Security Issue Domoticz Topic is solved

On various Hardware and OS systems: pi / windows / routers / nas, etc

Moderator: leecollings

gschmidt
Posts: 200
Joined: Thursday 20 December 2018 11:03
Target OS: Raspberry Pi / ODroid
Domoticz version:
Contact:

Security Issue Domoticz

Post by gschmidt »

Hi,

Because of a corrupt domoticz.db file (also my older backups caused an "Offline" error),
I had to install a fresh version of Domoticz.

Before I performed a fresh install, I first removed:
  • Domoticz with

    sudo rm -r domoticz/
  • /etc/init.d/domoticz.sh
  • /etc/domoticz
Then I executed:

sudo curl -L https://install.domoticz.com | sudo bash
The installation went without any errors, but when I tried to login the first time, the default credentials: admin/domoticz were not valid.

Then I tried to reset the password, explained on this page: https://www.domoticz.com/wiki/Lost_Username_Password
This worked and I could enter Domoticz.
So I created a user with admin rights.
Now the login went fine.

Then I changed to the Beta release and ran the latest update. This also went fine.
Then I tried to turn off the login for my local network in the settings page by entering: 192.168.1.*

Here starts my problem:
I can enter Domoticz without login from my local network....but also from "outside" my network I don't have to login anymore?
This is obviously not what I want of course because then anyone can enter domoticz from outside.
This always worked on my previous installation, but with the fresh installation it suddenly does not work anymore.

What is the problem here?
kiddigital
Posts: 435
Joined: Thursday 10 August 2017 6:52
Target OS: Raspberry Pi / ODroid
Domoticz version: Beta
Location: Netherlands
Contact:

Re: Security Issue Domoticz

Post by kiddigital »

Steps look all fine.

How do you access Domoticz from the outside? Through a Proxy server?

Try to run Domoticz with debugging flags enabled (especially ‘auth,webserver,received’) and look what the debug logs tell you when performing requests from the outside.
One RPi with Domoticz, RFX433e, aeon labs z-wave plus stick GEN5, ha-bridge 5.4.0 for Alexa, Philips Hue Bridge, Pimoroni Automation Hat
One RPi with Pi foundation standard touch screen to display Dashticz
HvdW
Posts: 504
Joined: Sunday 01 November 2015 22:45
Target OS: Raspberry Pi / ODroid
Domoticz version: 2023.2
Location: Twente
Contact:

Re: Security Issue Domoticz

Post by HvdW »

Plus, why live on the edge and work with beta instead of stable.
Is there a good reason to do so?
Bugs bug me.
gschmidt
Posts: 200
Joined: Thursday 20 December 2018 11:03
Target OS: Raspberry Pi / ODroid
Domoticz version:
Contact:

Re: Security Issue Domoticz

Post by gschmidt »

kiddigital wrote: Monday 02 January 2023 21:53 Steps look all fine.

How do you access Domoticz from the outside? Through a Proxy server?

Try to run Domoticz with debugging flags enabled (especially ‘auth,webserver,received’) and look what the debug logs tell you when performing requests from the outside.
Yep, I run on a mini PC pfSense as main router/firewall software.
On this system I have installed a plugin of a proxy server, HAProxy, and use the ACME plugin to create valid certificates.
This is running for a few years now and my previous Domoticz installation (also the Beta) never had any problems with it.

When I did a fresh install of Domoticz last week, the Stable version of Domoticz was installed.
But here the login error (unknown login name and password) with the default admin/domoticz already happens...
I performed the fresh Domoticz install several times (after deleting Domoticz the way I already mentioned above), but each time the login did not work until I followed the no login/password steps.
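A simplified model of the "no login from the local network" rule, added here as an illustration (it is not Domoticz's own code; the wildcard matching and the X-Forwarded-For handling are assumptions). With HAProxy on the pfSense box in front of Domoticz, every request reaches Domoticz from the proxy's LAN address, so an exemption for 192.168.1.* also covers visitors arriving from the internet:

```python
import ipaddress
from fnmatch import fnmatch
from typing import Iterable, Optional

def is_trusted(client_ip: str, patterns: Iterable[str]) -> bool:
    """Wildcard match such as '192.168.1.*' against a syntactically valid IP."""
    try:
        ipaddress.ip_address(client_ip)
    except ValueError:
        return False
    return any(fnmatch(client_ip, p.strip()) for p in patterns)

def auth_required(peer_ip: str, trusted: Iterable[str],
                  forwarded_for: Optional[str] = None,
                  trust_proxy: bool = False) -> bool:
    """True when the request must present credentials.

    peer_ip is the TCP source address the web server sees. Behind a reverse
    proxy that is the proxy's LAN address for every request, so the original
    client is only recoverable from a header the proxy adds (assumed here:
    X-Forwarded-For), and only if the proxy is the sole path to this port.
    """
    effective = peer_ip
    if trust_proxy and forwarded_for:
        # Left-most entry is the original client, provided the proxy
        # overwrites the header rather than appending to a client-supplied one.
        effective = forwarded_for.split(",")[0].strip()
    return not is_trusted(effective, trusted)

TRUSTED = ["192.168.1.*"]          # the setting entered in the first post
PROXY_LAN_IP = "192.168.1.1"       # the source address seen in the debug log

def scenarios() -> dict:
    """Outcomes for a LAN client, an internet client via the proxy, and the
    same proxied client when the proxy's forwarded header is honoured."""
    return {
        "lan_client_direct": auth_required("192.168.1.50", TRUSTED),
        "internet_client_via_proxy": auth_required(PROXY_LAN_IP, TRUSTED),
        "internet_client_via_proxy_xff": auth_required(
            PROXY_LAN_IP, TRUSTED, forwarded_for="203.0.113.5", trust_proxy=True),
    }

if __name__ == "__main__":
    for name, needs_login in scenarios().items():
        print(f"{name}: login required = {needs_login}")
```

The middle scenario is the behaviour described in the first post: the proxied request is indistinguishable from a LAN client unless the proxy's own address is kept out of the trusted range or the proxy enforces authentication itself.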
gschmidt
Posts: 200
Joined: Thursday 20 December 2018 11:03
Target OS: Raspberry Pi / ODroid
Domoticz version:
Contact:

Re: Security Issue Domoticz

Post by gschmidt »

HvdW wrote: Tuesday 03 January 2023 0:54 Plus, why live on the edge and work with beta instead of stable.
Is there a good reason to do so?
Well in the past I was using the Yamaha Receiver Plugin which only worked properly with the Beta version (according to the help file)
Now I control the Yamaha with Node-Red/Google Home, so there is no need anymore....but I just wanted to install Domoticz with the settings I used to have.
gschmidt
Posts: 200
Joined: Thursday 20 December 2018 11:03
Target OS: Raspberry Pi / ODroid
Domoticz version:
Contact:

Re: Security Issue Domoticz

Post by gschmidt »

kiddigital wrote: Monday 02 January 2023 21:53 Try to run Domoticz with debugging flags enabled (especially ‘auth,webserver,received’) and look what the debug logs tell you when performing requests from the outside.
I see what the error is:

2023-01-03 10:57:52.350  [76fdd040] Debug: [web:443] Enabled ciphers (TLSv1.2) ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
2023-01-03 10:57:52.353  [76fdd040] Debug: [web:443] 'BEGIN DH PARAMETERS' found in file ./server_cert.pem
2023-01-03 10:57:52.354  [76fdd040] Status: WebServer(SSL) startup failed on address :: with port: 443: bind: Permission denied [system:13], trying ::
2023-01-03 10:57:52.355  [76fdd040] Debug: [web:443] Enabled ciphers (TLSv1.2) ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
2023-01-03 10:57:52.357  [76fdd040] Debug: [web:443] 'BEGIN DH PARAMETERS' found in file ./server_cert.pem
2023-01-03 10:57:52.358  [76fdd040] Status: WebServer(SSL) startup failed on address :: with port: 443: bind: Permission denied [system:13], trying 0.0.0.0
2023-01-03 10:57:52.359  [76fdd040] Debug: [web:443] Enabled ciphers (TLSv1.2) ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
2023-01-03 10:57:52.361  [76fdd040] Debug: [web:443] 'BEGIN DH PARAMETERS' found in file ./server_cert.pem
2023-01-03 10:57:52.362  [76fdd040] Error: WebServer(SSL) startup failed on address 0.0.0.0 with port: 443: bind: Permission denied [system:13]
2023-01-03 10:57:52.362  [76fdd040] Error: WebServer(SSL) check privileges for opening ports below 1024
2023-01-03 10:57:52.363  [76fdd040] Starting shared server on: :::6144

In my previous Domoticz I started to secure and access from outside with DuckDNS and Let's Encrypt on the Raspberry Pi,
which properly created the server_cert.pem (using the Domoticz help docz).
When I switched to HAProxy and ACME on my pfSense box, the server_cert.pem was already properly configured.

I guess I have to export the certificate from my pfSense box to a PEM file and place this in the domoticz directory?
gschmidt
Posts: 200
Joined: Thursday 20 December 2018 11:03
Target OS: Raspberry Pi / ODroid
Domoticz version:
Contact:

Re: Security Issue Domoticz

Post by gschmidt »

I have copied the PEM file from ACME to the domoticz directory and renamed it to server_cert.pem
And tested again with:

./domoticz -www 8080 -sslwww 443 -log "/var/log/domoticz.log" -loglevel all -debuglevel normal,auth,hardware,received,webserver,eventsystem,python,thread_id
But I get the following error:

2023-01-03 12:03:40.314  [76f16040] Status: WebServer(HTTP) started on address: :: with port 9090
2023-01-03 12:03:40.317  [76f16040] Debug: CWebServer::StartServer() : settings : ssl_server_settings['server_settings[is_secure_=true, www_root='/home/pi/domoticz/www', listening_address='::', listening_port='443', vhostname='', php_cgi_path='']', ssl_method='tls', certificate_chain_file_path='./server_cert.pem', ca_cert_file_path='./server_cert.pem', cert_file_path=./server_cert.pem', private_key_file_path='./server_cert.pem', private_key_pass_phrase='', ssl_options='single_dh_use', tmp_dh_file_path='./server_cert.pem', verify_peer=false, verify_fail_if_no_peer_cert=false, verify_file_path='']
2023-01-03 12:03:40.325  [76f16040] Debug: [web:443] Enabled ciphers (TLSv1.2) ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
2023-01-03 12:03:40.327  [76f16040] Error: [web:443] missing SSL DH parameters from file ./server_cert.pem
2023-01-03 12:03:40.329  [76f16040] Status: WebServer(SSL) startup failed on address :: with port: 443: bind: Permission denied [system:13], trying ::
2023-01-03 12:03:40.330  [76f16040] Debug: [web:443] Enabled ciphers (TLSv1.2) ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
2023-01-03 12:03:40.332  [76f16040] Error: [web:443] missing SSL DH parameters from file ./server_cert.pem
2023-01-03 12:03:40.333  [76f16040] Status: WebServer(SSL) startup failed on address :: with port: 443: bind: Permission denied [system:13], trying 0.0.0.0
2023-01-03 12:03:40.334  [76f16040] Debug: [web:443] Enabled ciphers (TLSv1.2) ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
2023-01-03 12:03:40.336  [76f16040] Error: [web:443] missing SSL DH parameters from file ./server_cert.pem
2023-01-03 12:03:40.337  [76f16040] Error: WebServer(SSL) startup failed on address 0.0.0.0 with port: 443: bind: Permission denied [system:13]
2023-01-03 12:03:40.338  [76f16040] Error: WebServer(SSL) check privileges for opening ports below 1024
2023-01-03 12:03:40.340  [76f16040] Starting shared server on: :::6144
2023-01-03 12:03:40.340  [719fe200] Status: TCPServer: shared server started...
2023-01-03 12:03:40.341  [707fe200] Status: RxQueue: queue worker started...
2023-01-03 12:03:40.884  [72bc6200] Debug: [web:9090] Host:192.168.1.1 Uri:/
2023-01-03 12:03:40.884  [72bc6200] Debug: [web:9090] Request Headers:
content-length: 0

2023-01-03 12:03:40.884  [72bc6200] Debug: Web ACLF: 192.168.1.1 - - [03/Jan/2023:12:03:40.883 +0100] "OPTIONS / HTTP/1" 200 0 - -
2023-01-03 12:03:41.887  [72bc6200] Debug: [web:9090] Host:192.168.1.1 Uri:/
2023-01-03 12:03:41.887  [72bc6200] Debug: [web:9090] Request Headers:
content-length: 0
waltervl
Posts: 5148
Joined: Monday 28 January 2019 18:48
Target OS: Linux
Domoticz version: 2024.7
Location: NL
Contact:

Re: Security Issue Domoticz

Post by waltervl »

Please do not ask me for the details but I see those error messages

missing SSL DH parameters from file ./server_cert.pem
being solved by instructions in wiki https://www.domoticz.com/wiki/Native_se ... o_Domoticz
Domoticz running on Udoo X86 (on Ubuntu)
Devices/plugins: ZigbeeforDomoticz (with Xiaomi, Ikea, Tuya devices), Nefit Easy, Midea Airco, Omnik Solar, Goodwe Solar
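An added check, not from the thread or from Domoticz, for the two errors in the log above. The debug line shows that the certificate chain, the private key and the DH parameters are all read from one file (./server_cert.pem), so an ACME export containing only certificate and key produces the "missing SSL DH parameters" error; the "bind: Permission denied" on port 443 is a separate, privilege-related problem. The sample PEM is constructed.

```python
import re
from typing import List, Set

# Block labels Domoticz expects in the single combined file. Private-key
# labels differ depending on how the key was exported.
KEY_LABELS = {"PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY"}
PEM_RE = re.compile(r"^-----BEGIN ([A-Z0-9 ]+)-----$", re.MULTILINE)

def pem_blocks(text: str) -> List[str]:
    """Labels of every PEM block in order of appearance."""
    return PEM_RE.findall(text)

def missing_for_domoticz(text: str) -> Set[str]:
    """Which of the three required parts are absent from a combined PEM."""
    labels = set(pem_blocks(text))
    missing = set()
    if "CERTIFICATE" not in labels:
        missing.add("CERTIFICATE")
    if not labels & KEY_LABELS:
        missing.add("PRIVATE KEY")
    if "DH PARAMETERS" not in labels:
        missing.add("DH PARAMETERS")
    return missing

def needs_privileged_bind(port: int) -> bool:
    """The second error in the log: on Linux, ports below 1024 need root or
    CAP_NET_BIND_SERVICE, regardless of the certificate file contents."""
    return 0 < port < 1024

# Constructed sample resembling a certificate + key export from an ACME
# client; such exports normally carry no DH parameters block.
ACME_EXPORT = """-----BEGIN CERTIFICATE-----
MIIBplaceholder...
-----END CERTIFICATE-----
-----BEGIN PRIVATE KEY-----
MIIEplaceholder...
-----END PRIVATE KEY-----
"""

if __name__ == "__main__":
    print("blocks found:", pem_blocks(ACME_EXPORT))
    print("missing:", missing_for_domoticz(ACME_EXPORT))
    for p in (443, 8080):
        print(f"port {p} needs privilege: {needs_privileged_bind(p)}")
```

Appending a DH parameters block (for example the output of `openssl dhparam 2048`) to the file clears the first error; the wiki page linked above covers the Domoticz-specific steps.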
gschmidt
Posts: 200
Joined: Thursday 20 December 2018 11:03
Target OS: Raspberry Pi / ODroid
Domoticz version:
Contact:

Re: Security Issue Domoticz

Post by gschmidt »

There are more problems than only the SSL DH parameters.
I just figured out this probably has to do with my HAProxy/ACME setup to secure Domoticz.
I will close this post and start a new one which is more suitable for my problem.