Is MyOpenHab a reverse proxy?

Hi,

I’ve been using MOH for some time now, but as I learn about network security I have some questions; hope it’s information that is publicly available.

MyOpenHab sounds to me like a reverse proxy, is that so?
Since the authentication is based on user/pass, it might raise a security issue if that’s the case.
I’m trying to put together a list of pros/cons between the MOH approach and having CloudFlare protect my deployment, with port forwarding on the router level.

It depends on how technical you want to get with your definition of “reverse proxy.” In general layman’s terms yes, myopenhab.org is a reverse proxy. But it only reverse proxies the openHAB web server. Period. You can’t get to any other network services on your network through myopenhab.org.

With OH 3, even then all that someone can access are your Items unless they authenticate with your OH instance as an admin user.

The way it works is your openHAB instance initiates the connection to myopenhab.org, encrypted using standard TLS. The UID you entered when registering for myopenhab.org is used to associate that connection with your login. The secret is used to authenticate your openHAB instance, kind of like the private key in a PKI.

So:

  • all communications are encrypted using standard end-to-end techniques
  • there is authentication between your openHAB instance and the cloud server
  • there is authentication between your browser and the cloud server
  • the only thing that can be accessed through myopenhab.org is stuff that is served up by openHAB itself, nothing else from your LAN is available, and even then only if an attacker manages to crack your username and password
  • without logging in to the OH instance, the only thing that can be accessed are Items

From an attack surface perspective, using myopenhab.org is going to be way safer than opening ports on your router for almost all users. Pretty much the only vulnerable point is that username and password.

Another safer approach includes setting up a VPN (I like Tailscale since it doesn’t require opening a port on your firewall and it’s dead simple to set up).

You could host your own instance of myopenhab.org on a VPS out on the cloud somewhere and set up additional forms of authentication (if that’s what you are worried about) but you will lose Alexa, Google Assistant, and push notifications I think. But if you do that you need to make sure that you monitor and mitigate attacks. No one, not even Cloudflare, is going to do that for you.

Opening your LAN up to the Internet would be the least safe approach and I strongly recommend against it, even with what protections CloudFlare may provide (which is mostly DDoS protection unless you’re going to pay for the pro or business level). When the service is attacked you don’t want that to be anywhere near your LAN. Therefore, even if the attack is successful, they can’t get to your network.

4 Likes

Hey.

While searching for documentation on how myopenhab works under the hood security-wise I could only find posts about “more documentation will be available soon” and this post here. Really appreciated this post!

Is there meanwhile an official documentation for it?
I mean, saying that “only the REST API” of the local openHAB instance would be exposed on a potential security breach of myopenhab is not really making me relax :). Everything in my house could be controlled then. So are you saying that if myopenhab is compromised, every established connection from local instances to myopenhab is then remote controllable by the attacker? So let’s turn off lights in all homes over the world to save the environment :)?

I’m totally aware that this is also possible with having stuff exposed to Alexa if AWS gets hacked, but somehow I have hopes that those million well-paid engineers there reduce that risk a bit more compared to the couple (?) of engineers maintaining myopenhab :).

No offense, and thanks to all the contributors making OH the best choice for controlling your SmartHome, but they only have their free time to work on such topics and not full time, I would expect.

All the code and how it’s built stuff can be found at GitHub - openhab/openhab-cloud: Cloud companion for openHAB instances.

In a worst case scenario, possibly yes. But a lot would have to go right for an attacker and a lot would have to go wrong for the openHAB cloud server. The most likely form of a successful attack would be someone cracking a specific user’s password and then accessing that user’s openHAB instance.

But even so, the risk to you in using myopenhab.org is way less than the risk of you running your own private instance of the openHAB cloud server or, even worse, if you expose your LAN directly to the Internet through your firewall.

If using myopenhab.org raises concerns for you, don’t use it. It’s not required and you have to take deliberate actions to install and configure your system to use it. There are other ways to remotely access your openHAB like VPNs which you might consider safer. Or if you are really concerned, don’t allow remote access at all.

Also note that openHAB itself has separate authentication and authorization. You can configure your instance to still require an additional username/password to access any part of your REST API (in MainUI under Settings → API Security). If you have the implicit user role turned off, even if your myopenhab.org account is compromised, or the entirety of the myopenhab.org server is compromised, for an attacker to do anything on your instance they’d need yet another username and password (definitely make them different from your myopenhab.org login) before they can do anything.

Everyone needs to make their own risk assessments and appetite for risk compared to convenience.

One final note worth mentioning is that the vast majority of what makes up the openHAB Cloud Server comes from major open source projects with hundreds of contributors used across multiple industries. I know for a fact that Amazon uses Redis, MongoDB, Nginx, and Node.js in many of their services too. No one builds these kinds of services from scratch. We are able to leverage the security and safety of tens of thousands of man hours that have gone into those products.

3 Likes

Hey Rich,
thank you for the very detailed and insightful answer, as always :)!

I will take a closer look at the docs at Github then.

Regarding the VPN that would be my favorite, but then Alexa integration would not work as far as I got it (?). Also when I add extra credentials for the REST API of my local install, I guess myopenhab would not be able to access it either, correct?

I fully agree that many companies are using battle-proven open source projects to create their products, but it’s usually not about simply using them but using and combining them in the right way :). So just because a product is using well-known open source projects does not automatically make it safe out of the box. But I agree that it’s better than implementing your own homebrewed solution. Especially when it comes to security-related aspects, which are usually hard to get right on your own.

As I’m also a professional (Java) developer for about 20 years now, I was just curious how this all works under the hood to get an impression of how big the risk might be that someone could hijack my instance using myopenhab. Thanks again for the insights and for all your hard work and support you put into OpenHab!

Alexa requires some openHAB Cloud Server to integrate with. It doesn’t have to be myopenhab.org.

I believe that’s correct. At heart that’s my understanding.

AFAIK the openHAB Cloud Connector communicates over localhost/127.0.0.1 and therefore also works when your openHAB is behind a reverse proxy like NGINX (which I use to control the local access to my openHAB server). For an example of NGINX for basic auth, see Securing Communication and Access | openHAB.

Hi,

is MOH a completely self developed solution or is there something commonly available being used?

I’m asking because the concept of that “passive” reverse proxy is very appealing also for other kinds of services that should be exposed to the internet without opening the firewall/router.

But I’m not able to find anything, but that could be because I’m using the wrong terms.

Specifically, I want to set up a local photo gallery that is accessible from the outside too, and now that MOH is running very smoothly I would rather keep all ports of my network closed.

The two key technologies that are being used are

  • reverse proxy
  • websockets

In case of myopenhab the reverse proxy is located on a server in the internet. This server requires a port to be opened to be accessed from the internet.
Your OH instance located at home communicates via websockets with the myopenhab cloud part in the internet. The connection is established from your home to the cloud but the communication is both directions afterwards.

I just want to add one caution. Pay special attention to what @Wolfgang_S says here:

Put another way, your openHAB instance initiates a connection to the myopenhab.org server. Because it’s initiating the connection, opening a port in your firewall is not required. However, that also means that openHAB needs to know how to initiate that connection and communicate with myopenhab.org which means it has code specifically designed to do that.

If you want to do something similar with your photo gallery, the software you use for this photo gallery is going to have to have code that knows how to initiate and establish a connection to some proxy server hosted somewhere not on your LAN. Generic reverse proxy software isn’t going to support that and unless your photo gallery software also provides a cloud server, it’s not going to support that either.

Your best bet will be to set up a VPN that doesn’t require NAT (e.g. Tailscale). Short of that, you’d need to set up a reverse proxy on your LAN and open the one port to the Internet. Then your reverse proxy protects and provides access to your photo gallery. That comes with a lot of work long term to update, upgrade, and monitor for attacks, so I don’t recommend it.
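The architecture described in this thread, the home instance dialing out to the cloud server with its UUID and secret, the cloud side authenticating the browser, and openHAB keeping its own login under Settings → API Security, reduced to an in-process model as an added illustration (no real sockets). This is not openhab-cloud’s code: the class names, storing secrets as SHA-256 digests, the fixed upstream URL and the path handling are assumptions of the model, not how the real server or connector is written.

```python
import hashlib
import hmac

def _digest(value):  # both sides store only hashes and compare them in constant time
    return hashlib.sha256(value.encode()).hexdigest()

class HomeAgent:
    """Cloud connector on the LAN: dials OUT to the relay (no inbound port at home) and
    forwards only to one fixed local upstream, the openHAB web server."""
    def __init__(self, uuid, secret, admin_password, implicit_user=False):
        self.uuid, self.secret = uuid, secret
        self.upstream = "http://127.0.0.1:8080"       # the only host the agent ever reaches
        self.implicit_user = implicit_user             # Settings -> API Security in MainUI
        self._admin_digest = _digest(admin_password)   # openHAB's own, separate login

    def handle(self, path, oh_password=None):
        if not path.startswith("/"):
            return 400, "only relative paths are forwarded; no other LAN host is reachable"
        if self.implicit_user and path.startswith("/rest/items"):
            return 200, f"GET {self.upstream}{path} (Items readable via implicit user)"
        if oh_password is None or not hmac.compare_digest(self._admin_digest, _digest(oh_password)):
            return 401, "openHAB instance requires its own credentials"
        return 200, f"GET {self.upstream}{path}"

class Relay:
    """Cloud half: registers owners, accepts outbound agent connections, checks logins."""
    def __init__(self):
        self._instances = {}   # uuid -> digest(secret), set when the owner registers
        self._users = {}       # username -> (uuid, digest(password))
        self._tunnels = {}     # uuid -> connected HomeAgent

    def register(self, username, password, uuid, secret):
        self._instances[uuid] = _digest(secret)
        self._users[username] = (uuid, _digest(password))

    def accept_agent(self, agent):
        stored = self._instances.get(agent.uuid)
        if stored is None or not hmac.compare_digest(stored, _digest(agent.secret)):
            return False       # unknown UUID or wrong secret: no tunnel is created
        self._tunnels[agent.uuid] = agent
        return True

    def proxy(self, username, password, path, oh_password=None):
        user = self._users.get(username)
        if user is None or not hmac.compare_digest(user[1], _digest(password)):
            return 401, "bad cloud login"
        agent = self._tunnels.get(user[0])
        if agent is None:
            return 503, "instance offline: nothing on that LAN is reachable"
        return agent.handle(path, oh_password)   # rides the agent-initiated tunnel
```

With `implicit_user=False` a stolen cloud login alone gets a 401 from the instance; a request for any host other than the fixed upstream never leaves the agent.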

Wouldn’t it be possible to adjust your code in a way that it acts as a 2-part reverse proxy, that does all the tunneling internally (setting up the connection from the home-network agent and so on) and other than that just acts as a standard reverse proxy?

I actually see a lot of potential in a solution like this and I’m wondering why no one else ever came up with an idea like this.

I don’t see why someone couldn’t implement something like that. Maybe they already have. But I’m not sure I’d want to run something like that. It would, by necessity, need to be really generic which could open a really wide attack surface nearly as wide as opening a port on your firewall. I’ve not studied it deeply but it feels like an approach nearly as risky as putting a well configured/protected service on the internet directly.

You still gotta put the server side out there on the internet somewhere. Not a lot of people have or are willing to pay for a VPS to host the server side of it so there’s not a lot of demand for something like that, particularly when solutions like VPNs, Cloudflare tunneling, et al are so readily available and easy to implement.

https://bensoftware.com/blog/remote-access-without-port-forwarding/

My VPS is $50 a year (USD) although you have to know how to set up a bare bones server