
Increasing NodeRED security: 5 min guide

How secure is your NodeRED server?

Interaction with various devices and systems inside and outside your local network is the key element of IoT and home automation. The moment you take things outside of your local network, you should start paying attention to the security of your connections. Don’t leave your home automation system exposed to hacks and malicious attacks. I accidentally exposed my DNS server in one of my previous videos, which sparked some security-related write-ups and this article too. Increase NodeRED security with these simple steps.

NodeRED security

Let’s start with the basics. Change your Raspberry Pi password. No matter how good your NodeRED security is, if you leave your SSH access exposed, all the hard work is for nothing. If your Raspberry Pi is secured already, open up the NodeRED settings file:

cd ~/.node-red
sudo nano settings.js

Before you open this file, however, it’s good to generate the hash (the scrambled password string) for your password(s). You will need the following:

  • NodeRED admin access (username, password)
  • NodeRED HTTP & flow access (username, password)
  • NodeRED Static Auth (optional)

  • NodeRED admin – your access to the NodeRED editor
  • NodeRED HTTP and flow – your authentication for HTTP requests and access to nodes (ie: Dashboard UI access)
  • NodeRED Static Auth – authentication for static content like hosted pages etc.

To generate hashes, you can use the terminal command node-red-admin hash-pw, or use this link in a browser if you’d rather copy and paste the hashes from a computer. You will need at least one set, but creating a different username/password combination for the UI elements accessible to others is STRONGLY RECOMMENDED!

Before we jump into the credentials, consider changing the default PORT number (1880). It will make life harder for anyone scanning random IP addresses for the default NodeRED port:

module.exports = {
    // the tcp port that the Node-RED web server is listening on
    uiPort: process.env.PORT || 1880,

Edit that port number, making sure the new port is not already in use. Also, remember to set up the correct port forwarding rules if the port has been changed.

NodeRED security – login credentials

It’s time to add the login credentials. Open the settings.js file, pick a username of your choice, then enter the hashed password. These are the credentials responsible for logging into the NodeRED editor.

    // Securing Node-RED
    // -----------------
    // To password protect the Node-RED editor and admin API, the following
    // property can be used. See https://nodered.org/docs/security.html for details.
    adminAuth: {
        type: "credentials",
        users: [{
            username: "USERNAME",
            password: "PASS_HASH",
            permissions: "*"
        }]
    },

NodeRED security – HTTP and node access

In a similar fashion, edit the line responsible for HTTP access. You will need a username and a password hash. If a 3rd party issues HTTP requests to your server, DON’T reuse the editor login credentials here: the credentials travel with every HTTP request, so anything that sends or logs those requests will expose that password.

    // To password protect the node-defined HTTP endpoints (httpNodeRoot), or
    // the static content (httpStatic), the following properties can be used.
    // The pass field is a bcrypt hash of the password.
    // See https://nodered.org/docs/security.html#generating-the-password-hash
    httpNodeAuth: {user:"user",pass:"pass_hash"},

NodeRED security – HTTPstatic (optional)

If you are going to serve static content (httpStatic), you may as well add the proper authentication there too:

    // To password protect the node-defined HTTP endpoints (httpNodeRoot), or
    // the static content (httpStatic), the following properties can be used.
    // The pass field is a bcrypt hash of the password.
    // See https://nodered.org/docs/security.html#generating-the-password-hash
    httpNodeAuth: {user:"user",pass:"pass_hash"},
    httpStaticAuth: {user:"user",pass:"pass_hash"},

NodeRED security – SSL certificate

Lastly, you can secure the editor, the dashboard and the HTTP requests sent to the server (a very good idea, since the URL of a plain HTTP request carries the credentials in the clear) with SSL. I have a full separate guide on how to do this, so I’m going to link it here.

Remember, once SSL has been added to your server, you have to update all the URLs. The editor access, HTTP requests, and pages will now start with HTTPS instead of HTTP. If you use IFTTT Webhooks or other services with hardcoded URLs, you need to update these too.

OR

Alternatively, redirect the insecure connections to HTTPS from the settings.js file with this line:

    // The following property can be used to cause insecure HTTP connections to
    // be redirected to HTTPS.
    requireHttps: true,

Extra options – 2FA

If you want, you can apply an extra layer of security to your triggers too! I have created a two-factor authentication system for NodeRED which issues confirmation notifications to an Android device via Tasker.

Conclusion

There are a couple of more advanced options in the settings.js file. Consider them if you will. If you follow the advice in this tutorial, your NodeRED server will be more secure and harder to attack. Remember that working with any external service exposes your server to attacks, and leaving it unprotected is unwise. I wrote this guide as an intro section for the NodeRED for beginners: Connectivity tutorial, to make sure your first server is protected! If you are new to NodeRED, check out the guide!
