A little extra security (Fail2Ban) plus Node Red auth

Since most of you (like me) will forward ports on your router so that you can reach the Banana from outside your local network in various ways, a good first step towards security is to block brute force attacks and specific request patterns. For example, if anyone fails to log in through SSH 3 times in a row, their IP will be banned.

For that we will need to install Fail2Ban. This is pretty straightforward with:

and you are done! This comes preconfigured for services like SSH and Apache (although you need to enable the Apache one).

As you can see with

If you want to make any changes, do so. To enable Fail2Ban for Nginx though, we need to add new rules in jail.local (whatever is in this file overrides jail.conf) and make the proper settings there.

Sergej Mueller has predefined rules on his GitHub page. You can download the zip file from there, then copy his jail.local to your /etc/fail2ban and the 4 files from the filter.d folder into /etc/fail2ban/filter.d. If you don’t have easy access (FTP or Samba), just make new files with nano and paste their code.

For the other four files, first go into the subdirectory:

And let’s make files and copy/paste their code.

nginx-badbots.conf

nginx-badrequests.conf

nginx-noscript.conf

ssh-auth.conf

After we have all the proper files at their proper location, let’s restart the service and we are all set.

So now we have increased server security, with a minimal resource cost. Not bad at all.

Node Red Auth

If you followed the instructions of the previous post, you should have Node Red installed on your Banana Pi. There is an issue with the default installation, though: it requires no authentication at all, and if you allow access to Node Red from the internet this can be a major problem.

Thankfully, getting Node Red UI to ask for a username and password to get access is pretty easy.

But first we need to have the MD5 hash of our desired password. To get that, simply run this command:

which will return a string of characters. Copy that string and let’s put it in our settings.js.

Here, apart from the uiPort that you can change from 1880 to something else, search for this line:

uncomment it, set user to your desired username, and paste the MD5 hash that you copied earlier as the pass value. Restart and you are ready!