Node-Red Security – To Be or not To Be

You’ll find plenty of articles on adding or improving the security of Node-Red and countless other programs and utilities. What are not quite so prevalent are articles about removing security.

I’ve been using Node-Red for my home automation for years now and frequently get annoyed, as the dashboard security, when used on my mobile, often forgets the password or even the username and only this weekend in a call with my friend Mr Shark in Italy (Antonio) did we hit on the (presumably obvious) way around this.

/*
adminAuth: {
type: "credentials",
users: [{
username: "admin",
password: "$2a$0nonsenseHere/PasswordChangedToProtectTheInnocent/ruBBish",
permissions: "*"
}]
},

httpNodeAuth: {user:"user", pass:"$2a$0nonsenseHere/9eJMs4ZjeeAzeQ/BlegNottheRealPassword"},
*/

So – the code above has always (as far back as I remember) been in my Node-Red settings.js file (in the /home/pi/.node-red folder)

I stopped Node-Red, commented out the code as you see above, with a single set of C-style block-comment delimiters, saved the file (as user pi) and then restarted Node-Red. It WORKS. But why would anyone want to open up their Node-Red to all and sundry on the network or for that matter, the outside world?

Simple. No-one in my household of two people + 3 cats would have any idea of the relevance of the Node-Red access ports or how to find them (just as I have no idea where the my wife hides many of the household utensils) – as for the outside world, the ONLY way to access any of my network is via the VPN I have on my kit – and I’m the only one with access to that. No I don’t use standard ports.

Linux itself seems to be built on the foundation that you are at school and have a “supervisor” or are at work with a network manager. Well, can I be the only person in the world (5 million SMEs in the UK alone, many of whom have few if any employees other than the person who owns the business) who has never worked FOR anyone, never had a supervisor and never had my own handy network administrator (though I do lean on certain blog subscribers occasionally when I get stuck).

The general idea seems to be based on the premise that you, the user are basically computer-illiterate but you have access to someone who is not. I am not and I do not. I run my home automation for me, no-one else will go near it (the cats can’t reach the keyboard) and hopefully thanks to the VPN, no-one outside of my network has access. Did I EVER need any of that security palaver? apparently not.

Can it really be that simple?

The answer of course, is no – and my gratitude to those of you who have responded in the blog and many more who got in touch privately. If there is a security breach in the VPN then removing the passwords on Node-Red could indeed open up the system to abuse – so for now in the light of comments received I have re-instated that extra layer of security and anyone interested in the above might like to consider my doubts on the subject, tempting as it is to simplify security – but that does beg the question – how do we ensure that there ARE no issues with the likes of PiVPN- I keep it fully up to date – what else can be done to make sure it does it’s job at all times? Thoughts?

And please don’t suggest more complicated-to-set-up VPN solutions – but ideas for keeping PiVPN as secure as possible at all times would be most welcome.