Protecting a lock switch securely with MySensors and Domoticz
-
@monte Hmm, not a bad hack and easy one too. However, when using mobile devices and the maximum of ten choices in the dummy selector you need to use drop-down menu. Not very user friendly for pin input... Going to have this as a backup idea anyway. :)
@jkandasa What I understand reverse proxy is a good solution when you don't have dozens of ESP8266 nodes already directly connected to Domoticz as Mysensors LAN gateways or...they use port 5003 and I should reverse proxy only the web gui port, right? In that case wouldn't that mean that every time I open Domoticz from any intranet device (mobile, laptop, pc), it would require authentication unless...I would define static IPs to all of them and whitelist them...?
@sushukka According to https://www.domoticz.com/wiki/Application_Settings#Local_Networks
you can setup your domoticz to be used without protection if your nodes uses a internal network (192.168.. etc)
Local Networks
The Local Networks setting lets you define the source networks for which Domoticz will not request a login. Wildcards (*) and multiple networks separated by semicolons (;) may be entered. -
@monte Hmm, not a bad hack and easy one too. However, when using mobile devices and the maximum of ten choices in the dummy selector you need to use drop-down menu. Not very user friendly for pin input... Going to have this as a backup idea anyway. :)
@jkandasa What I understand reverse proxy is a good solution when you don't have dozens of ESP8266 nodes already directly connected to Domoticz as Mysensors LAN gateways or...they use port 5003 and I should reverse proxy only the web gui port, right? In that case wouldn't that mean that every time I open Domoticz from any intranet device (mobile, laptop, pc), it would require authentication unless...I would define static IPs to all of them and whitelist them...?
@sushukka We can define IP based authentication on nginx.
Have a look at these blogs,
https://www.nginx.com/resources/admin-guide/restricting-access-auth-basic/
https://www.booleanworld.com/set-basic-http-authentication-nginx/ -
@sushukka According to https://www.domoticz.com/wiki/Application_Settings#Local_Networks
you can setup your domoticz to be used without protection if your nodes uses a internal network (192.168.. etc)
Local Networks
The Local Networks setting lets you define the source networks for which Domoticz will not request a login. Wildcards (*) and multiple networks separated by semicolons (;) may be entered.@smilvert Domoticz local network exception is already in place. The initial problem was that there is a small risk to have someone hacking your wifi hence being in your local network.
@jkandasa Could this be done also on port level so that you could define access whitelist only for Domoticz web gui port but at the same time not touching "MySensors ESP8266 5003 ports" which are also accessing directly Domoticz?
-
@smilvert Domoticz local network exception is already in place. The initial problem was that there is a small risk to have someone hacking your wifi hence being in your local network.
@jkandasa Could this be done also on port level so that you could define access whitelist only for Domoticz web gui port but at the same time not touching "MySensors ESP8266 5003 ports" which are also accessing directly Domoticz?
@sushukka Sry. Didn't read your first post completely :(
Btw I have a plan for building a "IOT"-network (runs on a different VLAN and a different ssid) in my house. That wouldn't help you with the WPA2 security but the key will not be shared with others at least. You can also white list all clients on that subnet in Domoticz.
-
@smilvert Domoticz local network exception is already in place. The initial problem was that there is a small risk to have someone hacking your wifi hence being in your local network.
@jkandasa Could this be done also on port level so that you could define access whitelist only for Domoticz web gui port but at the same time not touching "MySensors ESP8266 5003 ports" which are also accessing directly Domoticz?
-
Update: Finally got this project finished! As soon as there are some mechanic involved + it has to be super reliable, things starts to get complicated. However, now it's done and works fine.
To this Domoticz/Wifi-hacking dilemma there were pretty easy workaround, which I didn't in my blindsight understand in the beginning: on Domoticz settings you can specify also fully defined IP addresses on allowed networks field. Of course the tooltip says networks and network ranges, but nothing prevents you to use straight IP addresses. So the solution was easy. Just define static IP addresses to the router for the selected devices and then define them in the Domoticz allowed networks field and voila! Now if there are some non defined IP address trying to access Domo, they will be prompted with userid and password and the normal household mobiles/pads/mydomo appliances can use Domo as before.
-
Update: Finally got this project finished! As soon as there are some mechanic involved + it has to be super reliable, things starts to get complicated. However, now it's done and works fine.
