Risk Exposing Frontail over the internet?

Hi,

I have openHABian installed on my Raspberry Pi. As per the standard build, frontail is exposed on port 9001 and this is a useful utility to view the recent log entries over my local network.

I’d like to be able to view the logs remotely, over the internet. I’m not a network or Linux expert but I’m presuming I can forward port 9001 on my router to the Raspberry Pi and this would be a way of doing this (as opposed to opening up the Pi with SSH).

However, I’m interested in the risks of doing so, i.e.:

  1. Is this a sensible way to expose the logs?
  2. Is it even a sensible thing to do?
  3. Can exposing 9001 / frontail lead to a security vulnerability / exposure?
  4. Should I be looking to secure with BasicAuth or a VPN solution?

(I do appreciate that no one is going to give me a cast-iron “Go ahead” here, but interested in the opinions of the community)

Thanks
Steve


I would not enable portforwarding to port 9001. You don’t have control over what’s being logged now or in the future. So even if at the moment no usernames/passwords are being logged, this is no guarantee that this will not happen in the future (e.g. after installing a new binding for a newly bought device).
Also if you have some presence detection enabled, motion detectors active, or simply by scanning the logs for when the lights are on and off someone will quickly be able to figure out if someone is at home or not.

I would either set up OpenVPN or use SSH tunneling. On top of that use something like fail2ban to block any IPs that try to connect and enter a faulty password a couple of times in a row.

I agree with Marcel.

As a general rule, I strongly recommend against exposing any ports to the Internet unless you really know what you are doing and if you have to ask whether it is a good idea you probably don’t.

No for the reasons Marcel cited. You might have information that gets logged out that you wouldn’t want random strangers to see. I’m happy to see that frontail does support basic auth which is at least something, but I didn’t see anything about encryption (i.e. SSL/TLS HTTPS type stuff) so to authenticate you will have to pass your username and password in the clear.

So, I would say it is only sensible if you can do it securely which means having at least basic auth, auth using certs is better, and encrypted networking traffic with a cert from LetsEncrypt or some other trusted CA.

Personally, if you want to expose the logs in a sensible way I would look into something like setting up an ELK stack like Thom wrote up here.

The overall idea is reasonable. I too often will have my openHAB logs up over the course of a day to watch its behavior, particularly when debugging a problem. But there are safer ways to do it.

Absolutely. There are automated attack programs constantly scanning the whole internet for open ports. When they find one they will deploy automated attacks to try and compromise your system. Since 9001 is a port known to be used by frontail, they will know what sorts of attacks to deploy. In short, you made their job really easy for them.

This can be done and done relatively safely, but it takes a whole lot of work, a whole lot of resources, and a whole lot of knowledge. For example, you would need to:

  • set up a DMZ to run or at least tunnel this traffic from your OH to the Internet so if someone does successfully hack you through the exposed port, they can’t get at any information or systems you care about
  • which requires two firewalls configured to control the access between the DMZ and your internal network and one between the DMZ and the Internet
  • you need to lock down both your OH installation machine and the frontail machine to make it much more difficult for a successful hacker to accomplish anything if they are successful
  • you need network (e.g. Snort) and host based intrusion detection (e.g. Tripwire) so you know when you are being attacked
  • you need monitoring and alerting capabilities to tell you when you are being attacked so you can respond accordingly
  • I would recommend setting up SELinux or AppArmor set to enforcing so even if they are successful in hacking your system and becoming root, they are limited in what they can do

And this is just off the top of my head.

This is hard stuff and many large corporations do it poorly. I would not recommend it for an individual.

Yes, as Marcel suggests, OpenVPN and/or SSH tunneling are good alternatives. With SSH tunneling, make sure to set it up to only allow authentication using keys, not passwords. Fail2ban is also excellent and lets you block IP addresses that try to hack into your system (you will be astonished at the sheer volume of attacks you will detect).

Once that is set up, you can use multitail to access your OH machine through an ssh connection and tail the logs, color coded no less, without even requiring setting up the tunnel.

With OpenVPN you are basically joining your home network remotely so anything you can do at home you can do remotely. That is a good choice too. It all depends on whether you want to be precise (i.e. only get to certain things through an SSH tunnel) or want full access to everything.

One last thing I’ll mention is that you could theoretically configure the Karaf console with an SSH key and allow it to listen for connections outside of localhost and ssh tunnel to the console directly. But you will probably want to access more than just the console.
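The SSH-tunnel route recommended by Marcel and in the longer reply above (key-only logins, fail2ban, tunnel instead of an open port), written out as an added example. This is not config from the thread or from openHABian; the user `pi`, the host `home.example.net` and the file names are made up, it assumes OpenSSH 8.2 or newer so that `/etc/ssh/sshd_config.d/*.conf` is included (on older images append the same lines to `/etc/ssh/sshd_config`), and that fail2ban is installed. Everything is written to a scratch directory so it can be run as-is.

```shell
#!/bin/sh
# Added example, not from the thread: server-side config for "SSH tunnel
# instead of exposing 9001", plus the client command that opens the tunnel.
# Assumptions (hypothetical): OpenSSH 8.2+ (sshd_config.d is included),
# fail2ban installed, login user "pi", hostname home.example.net.
set -eu

# Key-only sshd policy for a single account. Run `sshd -t` after installing it
# and keep an existing session open until a fresh key login is confirmed.
write_sshd_dropin() {
  out="$1"; user="$2"
  cat > "$out" <<EOF
# Disable every password-style method so brute force has nothing to guess at
PasswordAuthentication no
ChallengeResponseAuthentication no
PubkeyAuthentication yes
PermitRootLogin no
# Only this account may log in; everything else is refused before auth
AllowUsers $user
# Forwarding stays on so -L tunnels work; nothing else is needed
AllowTcpForwarding yes
X11Forwarding no
MaxAuthTries 3
EOF
}

# Minimal fail2ban jail for sshd: 3 failures within 10 minutes bans the source for 1 hour
write_fail2ban_jail() {
  cat > "$1" <<'EOF'
[sshd]
enabled  = true
port     = ssh
maxretry = 3
findtime = 600
bantime  = 3600
EOF
}

# Policy check: 0 if the file still carries every setting that makes logins
# key-only, 1 if one was dropped or flipped (e.g. PasswordAuthentication yes)
check_sshd_dropin() {
  f="$1"
  grep -qx 'PasswordAuthentication no' "$f" || return 1
  grep -qx 'ChallengeResponseAuthentication no' "$f" || return 1
  grep -qx 'PubkeyAuthentication yes' "$f" || return 1
  grep -qx 'PermitRootLogin no' "$f" || return 1
  return 0
}

# Client side: local port 9001 is forwarded to frontail on the Pi's loopback,
# so the browser opens http://localhost:9001 while nothing listens on the
# Internet except sshd. -N: no remote shell; ExitOnForwardFailure: exit
# instead of silently running without the forward.
tunnel_command() {
  user="$1"; host="$2"; port="${3:-9001}"
  printf 'ssh -N -o ExitOnForwardFailure=yes -L %s:127.0.0.1:%s %s@%s\n' \
    "$port" "$port" "$user" "$host"
}

# Demo run into a scratch directory (nothing under /etc is touched)
tmp=$(mktemp -d)
write_sshd_dropin "$tmp/50-keyonly.conf" pi
write_fail2ban_jail "$tmp/jail.local"
check_sshd_dropin "$tmp/50-keyonly.conf" && echo "sshd drop-in OK: $tmp/50-keyonly.conf"
tunnel_command pi home.example.net
```

Copy the drop-in to `/etc/ssh/sshd_config.d/50-keyonly.conf` and the jail to `/etc/fail2ban/jail.local` only after a public key is already in `~pi/.ssh/authorized_keys`; the router then forwards the SSH port only, never 9001, and the tunnel command is what runs on the laptop.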

I can totally agree with everything that was said. Especially:

And of course this is not meant as an insult.

Besides all the hardcore solutions mentioned above I’d argue that protecting frontail behind a reverse proxy would be a sane way of gaining reasonable security. openHABian already offers such a solution for openHAB itself and it would be easy to duplicate the configuration for frontail. (See here)

HOWEVER once again: Configuring a webserver is not easy and it’s easy to create security holes if you are not confident in what you are doing. I’d strongly recommend to pay close attention to details and study some literature on the issue.

One more addition: I just found out that frontail supports Basic Auth builtin… https://www.npmjs.com/package/frontail

This option might still pose the risk of exposed vulnerabilities but it’s better than nothing and an option if the others are not possible for you. Activate basic authentication for frontail (inside the file frontail.service), then add a port forwarding that is not bound to the outside port 9001.

Good point that I forgot about that. Even though it is running on Node.js it didn’t even occur to me that it can be put behind a reverse proxy. That would be a good middle road approach. It still opens the network up to attack and would still need to be isolated from your home network, protected, and monitored. I think fail2ban also works with Apache and Nginx.
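The reverse-proxy middle road described in the two replies above (frontail with its built-in Basic Auth behind a TLS-terminating proxy, with fail2ban watching the proxy), as an added example that is not openHABian's or frontail's own configuration. Hypothetical names throughout: `frontail.service` at `/usr/bin/frontail`, the public hostname `logs.example.net` with a Let's Encrypt certificate, the user `steve`. It writes into a scratch directory and also includes a small check that rejects the stock "listen on every interface, no auth" command line, which is the case the thread warns about.

```shell
#!/bin/sh
# Added example, not openHABian's or frontail's own files: frontail bound to
# loopback with Basic Auth, fronted by nginx with TLS and a second Basic Auth
# layer, plus the fail2ban jail for nginx auth failures.
# Assumptions (hypothetical): frontail runs from frontail.service and lives at
# /usr/bin/frontail, logs are under /var/log/openhab, the public name is
# logs.example.net with a certificate under /etc/letsencrypt/live/.
set -eu

# systemd drop-in (/etc/systemd/system/frontail.service.d/override.conf):
# the empty ExecStart= clears the packaged command; the next one binds frontail
# to 127.0.0.1 and turns on its built-in Basic Auth (-U/-P). The password is
# visible to local users via `systemctl show`, so treat it as a second layer.
write_frontail_override() {
  out="$1"; user="$2"; pass="$3"
  cat > "$out" <<EOF
[Service]
ExecStart=
ExecStart=/usr/bin/frontail --host 127.0.0.1 --port 9001 -U $user -P $pass -t openhab -l 2000 -n 200 /var/log/openhab/openhab.log /var/log/openhab/events.log
EOF
}

# nginx site: TLS only, Basic Auth, and WebSocket upgrade headers because
# frontail streams log lines over socket.io. HOSTNAME is substituted by sed.
write_nginx_site() {
  out="$1"; host="$2"
  sed "s/HOSTNAME/$host/g" > "$out" <<'EOF'
server {
    listen 80;
    server_name HOSTNAME;
    return 301 https://$host$request_uri;
}
server {
    listen 443 ssl;
    server_name HOSTNAME;
    ssl_certificate     /etc/letsencrypt/live/HOSTNAME/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/HOSTNAME/privkey.pem;
    ssl_protocols TLSv1.2 TLSv1.3;

    auth_basic           "openHAB logs";
    auth_basic_user_file /etc/nginx/.htpasswd-frontail;   # create with: htpasswd -B -c

    location / {
        proxy_pass http://127.0.0.1:9001;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_read_timeout 3600s;   # keep the log stream open
    }
}
EOF
}

# fail2ban ships an nginx-http-auth filter that matches failed Basic Auth in error.log
write_fail2ban_nginx_jail() {
  cat > "$1" <<'EOF'
[nginx-http-auth]
enabled  = true
port     = http,https
logpath  = /var/log/nginx/error.log
maxretry = 5
findtime = 600
bantime  = 3600
EOF
}

# Policy check on an ExecStart line: 0 only when frontail listens on loopback
# and has credentials, 1 for the stock "listen everywhere, no auth" command.
frontail_execstart_ok() {
  line="$1"
  case "$line" in
    *"--host 127.0.0.1"*|*"-h 127.0.0.1"*) ;;
    *) return 1 ;;
  esac
  case "$line" in
    *" -U "*|*" --user "*) return 0 ;;
    *) return 1 ;;
  esac
}

# Demo run into a scratch directory
tmp=$(mktemp -d)
write_frontail_override "$tmp/override.conf" steve 'change-me'
write_nginx_site "$tmp/frontail.conf" logs.example.net
write_fail2ban_nginx_jail "$tmp/jail.local"
stock='/usr/bin/frontail -t openhab -l 2000 -n 200 /var/log/openhab/openhab.log'
frontail_execstart_ok "$stock" || echo "stock command would be reachable without auth: rejected"
frontail_execstart_ok "$(grep '^ExecStart=/' "$tmp/override.conf")" && echo "override OK: $tmp"
```

After installing the files, `systemctl daemon-reload && systemctl restart frontail`, then `ss -tlnp | grep 9001` should show `127.0.0.1:9001` and nothing on `0.0.0.0`; `nginx -t` validates the site before reloading. The router then forwards 443 only, and the same caveat from the replies above still applies: the proxy is now the exposed surface and needs patching and monitoring.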

Wow. Thanks guys for all of that. Appreciate the time taken and the info. Will have a read through and hold off doing anything until I understand more…