Securing Domoticz…

This post is about securing our Domoticz installation, should the need arise. There are several options for securing Domoticz. This how-to is divided into several separate how-to’s, each with its own option.

This article will be expanded over time with new how-to’s to protect Domoticz. Because this involves a lot of work, they are not all immediately available; this takes some time. Thank you for your patience and understanding. Sign up for updates to get notified of new guides and how-to’s, should you wish to follow my endeavors.

In principle, the developers of Domoticz indicate that it is not advisable to expose Domoticz directly to the internet. Domoticz would provide insufficient security for this and has not been extensively developed and tested in this area. But sometimes we, the users, see it differently and want to do this anyway. Sometimes, we like to break rules :-).

Of course you could implement a VPN (LINK) solution yourself as an alternative, but this quickly becomes complex, and is therefore not always desirable or within reach.

If we still want to access Domoticz on the internet, let’s see if we can do this as safely as possible. This guide does not offer you an absolute guarantee but will considerably increase the safety of your Domoticz setup.

There are a number of steps that we can take that contribute to this:

  • Enable authentication in Domoticz
  • Implement fail2ban (brute force protection)
  • Configure your firewall (NAT port forwarding)
  • Provide extra security with a Let’s Encrypt SSL certificate
  • Change the root and pi user password (thanks Peter for the feedback!)
  • How to check your logs
  • Make back-ups!

Ultimately, security is and remains your own responsibility!
Should you at any moment not feel fully comfortable with these guides, consider simply not connecting Domoticz to the internet…

This how-to is part of a bigger series of Domoticz how-to’s on sancla.com!

This tutorial has been verified with:
Domoticz 2020.1

Prerequisites

  • Running Domoticz installation with stable Raspbian Buster release and SSH access. See my previous post for a how-to:
  • https://www.sancla.com/domoticz/raspberry-pi-4-with-domoticz/
  • For the Let’s Encrypt SSL certificate, a domain and basic understanding of DNS (DDNS/A-records).
  • For port forwarding, basic networking knowledge and ability to create a port forward with IPv4/NAT.

Tested with

  • Raspberry Pi 4 (MEM 2GB with 16GB sd-card)
  • Raspbian Buster Lite 4.19, February 2020
  • Domoticz Stable 2020.1 (compile date 22-3-2020)

Authentication – LINK

This specific how-to goes further into the aspect of setting up authentication from Domoticz itself. You can choose to enable this protection for all connections other than your own home network, including the internet. It offers basic protection and is not a complete solution on its own if you want to connect Domoticz to the internet.

Fail2ban – LINK

This specific how-to involves applying fail2ban, which protects Domoticz against brute-force attacks from the outside. Brute-force attacks can be described as multiple and quick successive guessing of credentials until there is a positive hit that can be used to access your Domoticz. Basically, fail2ban is a rate limit solution where it protects Domoticz by limiting the login attempts within a given time.


Access your Domoticz folder from Windows

This post is about gaining Samba access to our Domoticz installation. With Samba access, we can read, manipulate and back up our Domoticz files directly from Windows with the default file explorer.

This how-to is part of a bigger series of Domoticz how-to’s on sancla.com!

This tutorial has been verified with:
Domoticz 2020.1

Prerequisites

Tested with

  • Raspberry Pi 4 (MEM 2GB with 16GB sd-card)
  • Raspbian Buster Lite 4.19, February 2020
  • Domoticz Stable 2020.1 (compile date 22-3-2020)

Step 1: Install Samba

Connect with SSH to your Domoticz installation and follow these steps. Samba is installed and configured rather quickly so we should be done in no time…

Let’s start by installing Samba with the following commands:

sudo apt update && sudo apt install samba samba-common-bin cifs-utils -y

During installation you get the question whether you wish to enable WINS. Although I know of only a handful of occasions where this is still necessary (legacy situations), you do not need it in this case. WINS is a dinosaur from Microsoft that you should not need anymore…

Samba server and utilities configuration

Step 2: Create a dedicated samba account

The next step is to create a user account for authentication later on. For this example we are going to create the user “pi_samba” with password “sancla.com”.

sudo useradd pi_samba
sudo smbpasswd -a pi_samba
Creating the dedicated samba account

Step 3: Configure samba

Add the following lines to the samba “smb.conf” file. You can do this with the nano editor by executing the following command:

sudo nano /etc/samba/smb.conf

Next, add these lines to the smb configuration file. Scroll all the way down and add the configuration lines below. If you selected a different username in step 2, make sure to change the “valid users = ” value in the example below. This configuration example gives you access to the “/home/pi” folder and not the full Raspbian root.
You can save the file with the key combination “CTRL+O” and close the editor with “CTRL+X”.

[pi]
  browseable = yes
  writeable = yes
  path = /home/pi/
  revalidate = yes
  comment = Share to pi home folder
  valid users = pi_samba
  create mask=0777
  directory mask=0777
  available = yes

Should you wish to gain access to the root of your Raspberry Pi, you could add the following configuration (or replace the example above with it):

[root]
  browseable = yes
  writeable = yes
  path = /
  revalidate = yes
  comment = Share to root
  valid users = pi_samba
  create mask=0777
  directory mask=0777
  available = yes

Your configuration file should resemble something like this (in this example I included the root configuration):

smb configuration file example
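Before restarting the service, it is worth checking what the share blocks above actually grant: with path = / the whole filesystem is reachable over SMB, and a create mask / directory mask of 0777 makes every file and folder created through the share world-writable, which on a Domoticz host includes its database and scripts. The following shell script is an added example, not code from this post or from Samba: it parses the share sections of an smb.conf with awk and reports those settings. The constructed smb-weak.conf reproduces the two shares above; the smb-hardened.conf with guest ok = no and 0660/0770 masks is this example's suggestion, and the temporary file paths are assumptions.

```sh
#!/bin/sh
# Added example (not part of the original post): audit smb.conf share
# sections for settings a defender would revisit before exposing a
# Domoticz host on the LAN. Needs only awk. The sample files below are
# constructed; the hardened masks are a suggestion, not the post's config.

WORK="${TMPDIR:-/tmp}/smb-audit-$$"
mkdir -p "$WORK"
trap 'rm -rf "$WORK"' EXIT

# Constructed copy of the two shares shown in Step 3 of the post.
WEAK_CONF="$WORK/smb-weak.conf"
cat > "$WEAK_CONF" <<'EOF'
[pi]
  browseable = yes
  writeable = yes
  path = /home/pi/
  valid users = pi_samba
  create mask=0777
  directory mask=0777

[root]
  browseable = yes
  writeable = yes
  path = /
  valid users = pi_samba
  create mask=0777
  directory mask=0777
EOF

# Constructed hardened variant (this example's suggestion): share only the
# home folder, keep authentication, and do not create world-writable files.
HARDENED_CONF="$WORK/smb-hardened.conf"
cat > "$HARDENED_CONF" <<'EOF'
[pi]
  browseable = yes
  writeable = yes
  path = /home/pi/
  valid users = pi_samba
  guest ok = no
  create mask = 0660
  directory mask = 0770
EOF

# audit_smb_conf FILE : print one line per weak setting; exit 1 if any was
# found and 0 for a clean file, so the check can gate a provisioning script.
audit_smb_conf() {
    awk '
        function finding(msg) { print "[" section "] " msg; n++ }
        function world_writable(mask,   last) {
            if (mask == "") return 0
            last = substr(mask, length(mask), 1)      # the "other" octal digit
            return (last == "2" || last == "3" || last == "6" || last == "7")
        }
        /^[ \t]*[#;]/ { next }                          # comment lines
        /^[ \t]*\[/ {                                   # [share] header
            section = $0
            sub(/^[ \t]*\[/, "", section); sub(/\].*$/, "", section)
            next
        }
        /=/ {                                           # key = value, spaces optional
            key = $0; sub(/=.*/, "", key); gsub(/[ \t]/, "", key)
            val = $0; sub(/^[^=]*=[ \t]*/, "", val); sub(/[ \t]+$/, "", val)
            cfg[section, tolower(key)] = val
            if (!(section in seen)) { seen[section] = 1; order[++count] = section }
        }
        END {
            for (i = 1; i <= count; i++) {
                section = order[i]
                if (section == "global") continue
                if ((section, "path") in cfg) {
                    path = cfg[section, "path"]; sub(/\/+$/, "", path)
                    if (path == "") finding("path = / exposes the whole filesystem; share a subdirectory instead")
                }
                if (world_writable(cfg[section, "createmask"]))
                    finding("create mask " cfg[section, "createmask"] " makes new files world-writable")
                if (world_writable(cfg[section, "directorymask"]))
                    finding("directory mask " cfg[section, "directorymask"] " makes new directories world-writable")
                if (tolower(cfg[section, "guestok"]) == "yes")
                    finding("guest ok = yes allows access without a Samba account")
            }
            exit (n > 0)
        }' "$1"
}

echo "== $WEAK_CONF"; audit_smb_conf "$WEAK_CONF" || echo "(weak settings found)"
echo "== $HARDENED_CONF"; audit_smb_conf "$HARDENED_CONF" && echo "(no findings)"
```

Run it against the live file with audit_smb_conf /etc/samba/smb.conf. Samba's own testparm (also in samba-common-bin) checks syntax but not policy, so the two are complementary.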

Step 4: Restart the service

Finally, before we connect to our Raspberry Pi Samba share, we need to restart the samba service so that it loads in our configuration changes.

sudo systemctl restart smbd

Step 5: Open shares with Windows Explorer

Now, in Windows you can use your regular Windows Explorer to access the network shares we just created. You can open Explorer like you are used to, but it is also possible with the key combination “⊞ Win + E”. Now go in the address bar to your Raspberry Pi with its IP address, like \\<ip-address>.
In my example the IP address of my Raspberry Pi is 10.1.3.51, so I enter “\\10.1.3.51”.

When you try to open one of the shares we created, Windows asks you to authenticate. You can do so with the “pi_samba” user we created earlier.

And yes, we have access :-)!


Securing Domoticz – fail2ban

Because there are several options for securing Domoticz, this how-to is divided into several separate how-to’s, each with its own option.

This specific how-to involves applying fail2ban, which protects Domoticz against brute-force attacks from the outside. Brute-force attacks can be described as multiple, quick, successive guesses of credentials until there is a positive hit that can be used to access your Domoticz. Basically, fail2ban is a rate limit solution that protects Domoticz by limiting the login attempts within a given time.

I found a great YouTube video that explains how and why brute force attack works and why this is a threat to your systems:

Ultimately, security is and remains your own responsibility!

This how-to is part of a bigger series of Domoticz how-to’s on sancla.com!

This tutorial has been verified with:
Domoticz 2020.1

Prerequisites

Tested with

  • Raspberry Pi 4 (MEM 2GB with 16GB sd-card)
  • Raspbian Buster Lite 4.19, February 2020
  • Domoticz Stable 2020.1 (compile date 22-3-2020)

Fail2ban (brute force protection)

Fail2Ban is an intrusion prevention software framework that protects computer servers from brute-force attacks. Basically, if you enter the wrong password a few times, you are blocked from the server for a short period of time. This protects Domoticz against a person or script (hackers/script kiddies) guessing your username and password.

This addition is extremely important in properly protecting Domoticz!
However…

Enabling logging wears out your SD card faster!

On a Raspberry Pi (with SD card) activating the log is not a good idea, as it will wear out the SD card quickly.

This is much less of a problem if you run Domoticz on a Raspberry Pi with an external SSD (faster and more stable) or on a different platform such as an Intel NUC or a virtual machine…

There is another way: writing your log files to RAM. The downside is that if you reboot or power cycle your Raspberry, you lose your log files. However, fail2ban has its own files and keeps any bans active after a reboot. See this topic for more information on how to write logs to RAM, truncate them, etc. Instead of only 1MB, give it 256MB.
And configure logrotate with minimal settings (rotate 1, daily instead of weekly).
Should you use RAM for this guide, replace any /tmp/domoticz.txt or /tmp/domoticz*.txt
with
/var/tmp/domoticz.txt or /var/tmp/domoticz*.txt
in the configurations.

First, connect to your Domoticz with SSH and establish a terminal session.

To start we need to enable logging for the webserver. When we enable this, the webserver logs every connection and authentication attempt (and more), including the failed attempts that we want to capture.

Be aware though, once we enable logging, we also need to configure a way to clean up old logs. Should we forget that, performance degrades over time as the log file keeps growing without limit.

Enabling logging

Let’s start with enabling logging for the web server that serves Domoticz:

sudo nano /etc/init.d/domoticz.sh

Edit the file and make sure there is no # in front of the last line (With # the line is commented out and not active).

DAEMON_ARGS="$DAEMON_ARGS -www 8080"
DAEMON_ARGS="$DAEMON_ARGS -sslwww 443"
DAEMON_ARGS="$DAEMON_ARGS -log /tmp/domoticz.txt"

Remove the # in front of DAEMON_ARGS="$DAEMON_ARGS -log /tmp/domoticz.txt"

Logging enabled with /etc/init.d/domoticz.sh

Save the file, and restart Domoticz with:

sudo service domoticz restart

Check your /tmp/ folder for the correct setup:

ls /tmp/

You should see your domoticz.txt if all was done correctly.

Use the following command to display the content of the logfile in your console:

cat /tmp/domoticz.txt
Example output cat /tmp/domoticz.txt

Configure logrotate

Now, these log files will continue to grow if we do not clean them up over time. For this, we configure “logrotate”. Logrotate is a standard part of the Debian and Ubuntu distributions and is specifically meant for the timely clearing of old log files.

To configure this function we need to tell logrotate where to look for the logfiles and how to rotate them.

sudo nano /etc/logrotate.d/domoticz

Paste the following configuration into the editor and save the file with CTRL-S and CTRL-X:

/tmp/domoticz*.txt {
        rotate 3
        weekly
        minsize 1M
        maxsize 64M
        missingok
        notifempty
        delaycompress
        postrotate
                invoke-rc.d domoticz.sh restart > /dev/null
        endscript
}

It should look like this:

Example of /etc/logrotate.d/domoticz

Install fail2ban

Now that the logging part is fully configured, it is time to install fail2ban. Run the following commands:

sudo apt update -y
sudo apt install fail2ban -y
Installing fail2ban

Configure fail2ban

Once the package is installed we still need to configure it and tell fail2ban which logs it needs to monitor and protect. The general defaults live in jail.conf; the Domoticz-specific jail goes into jail.local in the next section.

To look at the jail.conf defaults, run the following command and, after editing, save and exit the file with CTRL-S + CTRL-X:

sudo nano /etc/fail2ban/jail.conf 

Halfway through the configuration file you can edit these settings. The default settings are perfectly okay if you are uncomfortable with this.

  • ignoreip = 127.0.0.1
    These IP address(es) are exempted from fail2ban. It can be useful to add trusted IP addresses or local networks here. Separate them with a comma and use CIDR notation. For example: ignoreip = 127.0.0.1/8,192.168.0.0/24.
    You need to remove the “#” sign in front to enable this!
  • bantime = 10m
    This is the default time that an IP address stays banned: a plain number is read as seconds, and a suffix such as m means minutes. By default this is configured as 10m (10 minutes).
  • maxretry = 5
    Maximum number of times that an incorrect username or password can be tried before the IP address is banned. By default this is configured as “5”.

In my example, my configuration file looks like this:

Configured /etc/fail2ban/jail.local

Next is to configure fail2ban to look for the Domoticz log files.

Run the following command to start creating a configuration file:

sudo nano /etc/fail2ban/jail.local 

We assume that you use the default port configuration with port 8080 for HTTP and port 443 for HTTPS. Should you use different ports, change the configuration below accordingly.

Add the following code to the file to include the monitoring of the Domoticz log files:

[domoticz]
enabled = true
port = 443,8080
filter = domoticz
logpath = /tmp/domoticz.txt
maxretry = 3
findtime = 3600 

Eventually it looks like the example below. Save and close the file with key combination “CTRL+O” and close the editor with “CTRL-X”.

Configured /etc/fail2ban/jail.local configuration file

Interpreting the Domoticz log files

Fail2ban is configured and is looking at the Domoticz log file. However, we still need to tell fail2ban how to interpret the log files. Create a fail2ban filter configuration with the following command:

sudo nano /etc/fail2ban/filter.d/domoticz.conf

And apply the following configuration:

# Fail2Ban configuration file for domoticz
#
# Author: Domoticz user 'ThinkPad'
#
# $Revision$
#

[Definition]

# Option:  failregex
# Notes.:  regex to match the password failures messages in the logfile. The
#          host must be matched by a group named "host". The tag "<HOST>" can
#          be used for standard IP/hostname matching and is only an alias for
#          (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
# Values:  TEXT
#
failregex = Error: Failed login attempt from <HOST> for user '.*' !
            Error: Failed login attempt from <HOST> for '.*' !
            Error: \[web:8080\] Failed authentication attempt, ignoring client request \(remote address: <HOST>\)
            Error: \[web:443\] Failed authentication attempt, ignoring client request \(remote address: <HOST>\)

#First line is for 'Login Page' authentication mode of Domoticz
#Second line is for 'Basic-Auth' authentication mode in Domoticz
#
#
#
# Option:  ignoreregex
# Notes.:  regex to ignore. If this regex matches, the line is ignored.
# Values:  TEXT
#
ignoreregex =

Eventually it looks like the example below. Save and close the file with key combination “CTRL+O” and close the editor with “CTRL-X”.

Example of /etc/fail2ban/filter.d/domoticz.conf

Now we are all set, fail2ban is configured. To make sure everything starts working as expected, let’s restart the fail2ban service with:

sudo service fail2ban restart
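Restarting is not the same as verifying. The shell script below is an added example, not code from this post or from fail2ban: it folds the four failregex lines of the filter above into one extended regex, replays them over a constructed Domoticz log (TEST-NET addresses and made-up timestamps), and applies the [domoticz] jail's maxretry/findtime rule by hand, so you can see which client a given combination of settings would ban and why a single extra failure a day later does not count. Only grep, awk and sort are needed; the temporary log path is an assumption.

```sh
#!/bin/sh
# Added example (not part of the original post or of fail2ban): replay the
# Domoticz failregex patterns over constructed log lines and apply the
# jail rule "maxretry failures within findtime seconds" by hand.

SAMPLE_LOG="${TMPDIR:-/tmp}/domoticz-sample-$$.txt"
trap 'rm -f "$SAMPLE_LOG"' EXIT

# Constructed sample in the Domoticz log format the filter expects.
cat > "$SAMPLE_LOG" <<'EOF'
2020-03-22 10:00:01.100 Status: Incoming connection from: 192.168.0.10
2020-03-22 10:00:05.200 Error: Failed login attempt from 203.0.113.5 for user 'admin' !
2020-03-22 10:00:07.300 Error: Failed login attempt from 203.0.113.5 for user 'admin' !
2020-03-22 10:00:09.400 Error: Failed login attempt from 203.0.113.5 for 'root' !
2020-03-22 10:00:12.500 Error: [web:8080] Failed authentication attempt, ignoring client request (remote address: 203.0.113.5)
2020-03-22 10:00:20.600 Error: Failed login attempt from 198.51.100.7 for user 'pi' !
2020-03-23 09:59:00.000 Error: Failed login attempt from 198.51.100.7 for user 'pi' !
2020-03-23 10:30:00.700 Status: Incoming connection from: 192.168.0.10
EOF

# Plain IPv4 stand-in for the <HOST> tag of fail2ban (grep -E has no named groups).
HOST='[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+'
# The four failregex lines of /etc/fail2ban/filter.d/domoticz.conf, folded into one ERE.
FAIL_RE="Error: Failed login attempt from $HOST for (user )?'[^']*' !|Error: \[web:(8080|443)\] Failed authentication attempt, ignoring client request \(remote address: $HOST\)"

# failed_attempts LOGFILE : "<count> <ip>" per client, most failures first.
failed_attempts() {
    grep -E "$FAIL_RE" "$1" | grep -oE "$HOST" | sort | uniq -c | sort -rn \
    | awk '{ print $1, $2 }'
}

# would_ban LOGFILE MAXRETRY FINDTIME : addresses with MAXRETRY or more
# failures inside one FINDTIME window (seconds), i.e. what the jail bans.
would_ban() {
    grep -E "$FAIL_RE" "$1" | awk -v maxretry="$2" -v findtime="$3" '
        # seconds from the "YYYY-MM-DD HH:MM:SS.mmm" prefix; only differences
        # between stamps matter, so no epoch or time zone handling is needed
        function stamp(date, time,   d, t, y, m, days) {
            split(date, d, "-"); split(time, t, ":")
            y = d[1] + 0; m = d[2] + 0
            if (m <= 2) { y--; m += 12 }
            days = 365*y + int(y/4) - int(y/100) + int(y/400) + int((153*m - 457)/5) + d[3]
            return days * 86400 + t[1]*3600 + t[2]*60 + int(t[3])
        }
        match($0, /[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+/) {
            ip = substr($0, RSTART, RLENGTH)
            n[ip]++; ts[ip, n[ip]] = stamp($1, $2)
        }
        END {
            for (ip in n)
                for (i = 1; i <= n[ip]; i++) {
                    hits = 0
                    for (j = i; j <= n[ip]; j++)
                        if (ts[ip, j] - ts[ip, i] <= findtime) hits++
                    if (hits >= maxretry) { print ip; break }
                }
        }' | sort
}

echo "Failed attempts per client:"; failed_attempts "$SAMPLE_LOG"
echo "Would be banned with maxretry = 3, findtime = 3600:"; would_ban "$SAMPLE_LOG" 3 3600
```

On the Pi itself, the equivalent checks with fail2ban's own tooling are sudo fail2ban-regex /tmp/domoticz.txt /etc/fail2ban/filter.d/domoticz.conf, which reports how many log lines the filter matched, and sudo fail2ban-client status domoticz, which lists the addresses currently banned by the jail; both commands ship with the fail2ban package.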

More information

https://www.fail2ban.org/wiki/index.php/MANUAL_0_8

https://www.domoticz.com/wiki/Setup_fail2ban
