Add a supplementary security layer to OpenHAB


i’m using OpenHAB for some months, thanks to all the participants to this great software, so as to add a little contribution to the community I wrote an article about how to add another security layer to OpenHAB.
In fact I was a little bit afraid about opening my network so as to have access outside my home, after a lot of research I found several ways to protect my network, one of them was to configure fail2ban with OpenHAB so as to ban IP that fails authenticate, with the help of some fail2ban contributors we succeeded having a nice solution.

Here is the details


A minor quibble, but out of the box rules are written in a Domain Specific Language built on Xbase, not Java. Otherwise an excellent article.

Thanks Rich, it is corrected

I wouldn’t open my network even having additional security layer implemented. It is wrong approach in any case. It is better to configure a VPN server and use it whenever you need to connect to your home network from the internet. I am using openvpn on openwrt router and have no problems with accessing OH from the outside.

It is all a decision based on risk where risk = likelihood * impact. Only an individual can determine their tolerance for risk.

For many, the risk of having one or two ports open to the Internet is worth the benefit of not being required to use a cloud service like my.openhab or go through the pain of setting up an OpenVPN server.

For others the risk is way beyond anything they are willing to take on.

Providing a middle ground with something like fail2ban is be a nice middle step step for those who are unwilling to rely solely on openHAB’s built in security but unwilling or unable to set up their own OpenVPN instance and I applaud the addition of this approach to the tool box.

Just added openHAB to my fail2ban setup too. :smiley:

I got a VPN set up too, and I can see in the fail2ban log it has been under attack a few times already, and the openHAB server has not, yet.

At first I just wanted to connect to openHAB through the vpn, but it quickly got very annoying first having to connect to the vpn form the phone, wait for it to connect, then change to the browser or app, and last press the button to open the garage door.

I then tried my.openhab, but that too was both slow, and in the few hours I was testing it, I was unable to connect to it multiple times.

So for now I just roll with fail2ban and give a few attempts to get the code right, then a one hour ban afterwards. With the random generated user and password I use, that would take long enough time to break through. :wink:

Well, you are right about individual decision. I would not open my network to the internet, but I used to have ssh port open some time ago.

Setting up an OpenVPN is not such pain as you are describing, it is a matter of using the right tutorial :wink:

I frankly found it to be a major pain and I do this sort of stuff for a living. Almost as steep of a learning curve as openHAB itself, particularly if you have a heterogeneous collection of devices (Android, iPhone, Windows, Mac, and Linux), self signed certs, and a crazy venn diagram of things for what each device supports (e.g Android supports TUN but not TAP, or is it the other way around?).

It isn’t a perfect solution either, particularly when moving between networks (e.g. moving out of range of wifi and switching over to LTE and vise versa). So if you have a use case like mine where I use it to open the garage when I get home, that delayed switchover and sometimes failed switchover renders that capability flakey at best and unusable at worst (definitely doesn’t pass the wife test for sure).

I still have openVPN installed and use it. But I also have ssh exposed (but only allow cert logins) so I can get to it easier and openHAB exposed so we can open the garage. I have other protections in place to detect a breach so for me the risk is worth the benefit.

I am using openVPN only from Windows (rarely) and Android, maybe this is the answer. Regarding garage doors, why don’t you use some remote control for this? Using a phone IMO is not so convenient.

Long story short… The remote is broken and the opener is too old to get a
replacement. So it is automated it or buy a new opener. I had the parts
already so I went with the cheapest option.

It really isn’t inconvenient from the Android at all. I use Tasker and
AutoLocation so I get a popup when ever I approach the house. It does take
a couple of extra clicks from the iPhone (which I’m working on) but it is a
ton less inconvenient than having a remote that doesn’t work at all or
spending $300+ to replace an otherwise perfectly survivable opener.