Revisiting (ughhh!) security

All this boggles my mind a bit, I've been reading up on different scenarios trying to find, not only the easiest, but best for my situation. I have Node-Red on a pi on my home router's LAN, the dashboard having a single button which will soon need to be exposed to the internet. A very minimal app accessible by (phone) browser, used maybe a couple x's a week to operate my driveway gate.

At this point, I have a VPN installed and nothing else. So far, I've read:

Seems like the more I read, the more confusing things become! I used to have NOIP, but let it lapse due to inactivity over the summer months. Seems I'll need to renew or find another static IP service and install an HTTPS protocol & certificate service at the least. The nginx is a locally installed program, doesn't need $$$ or connection to a specific server?

I'd also like to PW-protect my Node-Red editor (from outside the LAN) but not the dashboard, is that even possible? Some of my family members are older than me and would find entering a UN/PW unwieldy.

Thanks!

Russ

When I expose my dashboard to the internet I do it through Cloudflare.

I like it as my IP is hidden and I can protect my editor (I configured Cloudflare so when you access the editor address it asks for identification, in my case with Github).

Have you thought about maybe using something like telegram for this?
No need to expose your dashboard and it’s easy to set up.


Interesting. I checked their web, they have a "Teams Free" plan that shows $0 per user, not sure if there's a base price? By user, do they mean site admins or individual "accessors" of the UI page? That could add up in a hurry. Anyway, looks like one has to sign up to get more in-depth info...

Russ

Is Telegram gonna show my UI, the one I spent 6 months building :grimacing: ? At first glance, it looks like another SMS service and requires each user to DL/install it on their phone...

Russ

No, but if you hook up Telegram to switch ngrok on and off, you can be up and running in about 5 minutes.

No :see_no_evil: but you were talking about a minimal way to operate your driveway gate. It's just one of the easier ways to do securish remote interactions with Node-RED for small use cases like this.
If, of course, you want the full power of your (I expect extensive) dashboard from outside your network, this will not be enough.
I use a VPN for that. Fortunately my wireless router by AVM has a free VPN built in.

I don't really know about the "Teams" function.

What I know is that you can add more emails for checking and does not look like there is a limit:

A VPN isn't that easy a solution to configure correctly. Especially if you don't have a fixed IP.

Something like NGROK is a lot easier but it needs a secure configuration. I posted one quite some time ago to the forum so look that up. Also, as has already been said, you could use a Telegram bot command to turn NGROK on/off to make it even more secure.

If this is ONLY for you and you insist on having a fancy UI, NGROK is going to be the easiest solution.

Do away with the UI and Telegram is by far the easiest way to get a nicely secured interface. It is text based but you can have a simple button "keyboard" if you like. I use Telegram commands to let me control lights remotely and to check their status, the status of other devices and such like.

There are a couple of things you can do via Cloudflare but mostly that requires a lot more setup. One to do once you are more confident probably.

If you are intent on going the whole hog, I would recommend using NGINX to front Node-RED - block any inbound access to your server except via NGINX. Hide the Node-RED port (just allow HTTPS port 443 and nothing else, use NGINX to translate to Node-RED's port). You will also need to configure Let's Encrypt in order to get a TLS certificate but that also needs a defined domain name that you will need to pay for (a few bucks a year). Using Caddy instead of NGINX has the advantage of built-in Let's Encrypt. Personally, I use the acme.sh script with CRON to automate the renewals. Unfortunately, unless your DNS provider supports the right protocol, you also need to expose 1 URL on port 80 for Let's Encrypt to work. That is best done via the web server.

But all of that only really touches the surface of securing your system and this should not be taken lightly. It takes less than 30 seconds for a new system attached to the internet to be attacked by bots. We've also seen targeted attacks against open Node-RED systems. So don't be fooled into thinking that your system won't be noticed or "isn't important enough", that's rubbish I'm afraid.

Oh, and don't forget that a Pi is NOT A SECURE SYSTEM!!! If that is what you are using.

Pi's typically come pre-configured for convenience of playing/discovery, not for security. Add a new user id with a strong passcode and mirror the pi user's groups. Then remove the pi user completely. That is the absolute minimum. There is much more to do if you intend to keep your system on the Internet 24/7.

And yes, you can configure Node-RED's admin and Dashboard separately.

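An NGINX site configuration that does what the post above describes (only 443 exposed, a single port-80 path for the Let's Encrypt HTTP-01 challenge, Node-RED reached only through the proxy). This is an added example, not configuration from the thread or from the Node-RED project. The hostname `gate.example.com`, the certificate paths, the ACME webroot `/var/www/acme`, the LAN range `192.168.1.0/24` and the assumption that Node-RED listens on `127.0.0.1:1880` with its editor moved to `/admin` are all assumptions for the example. The `/admin` block goes a step further than the post: it limits the editor to LAN addresses on top of Node-RED's own login; drop the `allow`/`deny` lines if you want the editor reachable from outside with just the password.

```nginx
# Port 80 exists only so Let's Encrypt can fetch the HTTP-01 challenge file;
# everything else on 80 is redirected to HTTPS.
server {
    listen 80;
    listen [::]:80;
    server_name gate.example.com;

    location /.well-known/acme-challenge/ {
        root /var/www/acme;          # matches: acme.sh --issue -d gate.example.com -w /var/www/acme
    }
    location / {
        return 301 https://$host$request_uri;
    }
}

server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name gate.example.com;

    # Assumed install location of the acme.sh-issued certificate and key.
    ssl_certificate     /etc/nginx/certs/gate.example.com/fullchain.cer;
    ssl_certificate_key /etc/nginx/certs/gate.example.com/gate.example.com.key;
    ssl_protocols       TLSv1.2 TLSv1.3;
    add_header Strict-Transport-Security "max-age=31536000" always;

    # Dashboard (and anything else Node-RED serves). Node-RED itself is bound to
    # loopback (uiHost in settings.js), so this proxy is the only way to reach it.
    # The Upgrade/Connection headers matter: the dashboard runs over websockets
    # and silently stops updating without them.
    location / {
        proxy_pass http://127.0.0.1:1880;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }

    # Editor (httpAdminRoot: "/admin" in settings.js): LAN clients only, in
    # addition to Node-RED's adminAuth login. Everyone else gets a 403.
    location /admin {
        allow 192.168.1.0/24;        # assumed home LAN range
        deny  all;
        proxy_pass http://127.0.0.1:1880;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
```

Check it with `sudo nginx -t` before `sudo systemctl reload nginx`, and on the router forward only TCP 80 and 443 to the Pi; 1880 should not be forwarded at all. Note that the LAN `allow` is judged on the client address NGINX sees, so a VPN client that lands on the LAN range will pass it, which is usually what you want.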
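The "admin and Dashboard configured separately" point from the post, as a `settings.js` fragment. This is an added example, not settings from the thread or shipped by Node-RED; the username, the placeholder hash, the `/admin` path and the assumption of a reverse proxy on the same Pi are all assumptions. The setting keys themselves (`uiHost`, `uiPort`, `httpAdminRoot`, `adminAuth`, `httpNodeAuth`, `ui.path`) are Node-RED's own. The small `checkSplitAuth` function at the end is a pre-start sanity check I added to catch the two easy mistakes: pasting a plaintext password where a bcrypt hash belongs, and setting `httpNodeAuth`, which would put a login prompt on the dashboard too.

```javascript
// settings.js fragment: editor behind a login, dashboard open, port 1880 hidden.
// Added example with assumed names; the keys are Node-RED's documented settings.
const settings = {
    // Bind only to loopback: 1880 is then unreachable from the LAN or the
    // Internet, and the reverse proxy on 443 becomes the only way in.
    uiHost: "127.0.0.1",
    uiPort: 1880,

    // Serve the editor under /admin instead of / so the proxy can treat the
    // editor and the dashboard as distinct paths.
    httpAdminRoot: "/admin",

    // Editor login. Generate the hash with `node-red admin hash-pw` and paste
    // its output here; the value below is a placeholder in the same format.
    adminAuth: {
        type: "credentials",
        users: [{
            username: "russ",                                   // assumed
            password: "$2b$08$PLACEHOLDER_REPLACE_WITH_node-red_admin_hash-pw_OUTPUT",
            permissions: "*"
        }]
    },

    // node-red-dashboard at /ui. httpNodeAuth is deliberately absent: setting
    // it would put HTTP basic auth in front of the dashboard and every
    // HTTP In node as well, which is exactly what the OP does not want.
    ui: { path: "ui" }
};

// Pre-start check of the "editor locked, dashboard open, port hidden"
// invariant. Returns a list of problems; an empty list means the split is
// as intended. Run it with e.g. `node -e 'require("./settings.js")'` after
// adding a console.log, or just call it from a small script.
function checkSplitAuth(s) {
    const problems = [];
    if (!s.adminAuth || !Array.isArray(s.adminAuth.users) || s.adminAuth.users.length === 0) {
        problems.push("adminAuth missing: the editor would be open to anyone who reaches it");
    } else if (s.adminAuth.users.some(u => !/^\$2[aby]\$\d\d\$/.test(u.password))) {
        problems.push("adminAuth password is not a bcrypt hash (plaintext pasted?)");
    }
    if (s.httpNodeAuth) {
        problems.push("httpNodeAuth set: the dashboard would prompt for a login too");
    }
    if (s.uiHost !== "127.0.0.1" && s.uiHost !== "localhost") {
        problems.push("uiHost is not loopback: port 1880 is reachable without the proxy");
    }
    return problems;
}

module.exports = settings;
```

Keep `uiHost` on loopback only if the proxy runs on the same Pi; if NGINX lives on another box, bind to the Pi's LAN address instead and firewall 1880 to that one source.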
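The "new user, mirror the pi user's groups, then remove pi" minimum from the post, as a script. This is an added example, not something posted in the thread. It assumes Raspberry Pi OS (so `deluser` and the `/etc/sudoers.d/010_pi-nopasswd` file that grants `pi` passwordless sudo exist); the new login name is whatever you pass in. The group-list helper is separated out so the only non-obvious step, dropping `pi` itself from `id -nG pi` before feeding the rest to `useradd -G`, is visible and checkable.

```sh
#!/bin/sh
# Minimum Pi account hardening: replace the default "pi" account with a new one
# that has the same supplementary groups, then delete "pi". Run as root.
# Added example (assumes Raspberry Pi OS); nothing runs unless a subcommand is given.

# secondary_groups PRIMARY "SPACE SEPARATED LIST"
# Prints LIST minus PRIMARY, comma-joined, ready for useradd/usermod -G.
secondary_groups() {
    primary="$1"
    list="$2"
    out=""
    for g in $list; do
        [ "$g" = "$primary" ] && continue
        out="${out:+$out,}$g"
    done
    printf '%s\n' "$out"
}

# add_admin_user NEWLOGIN: create the replacement account with pi's groups
# (adm, sudo, dialout, gpio, i2c, spi, ... whatever this image has) and set
# its passphrase interactively. A strong passphrase here is the point.
add_admin_user() {
    new="$1"
    groups="$(secondary_groups pi "$(id -nG pi)")"
    useradd -m -s /bin/bash -G "$groups" "$new"
    passwd "$new"
}

# remove_pi_user: log out of pi first and run this from the new account
# (deluser refuses while pi has a session). Also drops the NOPASSWD sudo rule
# Raspberry Pi OS ships for pi so it cannot be inherited by a future "pi".
remove_pi_user() {
    deluser --remove-home pi
    rm -f /etc/sudoers.d/010_pi-nopasswd
}

case "${1:-}" in
    add)       add_admin_user "$2" ;;
    remove-pi) remove_pi_user ;;
    "")        ;;   # sourced or run without arguments: define functions only
    *)         echo "usage: $0 add NEWLOGIN | remove-pi" >&2; exit 2 ;;
esac
```

Order matters: `sudo sh harden.sh add russ`, log in as `russ` (SSH included), confirm `sudo` works and Node-RED's service still starts, and only then `sudo sh harden.sh remove-pi`. If Node-RED was installed under the pi account, its files live in `/home/pi/.node-red` and will go with `--remove-home`; move or reinstall them for the new user first.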

All great suggestions to get me looking in the right direction. As stated, OpenVPN (using Private Internet Access) is installed, configured, and running. It was actually one of the easier setups so far. Gonna read up on ngrok tonight. I thought my router had a "DMZ" mode but paged through the options and couldn't find it. Not sure it would help though...

Thanks!

Russ

If you already have OpenVPN working and well configured, you don't need NGROK.

NGROK is an HTTP VPN that uses a small client on your internal endpoint to reach out to an intermediate server on the Internet. You connect to the intermediate which routes you through to your server.

That way, you don't have to configure your router.

Just remember that a VPN is only as secure as the external endpoints that are allowed to connect to it. If you leave your laptop on standby in a hotel room in Moscow then the hacker who breaks into the laptop while you are having dinner will have access to your internal network.

And yes, that is a very common issue, especially if you work in government, health or for any decent sized corp. :slight_smile:

A DMZ only helps if you have a secondary server that sits in the DMZ separate from servers that sit on your internal network.

This is certainly a much more secure configuration - as long as you configure it correctly! Which even many big corps don't. It is only really effective if you only ever connect OUT to it from your secure network when updating it, putting data onto it or getting data off it. That way, if anyone breaks into the server only the things on the server are at risk and even that can be reset from your more secure internal network. Anything sensitive that might go on the server from the outside world (such as customer information) should be removed by a process on a more secure server ASAP.

Really, you need two firewalls of different makes to be really secure (overkill for most home setups of course). One between the Internet and the DMZ and one from the DMZ to your internal network.