Risk Exposing Frontail over the internet?

I agree with Marcel.

As a general rule, I strongly recommend against exposing any ports to the Internet unless you really know what you are doing and if you have to ask whether it is a good idea you probably don’t.

No, for the reasons Marcel cited. You might have information that gets logged out that you wouldn’t want random strangers to see. I’m happy to see that frontail does support basic auth which is at least something, but I didn’t see anything about encryption (i.e. SSL/TLS HTTPS type stuff) so to authenticate you will have to pass your username and password in the clear.

So, I would say it is only sensible if you can do it securely which means having at least basic auth, auth using certs is better, and encrypted networking traffic with a cert from LetsEncrypt or some other trusted CA.

Personally, if you want to expose the logs in a sensible way I would look into something like setting up an ELK stack like Thom wrote up here.

The overall idea is reasonable. I too often will have my openHAB logs up over the course of a day to watch its behavior, particularly when debugging a problem. But there are safer ways to do it.

Absolutely. There are automated attack programs constantly scanning the whole internet for open ports. When they find one they will deploy automated attacks to try and compromise your system. Since 9001 is a port known to be used by frontail, they will know what sorts of attacks to deploy. In short, you made their job really easy for them.

This can be done and done relatively safely, but it takes a whole lot of work, a whole lot of resources, and a whole lot of knowledge. For example, you would need to:

  • set up a DMZ to run or at least tunnel this traffic from your OH to the Internet so if someone does successfully hack you through the exposed port, they can’t get at any information or systems you care about
  • which requires two firewalls: one configured to control the access between the DMZ and your internal network and one between the DMZ and the Internet
  • you need to lock down both your OH installation machine and the frontail machine to make it much more difficult for a successful hacker to accomplish anything if they are successful
  • you need network (e.g. Snort) and host based intrusion detection (e.g. Tripwire) so you know when you are being attacked
  • you need monitoring and alerting capabilities to tell you when you are being attacked so you can respond accordingly
  • I would recommend setting up SELinux or AppArmor set to enforcing so even if they are successful in hacking your system and becoming root, they are limited in what they can do

And this is just off the top of my head.

This is hard stuff and many large corporations do it poorly. I would not recommend it for an individual.

Yes, as Marcel suggests, OpenVPN and/or SSH tunneling are good alternatives. With SSH tunneling, make sure to set it up to only allow authentication using keys, not passwords. Fail2ban is also excellent and lets you block IP addresses that try to hack into your system (you will be astonished at the sheer volume of attacks you will detect).

Once that is set up, you can use multitail to access your OH machine through an ssh connection and tail the logs, color coded no less, without even requiring setting up the tunnel.

With OpenVPN you are basically joining your home network remotely so anything you can do at home you can do remotely. That is a good choice too. It all depends on whether you want to be precise (i.e. only get to certain things through an SSH tunnel) or want full access to everything.

One last thing I’ll mention is that you could theoretically configure the Karaf console with an SSH key and allow it to listen for connections outside of localhost and ssh tunnel to the console directly. But you will probably want to access more than just the console.
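To make the "keys only, no passwords" advice for SSH tunnelling concrete, here is an added example (not code from the post or from openHAB) that audits an sshd_config for key-only logins and then shows the tunnel to frontail's port 9001; the sample configs, host name and log path are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the post): check that an sshd_config enforces
# key-only logins before tunnelling frontail through SSH. The sample
# configs, host name and log path below are constructed placeholders.

# Effective value of a keyword: OpenSSH uses the FIRST match outside any
# Match block, and an unset keyword falls back to the OpenSSH default.
effective_value() {  # $1 = config file, $2 = keyword, $3 = default
    v=$(grep -iE "^[[:space:]]*$2[[:space:]]+" "$1" | head -n 1 | awk '{print tolower($2)}')
    if [ -n "$v" ]; then printf '%s' "$v"; else printf '%s' "$3"; fi
}

# Report one keyword; return 1 when it differs from the wanted value.
require() {  # $1 = config file, $2 = keyword, $3 = wanted, $4 = default
    got=$(effective_value "$1" "$2" "$4")
    if [ "$got" != "$3" ]; then
        echo "FAIL: $2 is '$got' (want '$3')"
        return 1
    fi
    echo "ok:   $2 $got"
}

# Return 0 only when every directive needed for key-only auth is right.
# OpenSSH defaults: PasswordAuthentication yes, KbdInteractiveAuthentication
# yes, PubkeyAuthentication yes, PermitRootLogin prohibit-password.
audit_sshd_config() {
    rc=0
    require "$1" PasswordAuthentication no yes || rc=1
    require "$1" KbdInteractiveAuthentication no yes || rc=1
    require "$1" PubkeyAuthentication yes yes || rc=1
    require "$1" PermitRootLogin no prohibit-password || rc=1
    return $rc
}

# Constructed samples: a stock-looking config that still accepts passwords
# (the commented-out line does nothing), and one hardened as the post advises.
WEAK_CFG=$(mktemp); STRONG_CFG=$(mktemp)
printf '%s\n' 'Port 22' '#PasswordAuthentication no' 'PubkeyAuthentication yes' > "$WEAK_CFG"
printf '%s\n' 'Port 22' 'PasswordAuthentication no' 'KbdInteractiveAuthentication no' \
    'PubkeyAuthentication yes' 'PermitRootLogin no' > "$STRONG_CFG"

audit_sshd_config "$WEAK_CFG"   || echo "-> weak config: fix before exposing SSH"
audit_sshd_config "$STRONG_CFG" && echo "-> hardened config: safe to tunnel"

# With the hardened sshd in place, reach frontail only through the tunnel
# (port 9001 stays closed on the router), then browse http://localhost:9001:
#   ssh -N -L 9001:127.0.0.1:9001 user@openhab-host
# or skip frontail and tail the log in colour over ssh with multitail:
#   ssh -t user@openhab-host multitail /path/to/openhab.log
```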