Hello friends, I need your help on how to protect my application from hacker attacks. My application consists of a level monitoring system and I will be using Telegram to send messages when there is an event, but I could not understand about the vulnerability from node red. When using it, I'm theoretically opening a port to the internet when I need to use the telegram feature or to download repositories, so I end up having this vulnerability? What would be the best practices to protect my application and my server
Depends on how you use Telegram. There are 2 ways and the simples creates a connection from Node-RED to Telegram which is significantly less risky than creating an inbound connection.
Please have a look at this FAQ post for advice on how to safely access node-red over the internet.
Generally it is incoming ports that you need to worry about, as an open incoming port may allow a baddy to get into your system. Provided you have not opened any incoming ports in your router then you don't need to worry about that aspect of security.
Hello friend, so NodeRed when used with telegram does not exist a certain correct risk?
But a doubt that I have, when we are going to install some resources related to the libraries do we use the internet to download them? Thus there is some risk of vulnerability.
I do not intend to make my public application available on the internet as I understand the risk.
My only fear is that there is some risk of vulnerability, although the server has firewall systems and I believe that access will be difficult.
Thank you for your recommendations
And with each passing day I'm more in awe of the world of programming, especially NodeRed
The act of downloading libraries from the internet is no different to fetching web pages with a web browser.
There is a different potential risk, which is whether to trust the nodes you are installing. In theory a contrib node red node could be written by someone who wants to attack the system it is installed on. I have never heard of that happening though.
Nothing in life is risk-free I'm afraid. But if you follow that route, you will have a hard time doing anything at all. Paranoia is useful - up to a certain point. After that, it is simply debilitating.
Unless you are the target of a nation-state level aggressor, downloading well-known software libraries from well-known sources is generally fairly safe since any attacker is usually found out pretty quickly.
If you really do need to be that careful, you should download the libraries using a separate device and manually check the code. Once confirmed, take the code to the server using a known safe storage device and good-old sneakernet. But you would need to be seriously at risk of attack with some seriously valuable systems to make that really worth while and in that case, I'd advise against using Node.js at all (including Node-RED). Or Telegram for that matter.
Hello my friend, I understood about the risks and I believe that you helped me a lot, in this case I will leave the application on an internal network with this I believe it will be protected, I have been studying about Telegram and it allows a secure connection in addition to having the possibility to control the users who will receive the messages. Thanks a lot for your help.
Hello Colin, thanks your help-me. I'll be watching the libraries that will be installed and their developers..
This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.