Securing Domoticz – fail2ban
Because there are several options for securing Domoticz, this how-to is divided into several separate how-to’s, each with its own option.
This specific how-to involves applying fail2ban, which protects Domoticz against brute-force attacks from the outside. A brute-force attack can be described as many rapid, successive guesses of credentials until there is a hit that grants access. Basically, fail2ban is a rate-limiting solution: it protects Domoticz by limiting the number of login attempts allowed within a given time.
I found a great YouTube video that explains how and why a brute-force attack works and why it is a threat to your systems:
Ultimately, security is and remains your own responsibility!
This how-to is part of a bigger series of Domoticz how-to’s on sancla.com!
This tutorial has been verified with:
Domoticz 2020.1
Prerequisites
- Running Domoticz installation with stable Raspbian Buster release and SSH access. See my previous post for a how-to: https://sancla.com/domoticz/raspberry-pi-4-with-domoticz/
- Basic networking and Linux knowledge.
Tested with
- Raspberry Pi 4 (MEM 2GB with 16GB sd-card)
- Raspbian Buster Lite 4.19, February 2020
- Domoticz Stable 2020.1 (compile date 22-3-2020)
Fail2ban (brute force protection)
Fail2Ban is an intrusion prevention software framework that protects servers from brute-force attacks. Basically, if you enter the wrong password a few times, you are blocked from the server for a short period of time. This feature protects Domoticz against a person or script (hackers/script kiddies) guessing your username and password.
This addition is extremely important in properly protecting Domoticz!
However…
Enabling logging wears out your SD card faster!
On a Raspberry Pi with an SD card, activating the log is not a good idea: it will wear out the SD card quickly.
This is much less of a problem if you run Domoticz on a Raspberry Pi with an external SSD (faster and more stable) or on a different platform such as an Intel NUC or a virtual machine…
There is another way: writing your log files to RAM. The downside is that if you reboot or power cycle your Raspberry Pi, you lose your log files. However, fail2ban keeps its own files and keeps any bans active after a reboot. See this topic for more information on how to write logs to RAM, truncate them, etc. Instead of only 1MB, give it 256MB.
And configure logrotate with minimal settings (rotate 1, daily instead of weekly).
Should you apply RAM storage for this guide, replace any /tmp/domoticz.txt or /tmp/domoticz*.txt with /var/tmp/domoticz.txt or /var/tmp/domoticz*.txt in the configurations.
First, connect to your Domoticz host with SSH and establish a terminal session.
To start we need to enable logging for the webserver. When we enable this, the webserver logs every connection and authentication attempt (and more), including the failed attempts that we want to capture.
Be aware though: once we enable logging, we also need to configure a way to clean up old logs. Should we forget that, performance degrades over time as the log files keep growing without limit.
Enabling logging
Let’s start with enabling logging for the web server that serves Domoticz:
sudo nano /etc/init.d/domoticz.sh
Edit the file and make sure there is no # in front of the last line (with a # the line is commented out and not active):
DAEMON_ARGS="$DAEMON_ARGS -www 8080"
DAEMON_ARGS="$DAEMON_ARGS -sslwww 443"
DAEMON_ARGS="$DAEMON_ARGS -log /tmp/domoticz.txt"
Remove the # in front of DAEMON_ARGS="$DAEMON_ARGS -log /tmp/domoticz.txt"
Save the file, and restart Domoticz with:
sudo service domoticz restart
Check your /tmp/ folder for the correct setup: ls /tmp/
You should see your domoticz.txt if all was done correctly.
Use the following commands to display the content of the logfile in your console:
cat /tmp/domoticz.txt
Configure logrotate
Now, these log files will continue to grow over time if we do not clean them up. For this, we configure the “logrotate” function. Logrotate is a standard part of the Debian and Ubuntu distributions and is specifically meant for the timely clearing of old log files.
To configure this function we need to tell logrotate where to look for the logfiles and how to rotate them.
sudo nano /etc/logrotate.d/domoticz
Paste the following configuration into the editor and save the file with CTRL-S and CTRL-X:
/tmp/domoticz*.txt {
    rotate 3
    weekly
    minsize 1M
    maxsize 64M
    missingok
    notifempty
    delaycompress
    postrotate
        invoke-rc.d domoticz.sh restart > /dev/null
    endscript
}
It should look like this:
Install fail2ban
Since we have fully configured the logging part, it’s time to install fail2ban. Run the following commands:
sudo apt update -y
sudo apt install fail2ban -y
Configure fail2ban
Once the package is installed we still need to configure it and tell fail2ban which logs it needs to monitor and protect. Therefore, we need to edit the fail2ban configuration files.
To configure the jail.conf file, run the following command and, after editing, save and exit the file with CTRL-S + CTRL-X:
sudo nano /etc/fail2ban/jail.conf
Halfway through the configuration file you can edit these configuration switches. The default settings are perfectly okay if you are uncomfortable with this.
- ignoreip = 127.0.0.1
These IP address(es) are exempted from fail2ban. It can be useful to add some trusted IP addresses or local networks here. Separate them with a comma. You need to use CIDR notation, for example: ignoreip = 127.0.0.1/8,192.168.0.0/24. You need to remove the “#” sign in front to enable this!
- bantime = 10m
This is the default time that an IP address stays banned (in seconds, or with a suffix such as m for minutes). By default this is configured as 10m (10 minutes).
- maxretry = 5
Maximum number of times that an incorrect username or password can be tried before the IP address is banned. By default this is configured as “5”.
In my example, my configuration file looks like this:
Next is to configure fail2ban to look for the Domoticz log files.
Run the following command to start creating a configuration file:
sudo nano /etc/fail2ban/jail.local
We assume that you use the default port configuration with port 8080 for HTTP and port 443 for HTTPS. Should you use different ports, change the configuration below accordingly.
Add the following code to the file to include the monitoring of the Domoticz log files:
[domoticz]
enabled = true
port = 443,8080
filter = domoticz
logpath = /tmp/domoticz.txt
maxretry = 3
findtime = 3600
Eventually it should look like the example below. Save the file with the key combination “CTRL+O” and close the editor with “CTRL-X”.
Interpreting the Domoticz log files
Fail2ban is configured and is looking at the Domoticz log file. However, we still need to tell fail2ban how to interpret the log files. Create a fail2ban filter configuration with the following command:
sudo nano /etc/fail2ban/filter.d/domoticz.conf
And apply the following configuration:
# Fail2Ban configuration file for domoticz
#
# Author: Domoticz user 'ThinkPad'
#
# $Revision$
#
[Definition]
# Option: failregex
# Notes.: regex to match the password failures messages in the logfile. The
# host must be matched by a group named "host". The tag "<HOST>" can
# be used for standard IP/hostname matching and is only an alias for
# (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
# Values: TEXT
#
failregex = Error: Failed login attempt from <HOST> for user '.*' !
            Error: Failed login attempt from <HOST> for '.*' !
            Error: \[web:8080\] Failed authentication attempt, ignoring client request \(remote address: <HOST>\)
            Error: \[web:443\] Failed authentication attempt, ignoring client request \(remote address: <HOST>\)
# The first two lines are for the 'Login Page' authentication mode of Domoticz
# The last two lines are for the 'Basic-Auth' authentication mode in Domoticz
#
# Option: ignoreregex
# Notes.: regex to ignore. If this regex matches, the line is ignored.
# Values: TEXT
#
ignoreregex =
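Before restarting fail2ban it is worth checking that the [domoticz] jail settings above (maxretry 3 within a findtime of 3600 seconds) and the four failregex lines really catch what you expect. The following Python example is added here and is not code from the page or from fail2ban itself: it replays the filter over a few constructed Domoticz log lines and reports which addresses would be banned. It assumes the "YYYY-MM-DD HH:MM:SS.mmm  Level: message" line layout shown in the sample and reuses the <HOST> expansion quoted in the filter's own comments; Python is used because fail2ban evaluates failregex with Python's re module, so the matching behaviour is the same.

```python
import re
from datetime import datetime, timedelta

# The four failregex lines from the page's filter.d/domoticz.conf.
FAILREGEX = [
    r"Error: Failed login attempt from <HOST> for user '.*' !",
    r"Error: Failed login attempt from <HOST> for '.*' !",
    r"Error: \[web:8080\] Failed authentication attempt, ignoring client request \(remote address: <HOST>\)",
    r"Error: \[web:443\] Failed authentication attempt, ignoring client request \(remote address: <HOST>\)",
]
# What fail2ban substitutes for the <HOST> tag (quoted from the filter's own comments).
HOST_RE = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]+)"
COMPILED = [re.compile(p.replace("<HOST>", HOST_RE)) for p in FAILREGEX]
MAXRETRY, FINDTIME = 3, timedelta(seconds=3600)  # jail.local [domoticz] values from the page

# Constructed sample log (not a real capture); assumes Domoticz's "date time  Level: msg" layout.
SAMPLE_LOG = """\
2020-03-22 20:15:01.123  Error: Failed login attempt from 203.0.113.7 for user 'admin' !
2020-03-22 20:15:03.456  Error: Failed login attempt from ::ffff:203.0.113.7 for 'admin' !
2020-03-22 20:15:04.000  Status: Incoming connection from: 192.168.0.10
2020-03-22 20:15:05.789  Error: [web:8080] Failed authentication attempt, ignoring client request (remote address: 198.51.100.9)
2020-03-22 20:15:09.001  Error: [web:443] Failed authentication attempt, ignoring client request (remote address: 203.0.113.7)
2020-03-22 20:20:00.000  Error: [web:443] Failed authentication attempt, ignoring client request (remote address: 198.51.100.9)
2020-03-22 22:30:00.000  Error: Failed login attempt from 198.51.100.9 for user 'root' !
"""


def failures(log_text):
    """Return (timestamp, host) for each line matching one failregex; '::ffff:' is swallowed by <HOST>."""
    found = []
    for line in log_text.splitlines():
        for pattern in COMPILED:
            match = pattern.search(line)
            if match:
                stamp = datetime.strptime(line[:19], "%Y-%m-%d %H:%M:%S")
                found.append((stamp, match.group("host")))
                break  # first matching failregex wins, as in fail2ban
    return found


def banned_hosts(log_text, maxretry=MAXRETRY, findtime=FINDTIME):
    """Hosts with at least maxretry failures inside a sliding findtime window."""
    recent, banned = {}, set()
    for stamp, host in failures(log_text):
        window = [t for t in recent.get(host, []) if stamp - t <= findtime]
        window.append(stamp)
        recent[host] = window
        if len(window) >= maxretry:
            banned.add(host)
    return banned
```

With the page's settings only 203.0.113.7 is banned: 198.51.100.9 also fails three times, but its third attempt falls outside the one-hour findtime window. Against the live log, fail2ban-regex /tmp/domoticz.txt /etc/fail2ban/filter.d/domoticz.conf runs the installed filter the same way.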
Eventually it should look like the example below. Save the file with the key combination “CTRL+O” and close the editor with “CTRL-X”.
Now we are all set and fail2ban is configured. To make sure everything starts working as expected, let’s restart the fail2ban service with:
sudo service fail2ban restart