Securing Domoticz – fail2ban

Because there are several options for securing Domoticz, this how-to is divided into several separate how-to’s, each with its own option.

This specific how-to covers fail2ban, which protects Domoticz against brute-force attacks from the outside. In a brute-force attack, credentials are guessed in many quick successive attempts until one of them succeeds and the attacker gets in. Basically, fail2ban is a rate-limiting solution: it protects Domoticz by limiting the number of failed login attempts allowed from one address within a given time, and blocking that address when the limit is exceeded.

I found a great YouTube video that explains how a brute-force attack works and why it is a threat to your systems:

Ultimately, security is and remains your own responsibility!

This how-to is part of a bigger series of Domoticz how-to’s on sancla.com!

This tutorial has been verified with:
Domoticz 2020.1

Prerequisites

Tested with

  • Raspberry Pi 4 (MEM 2GB with 16GB sd-card)
  • Raspbian Buster Lite 4.19, February 2020
  • Domoticz Stable 2020.1 (compile date 22-3-2020)

Fail2ban (brute force protection)

Fail2ban is an intrusion prevention framework that protects servers from brute-force attacks. Basically, if a client enters a wrong password a few times, its IP address is blocked on the server for a period of time. This stops a person or script (hackers, script kiddies) from guessing your username and password by trying many combinations.

This addition is extremely important in properly protecting Domoticz!
However…

Enabling logging wears out your SD card faster!

On a Raspberry Pi booting from an SD card, activating the log is not a good idea as such: it wears out the SD card quickly.

This is much less of a problem if you run Domoticz on a Raspberry Pi with an external SSD (faster and more stable) or on a different platform such as an Intel NUC or a virtual machine.

There is another way: writing the log files to RAM (a tmpfs). The downside is that if you reboot or power cycle your Raspberry Pi, you lose the log files. fail2ban itself is not affected by this: it keeps its own state in /var/lib/fail2ban/fail2ban.sqlite3 and restores bans that have not yet expired after a restart. See this topic for more information on how to write logs to RAM, truncate them, etc. Instead of only 1MB, give the RAM disk 256MB,
and configure logrotate with minimal settings (rotate 1, daily instead of weekly).
If you apply the RAM disk to this guide, replace every /tmp/domoticz.txt or /tmp/domoticz*.txt
with
/var/tmp/domoticz.txt or /var/tmp/domoticz*.txt
in the configurations below.

First, connect to your Domoticz host with SSH and open a terminal session.

To start we need to enable logging for the webserver. When we enable this, the webserver logs every connection and authentication attempt (and more), including the failed attempts that we want to capture.

Be aware, though, that once we enable logging we also need to configure a way to clean up old logs. Should we forget that, performance degrades over time as the log file keeps growing without limit.

Enabling logging

Let’s start with enabling logging for the web server that serves Domoticz:

sudo nano /etc/init.d/domoticz.sh

Edit the file and make sure there is no # in front of the last of these three lines (with a # the line is commented out and not active):

DAEMON_ARGS="$DAEMON_ARGS -www 8080"
DAEMON_ARGS="$DAEMON_ARGS -sslwww 443"
DAEMON_ARGS="$DAEMON_ARGS -log /tmp/domoticz.txt"

Remove the # in front of DAEMON_ARGS="$DAEMON_ARGS -log /tmp/domoticz.txt". Be aware that the log contains much more than authentication attempts: every connection and status message goes in there as well, which is why the rotation step below is not optional.

Logging enabled with /etc/init.d/domoticz.sh

Save the file, and restart Domoticz with:

sudo service domoticz restart

Check the /tmp/ folder for the correct setup:

ls /tmp/

You should see domoticz.txt if everything was done correctly.

Use the following command to display the content of the log file in your console:

cat /tmp/domoticz.txt
Example output of cat /tmp/domoticz.txt

Configure logrotate

Now, over time these log files keep growing if we do not clean them up. For this we configure logrotate. Logrotate is a standard part of the Debian and Ubuntu distributions and is specifically meant for the timely rotation and removal of old log files.

To configure this function we need to tell logrotate where to look for the logfiles and how to rotate them.

sudo nano /etc/logrotate.d/domoticz

Paste the following configuration into the editor and save the file with CTRL-S, then exit with CTRL-X:

/tmp/domoticz*.txt {
        # /tmp is world-writable (mode 1777); logrotate refuses to rotate
        # files in such a directory unless told which user and group to use.
        # Domoticz started from /etc/init.d runs as root, so rotate as root.
        su root root
        rotate 3
        weekly
        minsize 1M
        maxsize 64M
        missingok
        notifempty
        # delaycompress only has effect in combination with compress:
        # the newest rotated file stays uncompressed for one more cycle.
        compress
        delaycompress
        # Domoticz keeps the old file open, so restart it to make it
        # log to the new file (alternatively use copytruncate and no restart).
        postrotate
                invoke-rc.d domoticz.sh restart > /dev/null
        endscript
}

It should look like this. You can check the configuration without actually rotating anything by running logrotate in debug mode; it prints what it would do and any error in the file:

sudo logrotate -d /etc/logrotate.d/domoticz

Example of /etc/logrotate.d/domoticz

Install fail2ban

Now that the logging part is fully configured, it is time to install fail2ban. Run the following commands:

sudo apt update -y
sudo apt install fail2ban -y
Installing fail2ban

Configure fail2ban

Once the package is installed we still need to configure it and tell fail2ban which logs to monitor and protect. fail2ban reads /etc/fail2ban/jail.conf first and then /etc/fail2ban/jail.local; settings in jail.local override those in jail.conf. Do not edit jail.conf itself, as a package upgrade overwrites it. Put your changes in jail.local instead. Create it with the following command and, after editing, save and exit with CTRL-O + CTRL-X:

sudo nano /etc/fail2ban/jail.local

About halfway through jail.conf you find the global defaults listed below, each with an explanation. The default settings are perfectly okay if you are uncomfortable with this; if you want to change them, copy the lines into jail.local under a [DEFAULT] header:

  • ignoreip = 127.0.0.1/8
    These IP addresses or networks are exempted from fail2ban. It can be useful to add some trusted IP addresses or local networks here; separate them with a space or a comma and use CIDR notation for networks, for example: ignoreip = 127.0.0.1/8,192.168.0.0/24.
    An address on this list can never be banned, so only put networks here that you trust.
    In jail.conf this line is commented out with a "#" sign; in jail.local write it without the "#" to enable it.
  • bantime = 10m
    How long an IP address is banned. By default this is 10m (10 minutes); a plain number is read as seconds, and the suffixes m, h and d are accepted.
  • maxretry = 5
    Maximum number of failed attempts (counted within findtime, 10 minutes by default) before the IP address is banned. By default this is 5.

In my example, my configuration file looks like this:

Configured /etc/fail2ban/jail.local

Next is to configure a jail that makes fail2ban watch the Domoticz log file. This goes in /etc/fail2ban/jail.local as well; open (or create) it with:

sudo nano /etc/fail2ban/jail.local

We assume that you use the default port configuration with port 8080 for HTTP and port 443 for HTTPS. Should you use different ports, change the configuration below accordingly: the port line determines which ports the firewall rule blocks for a banned address, so a wrong value means the ban does not bite. If Domoticz sits behind a reverse proxy, be aware that the remote address in the log line is the proxy's, so fail2ban would ban the proxy instead of the attacker.

Add the following jail to the file to include the monitoring of the Domoticz log file (filter = domoticz refers to the filter file /etc/fail2ban/filter.d/domoticz.conf that we create in the next step; maxretry and findtime here override the defaults for this jail only, so three failures within 3600 seconds trigger a ban):

[domoticz]
enabled = true
port = 443,8080
filter = domoticz
logpath = /tmp/domoticz.txt
maxretry = 3
findtime = 3600 

Eventually it looks like the example below. Save the file with the key combination CTRL+O and close the editor with CTRL-X. Note that fail2ban refuses to start a jail whose logpath does not exist, so make sure /tmp/domoticz.txt is present (see above) before restarting fail2ban.

Configured /etc/fail2ban/jail.local configuration file

Interpreting the Domoticz log files

fail2ban is now configured to look at the Domoticz log file. However, we still need to tell it how to interpret the lines in that file: which lines are failed logins and where the client address is in them. Create a fail2ban filter configuration with the following command:

sudo nano /etc/fail2ban/filter.d/domoticz.conf

And apply the following configuration:

# Fail2Ban filter for Domoticz
#
# Author: Domoticz user 'ThinkPad'
#

[Definition]

# Option:  failregex
# Notes.:  regex to match the password failure messages in the logfile. The
#          host must be matched by a group named "host". The tag "<HOST>" can
#          be used for standard IP/hostname matching and is only an alias for
#          (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
#          The first two lines match the 'Login Page' authentication mode of
#          Domoticz, the last two the 'Basic-Auth' mode. The last two contain
#          the web ports (8080 and 443): if you run Domoticz on other ports,
#          change them here as well, or use \[web:\d+\] to match any port.
# Values:  TEXT
#
failregex = Error: Failed login attempt from <HOST> for user '.*' !
            Error: Failed login attempt from <HOST> for '.*' !
            Error: \[web:8080\] Failed authentication attempt, ignoring client request \(remote address: <HOST>\)
            Error: \[web:443\] Failed authentication attempt, ignoring client request \(remote address: <HOST>\)

# Option:  ignoreregex
# Notes.:  regex to ignore. If this regex matches, the line is ignored.
# Values:  TEXT
#
ignoreregex =

Eventually it looks like the example below. Save the file with the key combination CTRL+O and close the editor with CTRL-X. Before restarting fail2ban you can test the filter against the real log; the output reports how many lines matched and which addresses were found:

sudo fail2ban-regex /tmp/domoticz.txt /etc/fail2ban/filter.d/domoticz.conf

If it reports 0 matches after a deliberate failed login, the Domoticz log format does not match the regex and no ban will ever happen.

Example of /etc/fail2ban/filter.d/domoticz.conf
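To see how the jail settings (ignoreip, maxretry, findtime) and the filter's failregex lines work together, here is an added simulation in Python. It is not fail2ban's code and not part of the original how-to: it expands <HOST> the way fail2ban's filter engine does, runs the failregex patterns from the filter above over constructed Domoticz log lines, skips addresses in ignoreip, and applies the sliding maxretry/findtime window of the [domoticz] jail. It generalizes the two Basic-Auth lines to any port with \[web:\d+\]. The timestamp layout of the sample lines ("YYYY-MM-DD HH:MM:SS.mmm" followed by the message) and the addresses are assumptions made for the example.

```python
"""Simulate the fail2ban 'domoticz' jail over constructed log lines.

Added example; not fail2ban's code. Assumption: Domoticz prefixes each
log line with 'YYYY-MM-DD HH:MM:SS.mmm' and then the message.
"""
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime

# fail2ban replaces <HOST> with this named group (see the filter comments).
HOST = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]+)"

# failregex lines from filter.d/domoticz.conf, with \d+ instead of a fixed
# port so one pattern covers -www and -sslwww on any port.
FAILREGEX = [
    r"Error: Failed login attempt from <HOST> for user '.*' !",
    r"Error: Failed login attempt from <HOST> for '.*' !",
    r"Error: \[web:\d+\] Failed authentication attempt, ignoring client request "
    r"\(remote address: <HOST>\)",
]
COMPILED = [re.compile(p.replace("<HOST>", HOST)) for p in FAILREGEX]

# Jail settings as in jail.local ([DEFAULT] ignoreip, [domoticz] maxretry/findtime).
IGNOREIP = ["127.0.0.1/8", "192.168.0.0/24"]
MAXRETRY = 3
FINDTIME = 3600  # seconds

TIMESTAMP = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\.\d+\s+(.*)$")

# Constructed sample log (not a real capture). 203.0.113.5 fails three times
# within seconds; 198.51.100.7 fails three times but more than findtime apart;
# 192.168.0.10 fails once and is inside an ignoreip network anyway.
SAMPLE_LOG = """\
2020-03-22 10:00:01.101 Status: Incoming connection from: 192.168.0.10
2020-03-22 10:00:05.200 Error: Failed login attempt from 203.0.113.5 for user 'admin' !
2020-03-22 10:00:09.300 Error: Failed login attempt from 203.0.113.5 for user 'root' !
2020-03-22 10:00:14.400 Error: Failed login attempt from 203.0.113.5 for user 'pi' !
2020-03-22 10:00:20.500 Error: [web:8080] Failed authentication attempt, ignoring client request (remote address: 198.51.100.7)
2020-03-22 10:00:30.800 Error: Failed login attempt from 192.168.0.10 for user 'admin' !
2020-03-22 11:30:00.600 Error: [web:443] Failed authentication attempt, ignoring client request (remote address: 198.51.100.7)
2020-03-22 12:45:00.700 Error: [web:443] Failed authentication attempt, ignoring client request (remote address: 198.51.100.7)
"""


def is_ignored(host):
    """True if host lies inside one of the ignoreip networks."""
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:  # a hostname rather than an address: never ignored
        return False
    return any(addr in ipaddress.ip_network(net, strict=False) for net in IGNOREIP)


def parse_line(line):
    """Return (timestamp, host) if the line matches a failregex, else None."""
    m = TIMESTAMP.match(line)
    if not m:
        return None
    when = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
    for rx in COMPILED:
        hit = rx.search(m.group(2))
        if hit:
            return when, hit.group("host")
    return None


def bans(lines, maxretry=MAXRETRY, findtime=FINDTIME):
    """Map each host that would be banned to the time of the ban decision."""
    recent = defaultdict(deque)  # host -> failure times inside the window
    banned = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        when, host = parsed
        if host in banned or is_ignored(host):
            continue
        q = recent[host]
        q.append(when)
        # Drop failures older than findtime: fail2ban's sliding window.
        while (when - q[0]).total_seconds() > findtime:
            q.popleft()
        if len(q) >= maxretry:
            banned[host] = when.strftime("%Y-%m-%d %H:%M:%S")
    return banned


if __name__ == "__main__":
    for host, when in bans(SAMPLE_LOG.splitlines()).items():
        print(f"ban {host} at {when}")
```

With the settings from this how-to only 203.0.113.5 is banned; 198.51.100.7 spreads its three failures over more than an hour and stays under the radar, which is exactly the trade-off findtime controls. Calling bans() with a findtime of four hours catches it as well, at the cost of a larger window in which a legitimate user's typos accumulate.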

Now we are all set and fail2ban is configured. To make sure everything starts working as expected, restart the fail2ban service with:

sudo service fail2ban restart

Then check that the jail is active; the output lists the file it watches and the currently banned addresses:

sudo fail2ban-client status domoticz

To test it end to end, enter a wrong password a few times from a machine whose address is not covered by ignoreip and run the status command again; the address should appear under "Banned IP list". The ban only affects the ports listed in the jail (443 and 8080), so an SSH session from that machine keeps working, and you can lift the ban with:

sudo fail2ban-client set domoticz unbanip <address>

More information

https://www.fail2ban.org/wiki/index.php/MANUAL_0_8

https://www.domoticz.com/wiki/Setup_fail2ban


Internal Sensors for Domoticz

Step-by-step how-to guide to install the Internal Sensors on a Raspberry Pi with the latest Raspbian Buster image and Domoticz.

This how-to is part of a bigger series of Domoticz how-to’s on sancla.com!

As most know by now, the Raspberry Pi 4 has the reputation of running hot. Perhaps hotter than we want, even with an idle CPU running Domoticz. One way to resolve this problem is cooling this beast.

In my humble opinion, the Flirc passive cooling case has been the best accessory for the Raspberry Pi 4 one could buy (and at only € 20,- it's a bargain): https://www.tinytronics.nl/shop/nl/raspberry-pi/behuizingen/flirc-raspberry-pi-4-behuizing-aluminium-zwart
In this how-to we use this case; it has been running for over an hour at approx. 40 °C with Domoticz. I love this case!

Flirc case for the Raspberry Pi 4

However, besides making sure your Raspberry Pi 4 gets proper cooling, it doesn't hurt to monitor the temperature in Domoticz. Doing so also enables you to configure alerting if the temperature gets too high, so you can cool down your Raspberry Pi with a big bucket of conductive water...

This tutorial has been verified with:
Domoticz 2020.1

Prerequisites

Tested with

  • Raspberry Pi 4 (MEM 2GB with 16GB sd-card)
  • Raspbian Buster Lite 4.19, February 2020
  • Domoticz Stable 2020.1 (compile date 22-3-2020)

Configuring internal sensors in Domoticz

In Domoticz, go to Setup -> Hardware and add a new device:

  • Name: Raspberry
  • Type: Motherboard sensors
  • Data Timeout: 10 minutes
Adding the Motherboard Sensors in Domoticz

After a couple of minutes, the internal devices start to appear under Devices. Click the green button to enable monitoring of a device. You can give it any name you want, such as "Internal Temperature":

Motherboard Sensor devices appearing in Domoticz

The temperature of your Raspberry Pi is now visible in Domoticz under Temperature. You can take the same steps for the other sensors should you wish to monitor them.

The internal Raspberry Pi temperature in Domoticz with the Flirc case

As shown in the image above, you can configure "Notifications" for each enabled device, so you receive a notification if your Raspberry Pi starts to run too hot:

Configuring notifications for the internal temperature sensor in Domoticz

RFLINK for Domoticz

Step-by-step how-to guide to install the RFLink on a Raspberry Pi 4 with the latest Raspbian Buster image and Domoticz.

The connection will be made directly over USB; we are working on how-to guides to connect the RFLink in other ways, such as over ethernet (ser2net) or wifi (ESPEasy).

This how-to is part of a bigger series of Domoticz how-to’s on sancla.com!

This tutorial has been verified with:
Domoticz 2020.1

Prerequisites

Tested with

  • Raspberry Pi 4 (MEM 2GB with 16GB sd-card)
  • Raspbian Buster Lite 4.19, February 2020
  • Domoticz Stable 2020.1 (compile date 22-3-2020)
  • RFLink firmware R48 (USB/MEGA)

Step 1 Connect the RFLink with USB

This is probably the easiest step I ever included in a how-to: just connect your RFLink to the Raspberry Pi.

However, if you haven't used your RFLink in a long time and aren't sure about the firmware version, you can upgrade it to the latest version very easily.

The developers made it easy to update the firmware with their (Windows) support application; it is included in the firmware update download:
http://www.rflink.nl/blog2/download
Just connect your RFLink to your PC, run the support application "RFLinkLoader.exe", select the included firmware and press the "Upload/Program firmware to device" button.

The RFLink support application "RFLinkLoader.exe"

Step 2: Configure the RFLink in Domoticz

Once you have connected the RFLink to your Raspberry Pi, go to Domoticz, then to the Hardware section under Setup, and add:

  • Name: RfLink433
  • Type: RFLink Gateway USB
  • Data Timeout: Disabled
  • Serial Port: Select the one with “Arduino” in it.
    If this doesn't work later on, try the other ports until you have found the right one.
Adding the RFLink as a hardware device in Domoticz

Step 3: Connect devices in Domoticz

Once you have configured the hardware device, Domoticz automatically starts to recognize devices in your neighbourhood as soon as it receives a signal from them. Over time this can get a bit messy and easily get out of hand; see step 4 for a solution.

Now, once you press a button on a 433 MHz device (or any other RF kind, if your RFLink supports it), RFLink passes that signal to Domoticz and Domoticz automatically adds the device under Devices.

Example of recognized 433 MHz devices in Domoticz

The biggest problem is recognizing which entry is the device in question. It's a trial-and-error game that can give you headaches if you live in a crowded area such as a city. For light switches, however, there is a trick: every time you press the ON/OFF button of your 433 MHz device, the device gets an update and you see its state change in Domoticz within 1-2 seconds.

Last Seen status in Domoticz

After you have identified, named and enabled all your RF devices, you're set and it should all work in Domoticz. Fun fact: in most areas a neighbour almost always has a 433 MHz outdoor temperature sensor you can receive, and in most cases they change the batteries periodically for you; it won't cost you a single penny!

Step 4: Disable “Accept new Hardware Devices” in Domoticz

Once you have identified and configured your sensors, it's best to disable the auto-acceptance of new devices and remove the devices that are not yours. Remember that these simple 433 MHz protocols carry no authentication: anything in range that transmits a valid frame is accepted as a device, which is one more reason not to leave auto-acceptance switched on. Domoticz provides a way to work around this 'feature' by allowing it to find and auto-recognize new devices for a short period only: 5 minutes.

To disable the auto-acceptance of new devices or to enable the auto-acceptance for 5 minutes, find the “Hardware/Devices” section under Setup -> Settings.

Be aware that this also disables the recognition of new devices for your other hardware.
If you add any new hardware or devices of any kind, you can temporarily enable this setting again.

Disable the "Accept new Hardware Devices" feature in Domoticz

Tips & Tricks

Dipole antenna 433 MHz from nodo-shop.nl