Dutch Newspaper: poor security for public camera’s. Specific Domoticz-install also vulnerable!

[Dynamic]

I was watching a repo made by a Dutch website. In the end, they show a Domoticz-installation wich they can control without username/password.

Warning for all Domoticz-users: please check your security!

For the developers: maybe it’s good to make Domoticz by default only available with username/password with the need to change it after first login?

Repo: http://www.tubantia.nl/enschede/hele-we ... ~a7e583e6/

[snuiter]

I must say I don't understand why I am still surprised this happens. The webcam is not so interesting but the fact that you can control someones home so easily that is serious. Looking at my own experience and setup you start with one device and very quickly it expands and don't review if the security is good enough, although I do have an username and password.

Agree that users of the software need to be aware that a password is a minimal requirement to assure security. Anyone has some basic tests to assure setup is secure and protected apart from the basic user/pwd setup?

[Eddiever]

I did not do a port forwarding in my router, thus my domoticz is unavailable from the outside. Or am I wrong?

[SweetPants]

I did not do a port forwarding in my router, thus my domoticz is unavailable from the outside?

wrong, when configuring port forwarding, you open up a port from the outside. if not using HTTPS or certificates, everybody can access your domoticz system

[Eddiever]

And how can I disable the access from the outside world? LIke I said, no portforwarding in my router. So how can they access my domoticz server?

[pvm]

I did not do a port forwarding in my router, thus my domoticz is unavailable from the outside?

wrong, when configuring port forwarding, you open up a port from the outside. if not using HTTPS or certificates, everybody can access your domoticz system

Huh? How can someone from outside have access when no port forwarding is configured?

[Egregius]

They can't, don't worry.
Without port forwarding you're 100% safe.
With port forwarding you must set a good user/password combo and only use https. On top of that use fail2ban to block failed login attempts immediately.

[Eddiever]

Thanks again Egregius, now I can sleep

[mrf68]

Click bait title. They bring it as "news"? Specific install of whatever software can be vulnerable. Those cameras are listed on websites for years, using default login names and passwords. TU students are surprised?? Am I missing something?

[Eddiever]

No click bait title. Just a warning to "less" good users of Domoticz because it shows in the video that they did have access to a domoticz server in the place Almelo (which user of this forum is from Almelo and hasn't secured his/hers server?). Grateful to topic starter!

[manjh]

I have a port forwarded in the router, and I use a userid/pw to protect the user interface.
When I change the PW, I see that I need to logon with that new pw.
But once logged on, I can close/restart the browser without the need to log on. And I don't see a way to logoff...
Am I missing something?

Edit: there is a logout button. But how can I force a logout when I close the browser?

Also, how can I switch on https?

[pvm]

I have a port forwarded in the router, and I use a userid/pw to protect the user interface.
When I change the PW, I see that I need to logon with that new pw.
But once logged on, I can close/restart the browser without the need to log on. And I don't see a way to logoff...
Am I missing something?

Edit: there is a logout button. But how can I force a logout when I close the browser?

Also, how can I switch on https?

I do not know about the logout,sorry
You can configure port forwarding for (only) your https port

[Dynamic]

This topic was not meant to be clickbate. I just wanted to warn other users for unsafe Domoticz-installations.

[jannl]

They can't, don't worry.
Without port forwarding you're 100% safe.
With port forwarding you must set a good user/password combo and only use https. On top of that use fail2ban to block failed login attempts immediately.

Basically, as long as you are connected to the internet, you are never 100% save.
But indeed, without port-forwarding you are a lot saver.

[poudenes]

thanks for the post. Checked my system. Removed the http forwarding and leave https.
Already had a good username and password. (Use 1password to generate 20 characters passwords)

Would be nice if Domoticz add 2-way authentic verification

[manjh]

Removed the http forwarding and leave https.

Where did you do this? I checked my router, the only choices I have is TCP or UDP!

[jannl]

http is TCP over port 80 (normally)

[poudenes]

Removed the http forwarding and leave https.

Where did you do this? I checked my router, the only choices I have is TCP or UDP!

I removed the forwarding in my TimeCapsule (Router)

[jannl]

And if you use https on Domoticz, use some obscure port for forwarding, like 23456 or so.

[R0yk3]

Why not use a vpn connection?