To this Domoticz/Wifi-hacking dilemma there were pretty easy workaround, which I didn't in my blindsight understand in the beginning: on Domoticz settings you can specify also fully defined IP addresses on allowed networks field. Of course the tooltip says networks and network ranges, but nothing prevents you to use straight IP addresses. So the solution was easy. Just define static IP addresses to the router for the selected devices and then define them in the Domoticz allowed networks field and voila! Now if there are some non defined IP address trying to access Domo, they will be prompted with userid and password and the normal household mobiles/pads/mydomo appliances can use Domo as before.
-
@sushukka don't you think that if someone could hack your wifi network, he will be able as well to change his ip and/or mac address to access domoticz. Both addresses are far easier to change than to crack WPA2 password in the first place.
@monte Good note. However, I draw the line on this level. My DHCP range is whole different than static IP range and in static range the Domoticz allowed adresses are quite arbitrary. Also Domo port is not any easy guessable common port. So to break in "cleanly" would take quite some time. Breaking in with "traditional" methods would be hundred times faster. :)
-
@monte Good note. However, I draw the line on this level. My DHCP range is whole different than static IP range and in static range the Domoticz allowed adresses are quite arbitrary. Also Domo port is not any easy guessable common port. So to break in "cleanly" would take quite some time. Breaking in with "traditional" methods would be hundred times faster. :)
-
Then you need to know what to do with the open ports, and that nmap does not tell you anything
@gohan well, we assume that someone has intention to hack his smart lock to enter his home. I believe the probability of this is rather low but if we rely purely on luck and probability, we don't need even to set password on domoticz to protect it from unauthorized clients, because in this case we won't have any. But if we are developing secure system, then we must close any vulnerability we can assume, otherwise it can't be called "secure".
EDIT: you don't need to be a security specialist to just use google: https://lifehacker.com/how-to-tap-your-network-and-see-everything-that-happens-1649292940 -
@gohan well, we assume that someone has intention to hack his smart lock to enter his home. I believe the probability of this is rather low but if we rely purely on luck and probability, we don't need even to set password on domoticz to protect it from unauthorized clients, because in this case we won't have any. But if we are developing secure system, then we must close any vulnerability we can assume, otherwise it can't be called "secure".
EDIT: you don't need to be a security specialist to just use google: https://lifehacker.com/how-to-tap-your-network-and-see-everything-that-happens-1649292940@monte True but one need to draw a line to some level. Thing is that in this case the hacker would need to stay close proximity of the house and that would be recorded to security cameras I have around the property. In some crowded apartment building the situation would be a whole lot different. In that case I probably wouldn't have permission to mess with the lock or at least I wouldn't allow any remote functionality with it. But just speculating...remote lock functionality on highly crowded area...MySensors+arduino signing but not cryptography -> maye nah, ESP8266 with WPA2 maybe good enough, RaspBerry or some miniLinux would give lots of options, but not realtime systems, maybe not that reliable stepper etc. handling anymore. HW level should be anyway easy to make secure enough, but controller like Domoticz could be the weak link. Maybe just force authentication to Domo everytime. It seems to prevent also direct REST calls as it should.
-
@monte True but one need to draw a line to some level. Thing is that in this case the hacker would need to stay close proximity of the house and that would be recorded to security cameras I have around the property. In some crowded apartment building the situation would be a whole lot different. In that case I probably wouldn't have permission to mess with the lock or at least I wouldn't allow any remote functionality with it. But just speculating...remote lock functionality on highly crowded area...MySensors+arduino signing but not cryptography -> maye nah, ESP8266 with WPA2 maybe good enough, RaspBerry or some miniLinux would give lots of options, but not realtime systems, maybe not that reliable stepper etc. handling anymore. HW level should be anyway easy to make secure enough, but controller like Domoticz could be the weak link. Maybe just force authentication to Domo everytime. It seems to prevent also direct REST calls as it should.
@sushukka i agree with your point. I just wanted to bring light to some aspects that might be out of your view. Before you make any choice about security you better know what the choices are :) Last advice, google info about your wifi router, if it has any known vulnerabilities that would allow to hack it from outside without much effort.
-
@monte Hmm, not a bad hack and easy one too. However, when using mobile devices and the maximum of ten choices in the dummy selector you need to use drop-down menu. Not very user friendly for pin input... Going to have this as a backup idea anyway. :)
@jkandasa What I understand reverse proxy is a good solution when you don't have dozens of ESP8266 nodes already directly connected to Domoticz as Mysensors LAN gateways or...they use port 5003 and I should reverse proxy only the web gui port, right? In that case wouldn't that mean that every time I open Domoticz from any intranet device (mobile, laptop, pc), it would require authentication unless...I would define static IPs to all of them and whitelist them...?
