

I used his Shodan query and found 2,500 or so discoverable instances of Node-RED (rather than the 777 in the original post). I chose a couple at random - one was secured, the other was totally open.

(You need a Shodan login to be able to run this search):

https://www.shodan.io/search?query=http.title%3A"Node-RED"

An open instance of Node-RED very likely gives high levels of access to at least the server it is running on and quite probably reasonable levels of access to the network. All things that the bored armies of hackers in various countries love to discover and "play" with.

11 Likes

@TotallyInformation try a simple port search for 1880; it finds a lot of open instances too.

Hey Julian,
Thanks a lot for sharing and reminding us about it!!!
This is so important, and I know so little about it ...

Just an idea that popped up in my head. Can't we create a node-red-contrib-security-check node, which contains a series of checkboxes for several security tests? Using an inject node, such checks could be triggered periodically, and with the next nodes in the flow the users can determine what to do when a check fails (e.g. send a mail as a reminder, ...).

Then we at least have a node-red way of checking our security.
You are the security expert: good proposal or pure nonsense?

Personally I think that's a bad idea. It would be hard to create a node that did a sufficiently meaningful check to not create a false sense of security.

Besides, if the system is insecure, someone could access the flows and disable the node without you being notified.

I'm a little conflicted about that. I certainly agree that a false sense of security would be a real danger. However, something that did some basic security checks in a consistent way might well be a really useful tool.

And there you've nailed the real issue I think. A checker really needs to be independent and kept on secure media so that it is kept safe. Of course, to run regularly, you would need to keep it somewhere more accessible, run under a safe admin account and regularly audit the code to ensure no unauthorised changes occur.

Having said that, I do still think that it is worth someone thinking about a set of security checks for Node-RED installs. As long as the documentation makes clear that it is only a partial solution.

Really though, it would be much better for a pen tester like Quentin to come up with the code as they are much more likely to think of things that we would miss.

Overall, an interesting and potentially useful suggestion - but, as you say, not as a flow or custom node.

1 Like

Ok, I've gotta ask.

So if the person has not set up any port forwarding or opened any holes in their modem (internet NTD) there shouldn't be any problems from a NR point of view?

@Trying_to_learn That is correct. Always good to have external tools to check your ports (like shields up from grc.com)

@TotallyInformation

Having said that, I do still think that it is worth someone thinking about a set of security checks for Node-RED installs.

I am not sure how this should/could work, but I think that upon install an awareness message (or first initial start up) that states that node-red should not be exposed to the internet unless you know what you are doing could make people more aware about security risks, perhaps even with a "I understand: yes/no" or something like that, although that wouldn't work for installations without the script.

Not sure I'd really agree with that - those kind of messages tend to be ignored and then they lose all meaning very rapidly. Also, it isn't so friendly to add friction to installs and I wouldn't want people to be put off using Node-RED.

Some kind of independently managed script would be better. This would be particularly useful to cyber security professionals who come across Node-RED installations as Quentin did as it would give them a useful starting point for testing. But it would also be useful to all Node-RED users in terms of increasing security awareness.

2 Likes

IMO logging in should be enabled by default and a unique password created during installation

1 Like

Not sure I'd really agree with that

You don't have to.

  • What does node-red have now ? Nothing.
  • What do you think would be the best solution ? PEN testing, cyber security professionals (pro = pro-money),
  • Is this the responsibility of Node-red ? I think not.
  • Is there a way to raise awareness of a potential risk ? Yes, multiple.
  • Does it need to be mitigated ? Maybe/maybe not.

it isn't so friendly to add friction to installs and I wouldn't want people to be put off using Node-RED.

Is this about security or about being friendly? How seriously should one take it?
It is serious software that can potentially damage a network and any form of awareness will help the user.

Why do you consider something being security related cannot be user friendly?

If we want new users to take it seriously, it needs to make it as easy as possible for them to do the right thing.

If it is not friendly to use, it won't get used.

2 Likes

Why do you consider something being security related cannot be user friendly?

I did not say that, that was an assumption from @TotallyInformation, which is why I said:

  • Is there a way to raise awareness of a potential risk ? Yes, multiple.

Sorry to disagree again but I didn't make an assumption about security vs user friendliness. What I said was that I didn't think the approach was friendly.

Many people run Node-RED on isolated systems and don't need the extra friction. Messages output on installation are only read by a few people, understood by fewer.

Ideally, anyone running any kind of system really ought to be aware that connecting it to the Internet is fraught with issues. That's not a Node-RED issue as such.

The unique(ish) issue that Node-RED has is that it is an incredibly powerful application builder wrapped for beginners and non-pros. That's great of course. But just like giving a petrol chainsaw to a 13-year-old, there might be one or two potential issues! :face_with_raised_eyebrow:

The real questions are

  1. How do we get across the issues - well, I think we already do pretty well with that between the docs and this forum. Could we do more? Not sure, certainly though I'm sure we are all open to suggestions and ideas.
  2. How do we help people find (audit) issues with configurations? That's really where a tool would help.

That was only part of what I said. I pointed out that a tool would be useful to all.

I mention pros because we now have a lot of pro/commercial users and my own experience shows that when you let people become power users without the backup of some security audit, reviews, etc., you end up with a disaster in the making. Far bigger problems than someone exposing their home network typically. Just because someone knows how to use a data processing tool, doesn't mean they understand the complexities of cyber security.

I agree. Hopefully I didn't imply that. Nothing stopping Nick or Dave taking it on of course. However, I don't think I'd willingly take this on myself either, I'm finding it hard enough to work out a sensible security strategy for uibuilder. A script like I mentioned would, as I said, be much better developed and gifted to the community by a cyber security pro. A specialist.

Sure. But awareness is a very tricky subject - as the political chaos of the last few years indicates to us. Put a message in front of someone regularly and their brain will tune it out - I can't quite remember the psychological term for that - a scotoma?

Anyway, this was meant to be a reasonably light-hearted reminder to sound in the New Year rather than anything too deep so maybe it would be best to leave the discussion here and return to it some other time.

1 Like

Founder of Shodan here. If you wanted to give security researchers a way to let any affected owner know then I would recommend supporting the new security.txt standard:

We also grab that information if available and show it to our users. For example:

And doing IP lookups via our API is free so users could also run a periodic check to see whether their current IP is exposed in any way, though that would require an API key.

If you have a registration process where the user provides you with their email (I'm not familiar with Node-RED) then you could match up emails w/ unique registration IDs and you'd put those registration IDs with your nodered.org email address in the security.txt file. That way the end-user's email would only get shared with you and you'd be able to periodically download all public instances of node-red and notify the owners.

9 Likes
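The periodic self-check the Shodan founder suggests above, as an added example written for this thread (not code from Shodan or the Node-RED project): it looks up the machine's current public IP via the Shodan host API and flags any banner that looks like Node-RED, using the indicators already mentioned in the thread (the "Node-RED" page title and port 1880). The REST endpoint URL and the "what is my IP" service are assumptions, the API key is a placeholder, and the sample host record is constructed so the logic can be run offline.

```python
import json
import urllib.error
import urllib.request

# Assumed endpoints (not from the thread): Shodan's host-lookup REST call
# and a public "what is my IP" service.
SHODAN_HOST_URL = "https://api.shodan.io/shodan/host/{ip}?key={key}"
MY_IP_URL = "https://api.ipify.org"
NODE_RED_PORT = 1880  # Node-RED's default editor port


def node_red_findings(host_record):
    # host_record: Shodan host JSON with a 'data' list of banners, each with
    # a 'port' and, for HTTP services, an 'http' section holding the 'title'.
    # Flag banners titled "Node-RED" or listening on the default port.
    findings = []
    for banner in host_record.get("data", []):
        port = banner.get("port")
        title = (banner.get("http") or {}).get("title") or ""
        if "node-red" in title.lower() or port == NODE_RED_PORT:
            findings.append((port, title))
    return findings


def check_my_exposure(api_key, fetch=None):
    # Look up the current public IP in Shodan and return (ip, findings).
    # fetch(url) -> str is injectable so the logic runs without network access.
    if fetch is None:
        def fetch(url):
            with urllib.request.urlopen(url, timeout=10) as resp:
                return resp.read().decode()
    my_ip = fetch(MY_IP_URL).strip()
    try:
        record = json.loads(fetch(SHODAN_HOST_URL.format(ip=my_ip, key=api_key)))
    except urllib.error.HTTPError as err:
        if err.code == 404:  # Shodan has no record of this IP: nothing indexed
            return my_ip, []
        raise
    return my_ip, node_red_findings(record)


# Constructed sample of a Shodan host record for offline use.
SAMPLE_RECORD = {"ip_str": "192.0.2.10", "ports": [22, 1880], "data": [
    {"port": 22, "product": "OpenSSH"},
    {"port": 1880, "http": {"title": "Node-RED"}}]}


def offline_demo():
    fake = lambda url: "192.0.2.10" if url == MY_IP_URL else json.dumps(SAMPLE_RECORD)
    return check_my_exposure("PLACEHOLDER_API_KEY", fetch=fake)
```

Run `check_my_exposure(<your key>)` from cron and alert (e.g. by mail, as suggested earlier in the thread) whenever the findings list is non-empty.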

Cool, thanks for popping in - welcome to the Node-RED forum.

I'll certainly have a look at that and see if we can't find a way to help Node-RED users improve their security. :grinning:

No, Node-RED is open source and mainly self-hosted. As a node.js based tool, it can be used for many different purposes so there is no way to know who is associated with a particular server other than the usual Internet searches on IP addresses and the like.

Many thanks for the excellent Shodan tool! While I don't often do operational cyber any more (I'm an IT Architect & designer), I do regularly recommend its use and it came in handy during the NHS debacle over Wannacry where I was able to identify a couple of vendors with NTLM exposed to the Internet.

node-red-contrib-shodan ??

Wouldn’t be too hard to make one, the API clients are great. I’ve been using the python libraries since 2013 I think.

I see that there is already a Node.js client too.
https://developer.shodan.io/api/clients

The REST API is also very feature rich.

https://developer.shodan.io/api

I donated beer money to Shodan when it was launched but now it is a different story for the 99% of us. Understand its value-for-money for investigators (academic or professional) but why would I want to know how active users are still on Wheezy (or all those Wyze devices)?

My Zenmap is on a daily cron. :grinning: