Node-red LAN network security, updating and DNS settings

Hello all,

After a year and a half of use I can say: well done to Node-RED devs and contributors, it is a wonderful piece of software. Thanks to it I have succeeded in fulfilling my some-time-now dream to code after being given a project to develop a monitoring tool for my company.
And, thanks to this forum, the people have helped me (passively and actively) to overcome all problems (read: progress steps) I had.

Now, I have some more questions: :slight_smile:

  1. Recently my company started LAN screening for possible vulnerabilities, so, today they've told me they found vulnerabilities in my RevolutionPis - a vulnerability with the Apache.
    Some 15yrs ago I used to do some web programming using Apache as a server + PHP and MySQL, but I hadn't realized some of the current software runs on Apache. How to update it? (partial explanation in my question 2)

  2. My main Pi has got a Stretch linux from 12/2020 and I haven't updated anything since.
    I am afraid an update will break something because I have lots of old (no updates available) applications, such as:

  • Mdashboard (stopped receiving updates in 2019)
  • chromium-browser headless 32-bit (as far as I know this is outdated and replaced by a 64-bit version)
  • mutt email client (not sure if anyone uses this anymore)

+ Over 60 active MQTT connections, active SQLite storage which needs to be accessible on demand and a regular PDF creation which my colleagues use daily.

Will I break anything if I run:

sudo apt-get update
sudo apt-get upgrade
sudo apt-get dist-upgrade

?

  3. If I want to disable the Pi's access to the internet - how to do it?
    I need to be able to access it over a VPN.
    So, I've tried:
  • removed the DNS and gateway settings from the /etc/dhcpcd.conf file - result was the Pi wasn't accessible over the VPN
  • removed only the DNS - result: Pi accessible but can also go to the internet and return a ping from a google

Is there any other possibility which would allow me to block it completely from the internet, but to be able to access it from a VPN?

  4. Local DNS service - is there any way (has anyone tried it?) to be able to enter only a name in the browser, instead of the full local IP address+port+dashboard name?
    I suppose a local DNS server is needed - can it be installed on the Pi itself? Not sure the IT admin would allow me to install it on company servers...

Thank you very much for all your help

Well done them. Better late than never :slight_smile:

What OS is it running? Presumably some kind of Linux? So you will need to look up the best way to not only install a newer version but also to keep it up-to-date.

Assuming that it runs a form of Debian like most Pi's and Pi-like platforms, a google trawl should help.

https://www.google.com/search?q=apache+debian+linux+install

Best is if you find a repository that keeps up-to-date so that you can simply use the standard sudo apt update && sudo apt upgrade. Just note that the standard Debian repositories tend to lag quite a ways behind latest releases. While that can be nicely stable for many things, you may miss out on some security updates which is why, for some applications at least, it is better to add a faster-moving repository.

While you are at it, you should be updating the apps on the OS regularly anyway so firstly learn how to do that and then hopefully, updating Apache will be a bit clearer.

This isn't too risky if you are keeping your servers away from everything but really isn't acceptable on any business, enterprise, education or government network.

But the truth is that every week (pretty much every day) vulnerabilities are found in everyday common software and firmware. If you are going to use compute facilities, you really MUST be updating them. There is plenty written on the perils of not doing so - even for those who thought that their servers weren't connected direct to the Internet and therefore thought they were safe.

Yes, that means that some things may break.

The safest thing would be to back up your ~/.node-red folder completely and keep it safe. Better still, take a copy of the whole SD-Card. Then you know for sure that you have a known good version that will still run.

Then you have to start wading through updates. Alternatively, start with a fresh card and build from scratch. At least that way, you know that you know how to rebuild the system. Document as you go along so that the next time isn't quite so painful.

Probably! :grimacing: But you may be lucky, last couple of times I did that it worked OK. Just make absolutely certain you have a working backup.

You shouldn't. As you have a network team, they should do it for you. And they should be able to provide a VPN.

Also, you probably only want to make sure that inbound access is blocked not outbound otherwise you can't update any of the software directly and doing it indirectly is a pain to set up.

Yup, I do that at home. I have a router that supports "Hairpin NAT" which is just the ticket as it allows me to use the same name internally or externally should I need to (though my home servers certainly aren't accessible from the Internet). I just use it so that I can use my Let's Encrypt certificates internally.

Well, you can distribute entries to every device's HOSTS file but that probably isn't terribly feasible.

It could but it isn't particularly easy.

You shouldn't need to. Just ask them to add your server IP's to their DNS with a suitable name.


Thank you for your time :+1:

Agreed :slight_smile:

They said a vulnerability came from the Pi itself - it is running Debian Stretch.
Maybe they are mistaken? It may be a silly question, but does NodeJS 14 run on Apache to communicate with the frontend? I haven't found an answer to this on the web, except that it uses the Apache 2.0 licence... (presumably that's why this "investigating" software saw it that way....)

I plan to re-make it on uibuilder when this projects ends (near the end of the year), so hopefully I won't have to use outdated applications.

You mean, using an outdated Linux distro, NodeJS, Node-RED and everything all together?

I was told nothing can get in anyway because only the required ports are open.
We use a VPN when connecting from home. Should I use the VPN for the Pi to access the internet while looking for updates?

Ok I will talk to them.

No it doesn't. If apache is installed and you are not using it then you can uninstall it.

Possibly what they mean is that the default repositories for Debian are slow to update as I said. So you need a more up-to-date Apache version from somewhere else. For example, Debian versions of Node.js are very slow to update (see the reasoning behind the Debian approach on their website) - so I use the repository recommended by the Node.js project instead. Apache may be the same - I don't really know as I don't ever use Apache and haven't done for years.

No. Node.js will run as a separate process and typically uses Apache as a "reverse proxy", an intermediary if you like. It may do so to gain some efficiencies for web apps. There is also an alternative approach using 3rd-party software but it is rarely used these days.

No, these are separate things. If your network/IT team discovered something, they will have been reviewing versions of software that are providing services onto the network and will have discovered an out-of-date version of Apache that will have unpatched vulnerabilities. This is a common scanning technique.

While nice to hear :slight_smile: That is a somewhat different issue. The real issue here is that you need to keep your OS and all of the application packages that are installed up-to-date to avoid (a) accumulating unpatched vulnerabilities and (b) so that ongoing maintenance doesn't break things (as much).

The whole shebang I'm afraid. Every component carries the potential for errors and vulnerabilities. A typical OS with some typical packages will run to hundreds of thousands of files, sometimes millions. That is a lot of potential for problems. And is a LOT of potential updates.

That is OK as far as it goes. Edge security is the starting point for security though and not the complete picture. A well secured architecture uses layers of networking and each layer will have its own edge security.

For example, your Pi (or any device running a common OS) can have its own firewall such as IPTABLES. This would let you restrict entry to the Apache server not only by port but also by source IP address. So that only specific devices local to your network could get access and so reducing the possible footprint of vulnerabilities. Imagine that another device on the local network gets compromised - the attacker will then use that device to try to jump across to others. If you can restrict that sideways movement then you have reduced the possible attack vectors.

Now, does this matter to you or your IT dept? Well only you and they can answer that because there are lots of risk factors at work. But it is certainly not unusual for even seemingly low value networks to be compromised and then used for further attacks on other networks and typically it will be at least 12 months before such an attack is spotted if it ever is (it usually requires scanning by a specialist security vendor to spot such things, internal IT departments are usually too close to their own architectures to spot things). A lone Pi or similar device that is run by a non-IT person on a corporate network is a prime target for compromise with outdated and unpatched software and non-expert support, it will then be used to further attack other areas of the network containing potentially more valuable data or more processing that can be used for further attacks elsewhere.

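As an added example (not from this thread), here is the "port AND source address" host firewall described above, written in iptables-restore format: inbound is default-deny, outbound stays open so apt updates keep working, and the LAN/VPN subnets, plus ports 22 (ssh), 80 (the apache2 config site), 1880 (Node-RED) and 1883 (MQTT), are assumptions you would adjust.

```shell
#!/bin/sh
# Added example: generate a host firewall ruleset for the Pi.
# Assumed subnets (change to yours): LAN = colleagues/dashboards, VPN = remote admin.
# Policy: INPUT and FORWARD drop by default; OUTPUT accepts (updates still work).
gen_ruleset() {
    lan="$1"; vpn="$2"
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -p icmp --icmp-type echo-request -s $lan -j ACCEPT
-A INPUT -p tcp --dport 22 -s $vpn -j ACCEPT
-A INPUT -p tcp --dport 80 -s $lan -j ACCEPT
-A INPUT -p tcp --dport 1880 -s $lan -j ACCEPT
-A INPUT -p tcp --dport 1880 -s $vpn -j ACCEPT
-A INPUT -p tcp --dport 1883 -s $lan -j ACCEPT
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "pi-fw-drop: " --log-level 4
COMMIT
EOF
}

# Sanity check before applying: how many ACCEPT rules open a given port?
# Usage: allow_count <lan-subnet> <vpn-subnet> <port>
allow_count() { gen_ruleset "$1" "$2" | grep -c -- "--dport $3 "; }

# To apply on the Pi (persist it with the iptables-persistent package):
#   gen_ruleset 192.168.10.0/24 10.8.0.0/24 | sudo iptables-restore
```

Apply it from the console or over the VPN subnet you allowed for port 22, so a typo in the subnet cannot lock you out of the device.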

This is my process list sorted on SHR


It is surely installed, but how to know if the Pi is using it?

Anyway, why so many node-red and revpipyload processes?

Something like:

ps -ef | grep apache

You could also look to see what network ports are in use and by what - can't remember the command off the top of my head.
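The listening-ports check the reply above could not recall is `sudo ss -tlnp` (or `netstat -tlnp` on older images). As an added example, not from this thread, here is a small filter that turns that output into a port / process / exposure table, run here over a constructed sample of `ss` output so it works offline; the process names and pids are made up.

```shell
#!/bin/sh
# Added example: which TCP services on the Pi are reachable from the LAN?
# Real use on the Pi:  sudo ss -tlnp | listeners   (sudo is needed to see other users' pids)

# Read `ss -tlnp` output on stdin; print: port  bind-address  process  exposure
# "local" = bound to loopback only; "exposed" = bound to all interfaces, i.e. what a LAN scanner sees.
listeners() {
    awk 'NR > 1 && $1 == "LISTEN" {
        n = split($4, a, ":"); port = a[n]
        proc = "?"                      # "?" when ss could not show the owning process
        if (match($6, /\("[^"]+"/)) proc = substr($6, RSTART + 2, RLENGTH - 3)
        bind = substr($4, 1, length($4) - length(port) - 1)
        exposure = (bind == "127.0.0.1" || bind == "[::1]") ? "local" : "exposed"
        print port, $4, proc, exposure
    }' | sort -n
}

# Constructed sample of `sudo ss -tlnp` output (not a real capture)
SAMPLE='State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*         users:(("sshd",pid=612,fd=3))
LISTEN 0      511    *:80                *:*               users:(("apache2",pid=845,fd=4),("apache2",pid=844,fd=4))
LISTEN 0      511    *:1880              *:*               users:(("node-red",pid=901,fd=20))
LISTEN 0      100    127.0.0.1:1883      0.0.0.0:*         users:(("mosquitto",pid=702,fd=5))'

# Ports that need a firewall rule or a stopped service: the exposed ones
exposed_ports() { printf '%s\n' "$SAMPLE" | listeners | awk '$4 == "exposed" { print $1 }' | xargs; }

printf '%s\n' "$SAMPLE" | listeners
```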

Here is the result:

So apache is running, the question is why?

What do you see if you browse to the ip address of the Pi, in a browser?

A Pi manufacturer and a configuration site. I am using an industrial version of Pi.
Maybe they're using apache to serve this config site....

Well if you don't need that then stop apache running. Use
sudo systemctl stop apache2
If it says apache2 service does not exist then stop after apache and hit the tab key and it should fill in the rest for you. To prevent it restarting on reboot run
sudo systemctl disable apache2

If that doesn't give you any problems then you can uninstall apache.

Yes, apache2 is used to run Pi extension modules configuration screen in the browser.
Although it is already at the latest version (2.45), I think I can disable it after the project is complete.

You could disable it so that it will not run on reboot, then start and stop it just when you need it. Then you will know that there are not any undesirable side effects of not having it running.
To get the current state (running or not) you can use
systemctl status apache2
