This post is about securing our Domoticz installation, should the need arise. There are several options for securing Domoticz, so this how-to is divided into several separate how-to’s, one per option.
This article will be expanded over time with new how-to’s to protect Domoticz. Because this involves a lot of work, they are not all immediately available; this takes some time. Thank you for your patience and understanding. Sign up for updates to get notified of new guides and how-to’s, should you wish to follow my endeavors.
In principle, the developers of Domoticz indicate that it is not advisable to expose Domoticz directly to the internet. Domoticz does not provide sufficient security for this on its own and has not been extensively developed and tested in this area. But sometimes we the users see it differently and we see a need to do this anyway. Sometimes, we like to break rules :-).
Of course you could implement a VPN (LINK) solution yourself as an alternative, but this quickly becomes complex, and is therefore not always desirable or within reach.
If we still want to access Domoticz over the internet, let’s see if we can do this as safely as possible. This guide does not offer you an absolute guarantee, but it will considerably increase the safety of your Domoticz setup.
There are a number of steps we can take that contribute to this:
- Enable authentication in Domoticz
- Implement fail2ban (brute force protection)
- Configure your firewall (NAT port forwarding)
- Provide extra security with a Let’s Encrypt SSL/TLS certificate (encrypting traffic to the web interface)
- Change the root and pi user passwords (thanks Peter for the feedback!)
- How to check your logs
- Make back-ups!
Ultimately, security is and remains your own responsibility!
Should you at any moment not feel fully comfortable with these guides: consider simply not connecting Domoticz to the internet…
This how-to is part of a bigger series of Domoticz how-to’s on sancla.com!
This tutorial has been verified with:
- A running Domoticz installation on the stable Raspbian Buster release with SSH access. See my previous post for a how-to:
- For the Let’s Encrypt SSL/TLS certificate: a domain name and a basic understanding of DNS (DDNS/A-records).
- For port forwarding: basic networking knowledge and the ability to create a port forward with IPv4/NAT on your router.
- Raspberry Pi 4 (2GB RAM with a 16GB SD card)
- Raspbian Buster Lite 4.19, February 2020
- Domoticz Stable 2020.1 (compile date 22-3-2020)
Authentication – LINK
This specific how-to goes further into setting up authentication in Domoticz itself. You can choose to enable this protection for all connections other than those from your own home network, including connections from the internet. It offers basic protection (a username and password) and is not a complete solution on its own if you want to connect Domoticz to the internet: without rate limiting, a password can still be guessed, and without TLS it travels over the internet in clear text.
Fail2ban – LINK
This specific how-to involves applying fail2ban, which protects Domoticz against brute-force attacks from the outside. A brute-force attack is the rapid, repeated guessing of credentials (many attempts in quick succession) until a guess succeeds and can be used to access your Domoticz. fail2ban watches the Domoticz log for failed login attempts and, once an IP address has produced too many failures within a given time window, temporarily blocks that address in the firewall. It is essentially a rate limit on login attempts: a legitimate user who mistypes a password once is unaffected, while an attacker is cut off after a handful of guesses.
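To make the rate-limit idea concrete, here is an added example (not code from this site or from fail2ban) that implements the same maxretry/findtime/bantime logic fail2ban applies, run over a handful of constructed log lines. The log format (`... Failed login from <ip>`) is an assumption made up for this example; real Domoticz log lines look different, and a real fail2ban filter must match the actual format.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed log format, constructed for this example only. The regex in a real
# fail2ban filter has to match what Domoticz actually writes to its log.
FAILED_LOGIN = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) .*Failed login from (?P<ip>[\d.]+)$"
)


def parse_ts(text):
    return datetime.strptime(text, "%Y-%m-%d %H:%M:%S")


class BruteForceGuard:
    """Bans an IP once it produces `maxretry` failed logins within `findtime`
    seconds; the ban lasts `bantime` seconds (the three knobs of a fail2ban jail)."""

    def __init__(self, maxretry=3, findtime=600, bantime=3600):
        self.maxretry = maxretry
        self.findtime = timedelta(seconds=findtime)
        self.bantime = timedelta(seconds=bantime)
        self.failures = defaultdict(deque)  # ip -> timestamps of recent failures
        self.ban_expiry = {}                # ip -> datetime at which the ban ends

    def is_banned(self, ip, now):
        expiry = self.ban_expiry.get(ip)
        if expiry is None:
            return False
        if now >= expiry:
            del self.ban_expiry[ip]  # ban has expired, the host may try again
            return False
        return True

    def is_banned_at(self, ip, ts_text):
        return self.is_banned(ip, parse_ts(ts_text))

    def observe(self, line):
        """Feed one log line. Returns the IP if this line triggered a ban, else None."""
        m = FAILED_LOGIN.match(line)
        if not m:
            return None  # not a failed login, nothing to count
        ts, ip = parse_ts(m.group("ts")), m.group("ip")
        if self.is_banned(ip, ts):
            return None  # already blocked; a real jail would not even see this line
        window = self.failures[ip]
        window.append(ts)
        # Sliding window: drop failures older than findtime.
        while window and ts - window[0] > self.findtime:
            window.popleft()
        if len(window) >= self.maxretry:
            self.ban_expiry[ip] = ts + self.bantime
            window.clear()
            return ip
        return None


def run(lines, **jail_settings):
    """Replay log lines; returns the guard and a list of (ip, ban_expiry_iso) bans."""
    guard = BruteForceGuard(**jail_settings)
    bans = []
    for line in lines:
        ip = guard.observe(line)
        if ip:
            bans.append((ip, guard.ban_expiry[ip].isoformat()))
    return guard, bans


# Constructed sample log; not real Domoticz output.
SAMPLE_LOG = [
    "2020-03-22 10:00:01 Failed login from 192.0.2.10",
    "2020-03-22 10:00:02 Status: Domoticz started",          # ignored by the filter
    "2020-03-22 10:00:05 Failed login from 192.0.2.10",
    "2020-03-22 10:00:09 Failed login from 192.0.2.10",      # 3rd failure in 8 s -> banned
    "2020-03-22 10:00:30 Failed login from 198.51.100.7",
    "2020-03-22 10:05:00 Failed login from 192.0.2.10",      # already banned, not counted
    "2020-03-22 10:15:00 Failed login from 198.51.100.7",    # first failure slid out of window
    "2020-03-22 10:16:00 Failed login from 198.51.100.7",    # only 2 in window -> no ban
]

if __name__ == "__main__":
    guard, bans = run(SAMPLE_LOG)
    for ip, until in bans:
        print(f"banned {ip} until {until}")
```

The slow guesser (198.51.100.7) never reaches three failures inside the ten-minute window and stays unbanned, which is the weakness of any pure rate limit: fail2ban raises the cost of an attack, it does not replace a strong password.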