Nodered - safe connection

Hello,

I installed Node-RED with the Node-RED install script, and at a certain point I saw this message at the end of the installation:

DO NOT EXPOSE NODE-RED TO THE OPEN INTERNET WITHOUT SECURING IT FIRST

Even if your Node-RED doesn't have anything valuable, (automated) attacks will
happen and could provide a foothold in your local network.

I have no particular informatic skills, can anybody help me to solve this problem?

Thanks

There is no problem to solve if you don't open ports on your router and expose it to the internet.

It's just a warning to be security minded if you do expose Node-RED to the internet.


EDIT for clarification.

If you simply install Node-RED, it will not become magically open to access from the internet (just like when your laptop is on WIFI or your desktop is plugged into your router - it can go "out" to the internet but others (hackers) cannot (simply) go "in" to your laptop or computer).

Thanks for the answer.

I'll explain my configuration better. I have my Raspberry Pi 4 connected to my smartphone hotspot. My laptop is connected to the same hotspot too, and I always connect to the Raspberry over SSH from the laptop. My hotspot is not free, it has a password to get connected.

Are there any risks in this situation?

Thanks

What you are doing there has nothing to do with opening a port to the internet to permit external users (i.e. people not on your LAN/hotspot network) to connect "in" to your Node-RED. There is only your laptop and your Pi on this hotspot network, therefore you are not exposing an open port (i.e. port 1880) to the internet and this warning is not relevant.

In short, this message does not apply to you. If however one day you decide to open port 1880 on your router because you want to access Node-RED on the PI while you are away from home/work then it would apply.

For example, if my Raspberry is at home and connected to the internet by an LTE dongle, and I want to have access to the Raspberry, for example by means of an SSH connection from my laptop, can I do that in some way? In case of a positive answer, should I protect the Raspberry in some way?

Yes. Anything is possible, and that is where the script's advice applies.

100% yes, read the following...

As long as your Node-red Raspberry Pi and the laptop are connected to the same wifi network then you should be perfectly OK, whether it's a home broadband router or your phone hotspot.*
It's a good idea to set up passworded access to the NR editor but that's all you need to do.

The danger starts if you decide it would be good to leave the Pi at home, on one network, and to connect to it with your laptop from work or the pub.
If you were to google how to do this, you would find advice to change the settings in your broadband router for "port forwarding", i.e. to allow an inbound connection from the internet on Node-red's port number 1880.
To be clear, never do this, ever!

* Not talking about public wifi networks here.

But NOT if that Wi-Fi is not yours - e.g. a hotel or internet cafe. (just to be clear).

Again, to be clear in case the other posts haven't registered:

Yes. And Yes.

You will find a section on this forum under the FAQs category for Security with some useful info related to protection.

And for absolute clarity - this is NOT a Node-RED issue. It is an Internet security issue. NEVER poke an inbound (from the Internet) hole in your firewall/router unless you have ALREADY plugged it with appropriate edge security services.

Better still, just NEVER allow inbound traffic. There are now plenty of free and paid cloud services that will let you avoid this issue by dealing with the security problems far more effectively than most people ever could. And they will keep up with emerging threats - no real effort on your part other than the initial setup, strong passcodes and regular software updates.

Thanks for all the answers. I think that I got it, that now I am safe :). I think that I will never connect to my Raspberry from my home because I can't apply all those protections that you cited (I am not so skillful); anyway, I will always use my phone hotspot. Thanks again.

Hello again,

I have a doubt concerning security. I always have my Raspberry Pi 4 connected to my smartphone's hotspot, and I connect to the Raspberry over SSH from my laptop. I want to integrate Telegram into my Node-RED sensor setup, following a guide found on YouTube.

In your opinion, could there be any risks in terms of security? I am not an expert, so maybe the question is stupid, but I want to be safe...

Thanks

As long as there is a password to connect to your phone hotspot and a password to access the Node-red editor you should be fine.

The only risk I see is if someone else sets up a wifi access point pretending to be your hotspot and your laptop connects to that, thus revealing the password.
It's a pretty remote possibility.

The danger is when you connect into a home network to access Node-red from the internet and that's not what you are doing.

Really no question is stupid when it comes to security. 🙂

Please read through my recent post on why Telegram is generally rather safer than exposing a web interface. It contains the information you need. Namely to ensure that you lock down the Telegram bot as much as possible and make absolutely sure that any inbound information is validated and sanitised as soon as it arrives.

If your setup is located in a less trusted environment, you will also want to take precautions, especially around the Pi: disable the default Pi user and group and set up specific ones for Node-RED (which will already be the case if you used Dave's install script) and your own login. Use SSH keys to do the logins, not passwords.

The less trusted your environment, the more precautions you should take but that is really outside the scope of this forum. Suffice it to say that there are areas of the world where you would NEVER want to leave a device on standby in a hotel room.
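
An added example (not part of the original posts, and not code from the Node-RED project) of the advice above to lock down the Telegram bot and validate inbound information as soon as it arrives, written as a helper for a Node-RED Function node. It assumes the receiver node delivers `msg.payload` as `{ chatId, type, content }`; the chat ID, command names and limits are constructed placeholders.

```javascript
// Added example: allowlist-based validation of an inbound Telegram message.
// Assumption: the receiver node sets msg.payload = { chatId, type, content }.
const ALLOWED_CHAT_IDS = new Set([111111111]); // constructed placeholder ID
const MAX_LEN = 64;                            // constructed limit
// Only these commands are accepted; everything else is dropped.
const COMMANDS = {
  "/status": { args: 0, check: () => true },
  "/relay": {
    args: 2,
    check: ([n, state]) => /^[1-4]$/.test(n) && /^(on|off)$/.test(state),
  },
};

const reject = (reason) => ({ ok: false, reason });

function validateTelegramMessage(msg) {
  const p = msg && msg.payload;
  if (!p || typeof p !== "object") return reject("malformed payload");
  // 1. Sender check: only chats you registered yourself may issue commands.
  if (!Number.isInteger(p.chatId) || !ALLOWED_CHAT_IDS.has(p.chatId)) {
    return reject("chat not allowlisted");
  }
  // 2. Type and size checks before looking at the text at all.
  if (p.type !== "message" || typeof p.content !== "string") {
    return reject("unsupported message type");
  }
  if (p.content.length > MAX_LEN) return reject("message too long");
  // 3. Printable ASCII only: no control characters or newlines reach later nodes.
  if (!/^[\x20-\x7e]+$/.test(p.content)) return reject("invalid characters");
  // 4. Exact command match; hasOwnProperty stops "constructor" etc. matching.
  const [name, ...args] = p.content.trim().split(/\s+/);
  if (!Object.prototype.hasOwnProperty.call(COMMANDS, name)) {
    return reject("unknown command");
  }
  const spec = COMMANDS[name];
  if (args.length !== spec.args || !spec.check(args)) {
    return reject("bad arguments");
  }
  return { ok: true, command: name, args };
}

// In a Function node with two outputs (accepted, rejected):
//   const r = validateTelegramMessage(msg);
//   return r.ok ? [{ payload: r }, null] : [null, { payload: r.reason }];
```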