That's my biggest fear TBH. I really like Node-RED for its flexibility and allroundedness - it's just a visual frontend for coding NodeJS after all
But as more people get into it, the more the pressure will be there to make it do everything - a good example of what can happen is the Ruby on Rails framework that - sorry to say, IMO - has become bloated and inflexible. Updates are hard and everyday more stuff is being added.
I really believe that more time should be invested in finding ways to provide even more extension possibilities (such as more events being generated at specific points in the start up phase) than pushing more functionality into Node-RED ... less is more!
It's hardly proof either way but some of my Raspberries with Node-red cannot connect to my 5GHz only router (192.168.1.1) so there is a 2.4GHz access point at 192.168.1.2. Nevertheless the Pies know the correct gateway:
route
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
default 192.168.1.1 0.0.0.0 UG 600 0 0 wlan0
192.168.1.0 0.0.0.0 255.255.255.0 U 600 0 0 wlan0
Is it really true that a connection forwarded from beyond the router appears to have the gateway IP?
Using @marcus-j-davies' whitelisting strategy NR can easily whitelist all possible private IPs. But if the gateway IP has to be excluded it's much more difficult. NR might be installed at one location (school) to use at another (home) or used at multiple locations.
Unless I have got the current discussion point wrong (entirely possible, it is Friday )
But the IP info that is forwarded by the gateway does retain the original IP header info.
I momentarily opened up my NR (port forward), where a HTTP node just wrote out req.ip
This is the IP my mobile phone was reported to have (I disabled WiFi on my phone), so does not appear to be my router or gateway
If I am not mistaken, the reported IP will be the last node to enter the WAN space.
Example : my mobile provider likely has various routers/gateways before my mobile enters the WAN space and the below IP address will likely be the last Node to forward traffic to my gateway/router (at least when speaking about WAN)
Many mobile phones will have this same IP for the same provider (and likely same region)
Thanks. So in that instance at least, NR does know that the connection is from a public (routable?) IP address. It certainly makes sense that it should know that.
So your scheme can perhaps safely whitelist all private IPs, thus by default allowing connection from devices on the LAN but forbidding it from the Internet (including your phone).
I think that would be effective on all platforms too.
No idea about any impact of IPv6
The IP address blocklist class I use (but in reverse)
I believe supports ipV6 - but I think you have to specify that it is an IPv6 address (as it defaults to v4)
OK - one quick thing I have done is to change the Pi/Debian/Ubuntu install script to always run the node-red admin init if there is no settings.js file (IE clean install) - such that that then asks you to set up an admin password. Previously the default was to timeout and skip that. Now the default is to run it, with a command line option --no-init for those wishing to script up installs with no interaction.
I've also proposed a PR for the node-red-admin to make the language stronger around the do you want a password question - and if the answer is no then to set the bind address to 127.0.0.1 only.
Obviously there could be more - as per blocklists allowlists etc - but ideas on making those easy to setup much appreciated.
PS - I realise this is only for users of "the script", but hopefully those are the main users we are trying to catch/help right now.
PPS - PRs also considered for the script as well as ideas
PPPS - the latest script should also now fix both nodejs install on bookworm and GPIO read/write on Pi5.
I'm certainly in favour of making it easier to set a password than not to.
Is it possible to move the prompts for this to the start of the install script, alongside "Do you want to install Pi specific nodes"?
Is there any hint or push towards username "admin"? (Hopefully not.)
A new frequently asked question:
I've installed Node-red on my new headless single board computer and I chose not to set a password - after all it's only accessible from my network.
But I can't access Node-red from my PC!
Is it possible to serve a static Node-red explanation page (Set up a username and password!) in this instance ?
Note that one of those recently reporting a hacked installation said
a) they had an admin password and
b) the installation was live for some months before it was hacked.
This maybe implies that the bogey spotted Node-red and then set about the password by brute force
Hopefully part of a future enhancement will be to count login attempts and report the count by a notification on the editor once successfully logged in
Nice idea but what is the call to action if I see this message? Is there a log with IPs and even then, it's the past so I can't know whether those IPs will come again.
A message like this is more confusing than useful - IMHO - since there is nothing I can do except click it away.
Perhaps something along the lines of "XY IPs have been blocked because of repeated login attempts. You can review these IPs here <insert link>." That would a) prevent tragedy b) give me something to do c) make me feel safe!
You could also investigate as to what was connecting to your device. The message itself is a call to do something, whether you or others do is entirely in your or their hands.
I was just thinking - at the moment - of counting bad password submissions, not really connected to blocking outside attackers.
It could be my bad keyboard skills, someone else in the office trying to share my work or aliens from the internet.
Not actually sure how NR could maintain a count (over reboot/restarts), never mind a list of IPs.
I suppose I am imagining a NR installation with username "admin" and password "Tr0ub4dor&3" where port 1880 is forwarded.
A bot quickly spots Node-red is there and sets about login attempts.
In this situation one might expect several failed login attempts before they are in and the damage is done. This is the window during which Node-red could call attention to the rising count.
What? There is a message and I don't know what to do ... but I have to do something. If I was a newbie and saw that message, what would I do? Probably come here and ask ...
)
I'm certainly in favour of making it easier to set a password than not to.
