HTTP/HTTPS GET with login and CMD -> Which security Setup

asdfasf_adfas · November 18, 2016, 9:37am

Hello.

I want to use Macrodroid for sending HTTP-Get requests to OpenHab (from outer the LAN to my DynDNS-Adress). For example to open the front door (and more - not so dangerous - commands).

THIS WORKS so far, but i have to disable SECURITY within the openhab.conf.

Macrodroid is not able to handel logins (all the information has to be in de URL).
“Automate” is able to handle logins, but i cant create the same reliable automation with that app as i can do it with Macrodroid.

Now i thought it would be cool to use also HTTPS, because i read that the parameters in the URL are encrypted then. And i thougt it could be possible to transport the login data as part of the encrypted URL.

Then i read something about .htaccess and reverse proxy. Is this file safe? I mean if anybody could read the file it will be for nothing again, wouldn’t it be?

But alltogether, i dont know what the best and safest option would be, and - at the same time - not too much complicated and secure, so Macrodroid could make his job.

I also dont know if normal HTTP isn’t allready secure enough (i mean i am allready within an LTE network or an WiFi…both are secure and encrypt their data…aren’t they?). Maybe my concerns are for nothing.

Maybe the whole thing is secure as long as nobody knows my dynDns adress (and knows that i use openhab), but i also host an Apache-Website and a SQL-Database on the same Raspberry, therefore some people know at least the address allready.

So whats your opinion and experience?
Would be very helpfull (maybe with Links to StepByStep-Tutorials, because i am not the best IT guy).

Thanks a lot.
Greets, Ed

rlkoshak · November 18, 2016, 6:09pm

openHAB 1 implements basic authentication which means you can use:

https://<user>:<password>@your.dyn.dns.com:<exposed port>/<REST API call>

where you replace the stuff in < > with your appropriate values. Please use HTTPS for this or else your username and password are sent in the clear. If Macrodroid doesn’t allow you to use self signed certs you can get a cert from letsencrypt.org or try to use something else like Tasker for the automation.

Or you can use my.openhab to access your machine without needing to mess with dyndns or punching a hole through your firewall (my recommended solution unless you really really know what you are doing). In Macrodroid the URL would be:

https://<my.openhab.org user>:<my.openhab.org password>my.openhab.org/<REST API call>

If you want to set up a reverse proxy, follow the instructions here:

This is written for OH 2 but will work with OH 1.x. The .htpasswd file must be protected on the file system and placed in a location that only the webserver can get to it. The instructions above do this.

The best and safest option would be to use my.openhab.

They already know. There are scanners that can scan the entire Internet in hours and search engines where someone can just search for “openhab” and get a list of all the IP addresses that are exposed to the Internet running openHAB. You are not hidden once you punch that hole through your firewall.

If you do punch a hole through your firewall, please at a minimum set up fail2ban to automatically ban IP addresses of those who fail to login.

I hope you are keeping up with patches and have other good security in place. At a minimum I hope you audit the logs to see if anyone is successfully getting in to your server. Personally, I would not put a publically accessible web site on the same machine as my home automation, particularly a home automation that can unlock the doors.

Just to give an anecdote. I have port 22 open on my firewall so I can ssh to my home machines when I need to. I have fail2ban set up to block IPs who fail to log in after one attempt (I use a cert for logging in so if they fail to log in they are not me). I ban around 20-100 IPs a day. When I had openHAB on an open port instead of using my.openhab fail2ban was blocking around 5-20 IPs a week.

If your server is on the Internet it is a target.

asdfasf_adfas · November 22, 2016, 1:40pm

Hi Rich and THX a lot.

I have now installed a Apache ReverseProxy based on following tutorial (i switched to openhab2):

But I only did the https-Konfig und therefore opened Port 443 to Raspberry.
I tried using myopenhab, but the connection is very (very) slow then.
With habdroid i use my dynDNS URL with the logindata from the tutorial above.
Sometimes i also use Chrome. Therfore i saved a favorite, which also transports the login infos within the URL (just to be faster).
I also installed fail2ban…but just made following changes to the config:
jail.local file → bantime 86400 (= 1 day)…nothing else so 3 retries a allowed.
I didnt open Port 22 on my router (but 80 for the website/phpmyadmin and 3306 for mysql is forwarded)
But this 2 Ports get closed again in summer 2017 after scool is over.
Its a good idea using seperate RPIs, but because after scool i dont use Ports 820 and 3306 anymore i want to wait and then 1 RPI should be enough.

I hope this config is a little bit better than before.

Oh i forgot…i also opened port 1194 for a vpn connection…but there are keys and certs and so on which onliy i have…i hope thats secure.

rlkoshak · November 22, 2016, 5:20pm

This sounds like a better approach. The only thing I’d add is to make sure to audit the logs of your servers and fail2ban. Setting up these protections and not monitoring them is little better than not setting them up at all.

As long as you protect your certs your VPN is reasonably secure.

asdfasf_adfas · November 23, 2016, 10:21am

Allright, thanks a lot Rich!
Maybe you know where i can find these logs exactly?

Now i have another “problem” with the basicui:
When i try to connect to it with the LoginData within the URL, i see the UI but actually i cant use it.
Switches are shown as triggered when i click them, but nothing happens.
When i try to open a "Text label=“blabla” { Switch bla…} - Subwindow, it does not open (so i always just see the root ui).
Evrything is ok when i use the classicui.
I also tried different browser. Basic UI works fine when the logindata isnt within the URL.

rlkoshak · November 23, 2016, 5:03pm

I use nginx for the reverse proxy so I don’t know where Apache puts its logs. OpenVPN puts its logs in /var/logs I think. I’m running it on my router so don’t know for sure.

It sounds like there is something incompatible between your reverse proxy and BasicUI. I can’t say what it would be or how to fix it.