Unexpected flow restart with loss of context files & tokens (google and telegram)!

Nope. Nor raspi-config.
The Pi authorities have known about this since September but have not [been bothered to] fix it.

Even standard users need to log in with a username and password to access the system, right?

Therefore I should have a trace in journalctl.

Am I wrong?

When you connect to the node red editor on port 1880 does it log that in journalctl?

I use Cloudflare Zero Trust as suggested by totalyinformation so I don't know about the built-in node red login system.

Also note that they only needed to get in once, possibly some time ago, to set up the cron job to keep messing with your flows.

It has been shown before that it is quite easy to do all sorts of things that you probably don't want "people" to do when using Node-RED. For example, there appears to be no way to prevent the settings.js being updated from Node-RED.

Basically, you cannot guarantee the full security of the Node-RED editor without some serious work as seen in the commercial FlowFuse offering for example. Node-RED is a very powerful tool and all too easy to misuse.

Having said that, some sensible precautions should be more than enough for most people.

If you need access to a Dashboard or UIBUILDER site from the Internet, use Cloudflare Zero Trust or something similar (unless you are part of an enterprise that has enterprise security tools already available).

If you need access to the Editor over the Internet - really? Well, if you really insist (and I don't really recommend it), again use something like CFZT but on a separate link with separate security settings.

In all cases, if you can further limit access, Cloudflare offers some great tools even for free users. For example, limiting access to certain countries - not perfect but every little helps.

I generally leave access to my live server's Editor OFF. If I ever need it, I can turn it on from Cloudflare's admin portal. In the past, before CFZT came along, I used NGROK and also left that OFF with a telegram bot command that let me turn it on and off remotely.

Sadly, the Internet has become a battleground over the years and especially over the last few years where we have open digital warfare between countries. This hybrid warfare is not theoretical and not something that "happens to someone else". I'm afraid it is very real and present.

Thankfully, for most of us, again, some sensible precautions are about all we need.

PS: Anyone else been targeted with fake SMS messages recently? I've had a few, specifically Binance. They ask you to ring a number if the attempted login or sell instruction wasn't you. Stay sharp out there everyone!

It can be done pretty easily.

  1. Make the settings file immutable with sudo chattr +i settings.js
  2. Disallow sudo for the Node-red user.

If you also make the flows file immutable I think Node-red still works but nobody can deploy changes, so it's effectively read-only.

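As an added example (not from the thread or the Node-RED project), a read-only audit of the steps listed above: it checks that the given files carry the immutable flag and that the Node-RED account has no sudo route through group membership or a sudoers drop-in. The account name, sudoers directory and file paths passed to it are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: read-only audit of the hardening steps above.
# The account name, sudoers directory and file paths passed in are assumptions.

# Succeeds if an lsattr flag string (first column of lsattr output) contains "i".
flags_immutable() {
  case "$1" in *i*) return 0 ;; *) return 1 ;; esac
}

# Succeeds if a group list (as printed by `id -nG`) includes a usual sudo group.
groups_grant_sudo() {
  for _g in $1; do
    case "$_g" in sudo|wheel|admin) return 0 ;; esac
  done
  return 1
}

# Prints the sudoers drop-in files in directory $2 holding a rule for user $1.
sudoers_rules_for() {
  grep -lE "^[[:space:]]*$1[[:space:]]" "$2"/* 2>/dev/null
}

# audit_node_red USER SUDOERS_DIR FILE...
# Prints one finding per line; the return status is the number of findings.
audit_node_red() {
  _user=$1; _sdir=$2; shift 2; _n=0
  for _f in "$@"; do
    _flags=$(lsattr -d "$_f" 2>/dev/null) || _flags=""
    if ! flags_immutable "${_flags%% *}"; then
      echo "not immutable (or lsattr unavailable): $_f"; _n=$((_n + 1))
    fi
  done
  if groups_grant_sudo "$(id -nG "$_user" 2>/dev/null)"; then
    echo "sudo via group membership: $_user"; _n=$((_n + 1))
  fi
  if [ -n "$(sudoers_rules_for "$_user" "$_sdir")" ]; then
    echo "sudo via sudoers drop-in: $_user"; _n=$((_n + 1))
  fi
  return "$_n"
}

# Runs only when arguments are given, for example (hypothetical account and paths):
#   sudo sh audit.sh nodered /etc/sudoers.d /home/nodered/.node-red/settings.js
if [ "$#" -ge 3 ]; then
  audit_node_red "$@"
fi
```

Reading the sudoers drop-in directory normally needs root, and rules in the main sudoers file are only covered here through the group check.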