Securing the raspberry pi and Nodered

Hello again,
I have another question. A sort of chatter about the security of raspberry pi and the security of Nodered.

I understood that Pi was the most easily hackable user. I would have liked to replace it with another super user, a different name and different from the one we will be discussing here. I would take Alex as a test user to test all the test commands.

But then, how to better secure the Nodered / Raspberry pi couple?

Thank you very much for your help and answers.

Source? , If you change the default password and watch out with ssh access, i don't see why PI is easy to hack.

A good example here in video:
youtube > securiser-raspberry-pi

Suddenly, I said to myself that it was still necessary to secure, with a strong MDP, but also with another user in order to limit access.

As I prefer to be sure of good practices I ask;)

As far as my france goes, that's about capturing the handshake when login in to wifi access point and then brute force attack the password on the captured handshake.
This has nothing to do with raspbery, you can also do it with phone, tablet, laptop etc. And it's not so easy as showed in these videos. Brute forcing an 24 character long password will take even with a gpu weeks/month/years.

Simpel solution, connect your raspberry wired.

Personally I always change the default user. The less that everyone else knows about your system the better.

1 Like

Yes, I agree with Colin. What command line can I use to do this?

Something else: I type my http: // : 1880 and go straight to nodered without any password. That on the other hand that does not suit me because if someone has the address and the port -> grilled!

I am thinking of migrating the port already and then instigating a MDP to open nodered. But how do you do this?

"Securing Node-RED : Node-RED" Securing Node-RED : Node-RED

I just looked at the link. Very incomplete.
I do not see where and how to activate the authentication module. The tutorial is still not very explicit.

Can this be done from the command line or through an interface from node-red?

Is this what you mean?
If not then what do you mean?

Unless you have opened your LAN (or home network) to the outside world for that port, only people that have access to your LAN would be able to access your Node-RED editor. So the set of people is mostly reduced to your family members and visitors who you have shared your wifi password with (and are in your home) ... and smart burglars that get access to your LAN by directly plugging an ethernet cable in your router (but in case of burglars that would be the least of my worries :slight_smile: )

What do you mean by MDP ?

This is exactly what I'm looking for :slight_smile:

You do realise that's what the link I posted points to :joy::joy:

As @Steve-Mcl points out, he posted a link to the docs and you said

I then posted a link to a point half way through the guide and you said

Before posting that something is incomplete, you should at least read all of it.


THe insecurity of the default Pi user isn't about brute force. It is about other entry points and what you can do once you are in. The Pi user has access to just about everything and this is a terrible security model. Certainly wouldn't be permitted by any security team even just on an internal network let alone connected to the Internet.

That, of course, is because the Pi was designed for education. Making things as easy as possible to do quickly.

At least, it is sensible to create several new users. One for running Node-RED. One for "normal" access, e.g. SSH to view/change the config of the device.

What you do is really dependent on your risks and your willingness to take risks of course however.

Not so in any kind of larger environment I'm afraid. Lookup "Advanced Persistent Threats". The big target for advanced hackers is traversal. Being able to traverse from one system to another once they have a foothold in the network. There are many weaknesses that can be leveraged to achieve this and is the reason security people now talk about "Zero Trust".

Not a big risk perhaps at home because if you are hacked there, you probably have bigger worries anyway. But not a zero risk either. And no, I don't take extra measures on my Pi's either :grinning: - but in moving to my home server, I am certainly implementing more security since the risk is somewhat larger with everything running in one place and the possibility of some services being shared to the Internet later on. My dev machine is a different matter though since I use that for work as well and it is sometimes mobile. That is a LOT more secure. :mage:

I think that it is worth remembering that this forum is now used by more than just hobbyists but that some of the professionals here are not developers and may not be particularly familiar with Cyber Security.

Actually, in my experience a lot of developers are completely ignorant of Cyber Security :scream: That is one thing when you are just messing about with smart lighting in your home. It is something else when dealing with systems that literally make the difference between life and death.


Yes, this is the part I am looking for (in my files: the adminAuth path) without having found them. I misspoke my sorry answer.

I am limited in the number of answers and it takes a long time to have the right to discuss here again. So I'll save my answers.

@TotallyInformation: I totally agree with what you are saying. I want to keep it simple but very effective.

  • Limit SSH to the one person who is entitled to it.
  • Only create a root profile but which is not pi.
  • Have a user who has access to SSH and to nodered with an MDP independent of the root and independent of the SSH pass for Nodered
  • Limit the IPs (therefore kiler everything that does not belong to the authorized network.

For the moment I am looking for the right method, on the command line because I need to be able to do this remotely. Which makes me think that the legal system is not always explained and the net is not very easy to secure itself either.

What I have done :

  • Create a new user, give him sudoer rights
  • Make the new user belong to groups
  • Connect with the new user
  • Killer everything related to pi
  • Remove pi
  • reboot
  • Update (update and upgrade)
  • Modify passwords so that it is always mandatory
  • Modify the SSH (there are several solutions but I cannot reveal them to you here)
  • reboot
  • Install vim, build-essential git, curl
  • bash command to install node red

I still have to find adminAuth.

Basically I think I have already eliminated a few flaws. There will be some left anyway, but the most obvious are outside.

You should really do some reading about securing Linux servers. This isn't really a Node-RED thing. Getting a reasonable baseline isn't too hard but yes, it needs command-line knowledge.

As well as the things you've mentioned, you should go through all of the installed software on the Pi and get rid of everything you don't actually need. Also, take care about which users have access to the physical interfaces such as serial ports. Many tutorials for working with serial give really poor advice and so open up the device too far.

1 Like