Exposing some data items to neighbors

I am on openHAB 3 and have a local MQTT broker running and OH exposed on a public port (behind nginx) with a dynamic DNS service, which runs smoothly for the Android app. Now I have a friend living nearby and would like to expose some data from my weather station to him, and I wonder what would be an easy way to do that without much programming effort that is still sufficiently robust against external attacks. The data is not secret, but I’d still prefer not to expose it completely publicly.

Any ideas?

I did this years ago: it is possible to configure the MQTT broker with an ACL (access control list) with users for you and your neighbor. With this your neighbor isn’t able to switch all your equipment.

On your router you have to forward the MQTT port 1883, and you have to have a fixed IP address or DynDNS. Then your neighbor can access your broker.

http://www.steves-internet-guide.com/topic-restriction-mosquitto-configuration/

Or you install a second MQTT Broker in your LAN and expose only this one to your neighbor.

2 Likes
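As an added example (not code from this thread or from the Mosquitto project), here is a small Python model of what the suggested ACL does: it parses the same `user` / `topic [read|write|readwrite] <filter>` lines a Mosquitto acl_file uses, applies MQTT’s `+` and `#` wildcards, and puts the weak setup (anonymous clients, readwrite on `#`) next to the restricted one (the neighbor may only read `weather/#`). The user names, the topic tree and the deny-by-default behaviour for a user without a matching rule are assumptions of this model; Mosquitto’s `pattern` lines (%u, %c) are left out, so check the real semantics against the Mosquitto documentation before relying on them.

```python
# Added example: a small model of a Mosquitto acl_file, not code from the
# thread or from Mosquitto itself. The matching broker settings would be
#   allow_anonymous false
#   password_file /etc/mosquitto/passwd   (entries created with mosquitto_passwd)
#   acl_file /etc/mosquitto/acl
# Only 'user' and 'topic [read|write|readwrite] <filter>' lines are modelled;
# deny-by-default for a user without a matching rule is an assumption here.

# Weak setup (constructed): no 'user' line, so the rule applies to anonymous
# clients, and '#' covers every topic, including the ones that switch things.
WEAK_ACL_TEXT = """
topic readwrite #
"""

# Restricted setup (constructed): the neighbour may only subscribe to the
# weather station topics; the owner keeps full access.
ACL_TEXT = """
# neighbour: read-only access to weather data
user neighbour
topic read weather/#

# owner: full access
user owner
topic readwrite #
"""


def parse_acl(text):
    """Return {user: [(access, topic_filter), ...]}; key None = anonymous clients."""
    acl = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):  # blank line or comment
            continue
        parts = line.split()
        if parts[0] == "user" and len(parts) == 2:
            current = parts[1]
            acl.setdefault(current, [])
        elif parts[0] == "topic" and len(parts) == 3 and parts[1] in ("read", "write", "readwrite"):
            acl.setdefault(current, []).append((parts[1], parts[2]))
        elif parts[0] == "topic" and len(parts) == 2:
            # no access keyword means full access in Mosquitto
            acl.setdefault(current, []).append(("readwrite", parts[1]))
        else:
            raise ValueError("unsupported acl line: %r" % raw)
    return acl


def topic_matches(topic_filter, topic):
    """MQTT filter matching: '+' matches exactly one level, '#' the remainder."""
    f, t = topic_filter.split("/"), topic.split("/")
    for i, level in enumerate(f):
        if level == "#":
            return True
        if i >= len(t) or (level != "+" and level != t[i]):
            return False
    return len(f) == len(t)


def allowed(acl, user, action, topic):
    """action is 'read' (subscribe/receive) or 'write' (publish)."""
    for access, topic_filter in acl.get(user, []):
        if access in (action, "readwrite") and topic_matches(topic_filter, topic):
            return True
    return False


def can_switch_equipment(acl_text, user):
    """The question from the thread: may this client publish to a command topic?"""
    return allowed(parse_acl(acl_text), user, "write", "home/livingroom/light/command")


if __name__ == "__main__":
    for name, text, user in (("weak", WEAK_ACL_TEXT, None), ("restricted", ACL_TEXT, "neighbour")):
        print(name, "-> client can switch equipment:", can_switch_equipment(text, user))
```

The point of the contrast is the last two lines: with the weak file any anonymous client can publish to command topics, with the restricted file the neighbour can subscribe to `weather/#` and nothing else. A user that appears in the password file but not in the ACL file is denied everything in this model.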

My vote is for this, or you send only the messages of interest to a public/online MQTT broker.

I have a VPN-based VLAN between some friends and me where we exchange sensor data.

1 Like

This looks like a good solution, even though I hoped to find a simpler way to do that. And how robust is Mosquitto (or which MQTT broker would be best to use), e.g. against attacks (DoS, but also in general)? Using these services on an exposed port is something different than in the LAN behind a router.

I’d recommend using something like CloudMQTT as the “shared” MQTT Broker (sadly they don’t seem to have a free tier any more). Or set up a VPN like @holger_hees recommended (Tailscale would be super easy to set up). Or at least put the shared MQTT broker on some virtual server out there (Heroku, AWS, Azure, etc.) so you get some (not much) professional support and if it is attacked they can’t get into your other systems.

Unless you really know what you are doing, and are willing to take the effort to monitor and mitigate attacks when (not if) they occur, you should not expose something on your LAN to the Internet. Not only is your system/LAN at risk, you run the risk of your system becoming a way for the baddies to attack someone else.

Beebotte has a free plan that offers unlimited channels and up to 50,000 messages per day.

I haven’t tried it, but it would fit the bill.

Thanks @rlkoshak for the advice. On the other hand, running a public Mosquitto instance under a separate user on a Pi doesn’t look too dangerous.

But is MQTT the “best” option, or should I rather expose a JSON file with the data via HTTP? That should also be quite simple to read with openHAB, shouldn’t it? We probably don’t need a lot of updates, so it could easily be polled every 15 min. This could even be hosted on the anyhow existing website and updated by my openHAB instance through HTTPS with authentication.

If your only protection is running it under a different user, then if the Pi is on the same network as your other machines it is very dangerous. That barely provides any protection at all.

Anything you put on the Internet you need to consider that it’s not a matter of if, but when it becomes compromised. When it becomes compromised, it’s a matter of when, not if, the attacker manages to become root. Once they are root they own that machine and can use it as a jumping-off point to attack your other machines. Just look at the constant stream of CVEs published on a daily basis. There may not be a vulnerability today, but there might be one tomorrow. And once a severe vulnerability is discovered for Mosquitto, it’s just one short Shodan search away and every script kiddie on the Internet will know you are a target ripe for the taking. And they won’t even have to do anything to find you, since it’s all automated.

Even if it’s on a different vlan from your main network, your gateway is a very attractive target, a target that is often left unpatched so it has lots of vulnerabilities.

The only thing you have going for you is you’d be a target of opportunity. So most likely you’d only have all your banking credentials stolen, all your files encrypted and held for ransom, your machines turned into glowing puddles of metal (exaggeration of course) through overuse mining cryptocurrency, and/or used in a botnet to attack someone else.

That’s why it’s important to isolate stuff that is exposed to the Internet as much as possible. Ideally, nothing on your LAN should accept any connections from the Internet. It’s better if the two ends connect to something not on your LAN. Then, when it becomes compromised, all they can do is wreck that external machine. There’d be no way to get at anything else you own.

Worth perusing:

And while those are MQTT specific, all protocols and software you would consider using would have the same problems. In truth, MQTT is pretty good from a security standpoint, if you set it up well. But setting any software up well from a security perspective is hard, even the professionals get it wrong (see the first link).

Thanks again for the long explanation. Anyhow, I prefer the idea of using the HTTP binding and buffering the data on an external web server, as written above. Do you also have a comment on this?

If you are not exposing your LAN to the Internet then you are probably pretty safe. However, not sure what you mean by “hosted on the anyhow existing website”. If this is in fact a webserver you have running somewhere (not myopenhab.org, you can’t achieve what you want through that) that’s pretty good. The key is to not expose your LAN to the internet. Whether it’s an HTTP server or an MQTT Broker is not that important.

But you will still want to keep that web server patched and monitor it for attacks and compromise. There is no such thing as set-it-and-forget-it in this problem space.

If you’ve experience with setting up HTTP web servers this approach can be pretty easy. If not, MQTT might be easier in the long run.
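To make the “external web server, nothing on the LAN accepts connections” approach concrete, here is an added example (Python, not code from this thread or from openHAB) of what the receiving script on that server would do: openHAB POSTs readings with a bearer token, the neighbor GETs the stored JSON, and the LAN never listens for anything. The token, the accepted field names and ranges, the file name and the `Authorization: Bearer` header are assumptions of this example; it binds to localhost and expects TLS to be terminated in front of it, as the thread does with nginx.

```python
# Added example: a tiny off-LAN receiver for the "push JSON to an external
# web server, let the neighbour poll it" idea. Not code from the thread.
# Hypothetical: the bearer token, the field list and ranges, the file name.
import hmac
import json
import os
import tempfile
from http.server import BaseHTTPRequestHandler, HTTPServer

WRITE_TOKEN = os.environ.get("WEATHER_TOKEN", "replace-me-with-a-long-random-token")
DATA_FILE = os.environ.get("WEATHER_FILE", "weather.json")
MAX_BODY = 4096  # a handful of readings is tiny; refuse anything bigger

# Only these fields are accepted, and only within plausible ranges.
FIELDS = {
    "temperature": (-60.0, 60.0),   # degrees C
    "humidity": (0.0, 100.0),       # percent
    "pressure": (850.0, 1100.0),    # hPa
}


def check_auth(authorization):
    """Accept only 'Bearer <token>', compared in constant time."""
    if not authorization or not authorization.startswith("Bearer "):
        return False
    presented = authorization[len("Bearer "):].encode()
    return hmac.compare_digest(presented, WRITE_TOKEN.encode())


def validate_payload(raw):
    """Parse a JSON body; return a cleaned dict, or None if anything is off."""
    if len(raw) > MAX_BODY:
        return None
    try:
        data = json.loads(raw)
    except (ValueError, UnicodeDecodeError):
        return None
    if not isinstance(data, dict) or not data:
        return None
    clean = {}
    for key, value in data.items():
        # bool is a subclass of int in Python, so rule it out explicitly
        if key not in FIELDS or isinstance(value, bool) or not isinstance(value, (int, float)):
            return None
        low, high = FIELDS[key]
        if not low <= value <= high:  # also rejects NaN and infinities
            return None
        clean[key] = float(value)
    return clean


def store(clean, path=DATA_FILE):
    """Write atomically so a polling reader never sees a half-written file."""
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(os.path.abspath(path)))
    with os.fdopen(fd, "w") as f:
        json.dump(clean, f)
    os.replace(tmp, path)
    return path


def load(path=DATA_FILE):
    """What the neighbour's GET returns."""
    with open(path) as f:
        return json.load(f)


class Handler(BaseHTTPRequestHandler):
    def do_POST(self):  # openHAB pushes here, authenticated
        if not check_auth(self.headers.get("Authorization")):
            return self._reply(401, b"unauthorized\n")
        try:
            length = int(self.headers.get("Content-Length") or 0)
        except ValueError:
            return self._reply(400, b"bad length\n")
        if length > MAX_BODY:
            return self._reply(413, b"too large\n")
        clean = validate_payload(self.rfile.read(length))
        if clean is None:
            return self._reply(400, b"bad payload\n")
        store(clean)
        self._reply(204, b"")

    def do_GET(self):  # the neighbour polls here; only the generated file is served
        try:
            body = json.dumps(load()).encode()
        except FileNotFoundError:
            return self._reply(404, b"no data yet\n")
        self._reply(200, body, "application/json")

    def _reply(self, code, body, ctype="text/plain"):
        self.send_response(code)
        self.send_header("Content-Type", ctype)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)


if __name__ == "__main__":
    # Bind locally and put TLS termination (nginx, as in the thread) in front.
    HTTPServer(("127.0.0.1", 8080), Handler).serve_forever()
```

The write path is the only authenticated one and accepts nothing but known numeric fields, so a stolen token or a typo in the openHAB transformation can at worst overwrite a few numbers; the read path never touches anything except the one generated file. Keeping the token in an environment variable rather than in the script is deliberate, and, as said above, the server still needs patching and monitoring.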

An HTTP web server would be available, but I struggle with setting up the HTTP binding to POST (or PUT) data to a URL. Is there any working example around for OH3? Adding an HTTP Thing was not hard, but as far as I can configure it, it only fetches data using GET; how do I make it post data when the Item receives a command?

I tried something like

thing
Thing http:url:public "Wetter" [
    baseURL="https://server/data.php",
    contentType="application/json",
    commandMethod="POST",
    refresh=600 ] {
    Channels:
        // the command value is wrapped into a JSON object before it is sent
        Type string : local_temp "Außentemperatur" [ commandTransformation="REGEX:s/(.*)/{\"temperature\":$1}/" ]
}

item
Number public_local_temp "Außentemperatur [%.1f °C]" { channel="http:url:public:local_temp" }

rule
public_local_temp.sendCommand(18)

All I personally can say is that the HTTP binding does support making calls on command. It’s pretty apparent how to set it up to do that when creating the Things in the UI. I don’t support text-based configs any more, since it’s a huge time sink with little benefit.

But pay attention to the Channel types. You’ve defined the Channel type as a String but linked it to a Number Item. The type of the Channel and Item must match.