how to get rid of intruders

BartSr
Posts: 395
Joined: Sunday 03 July 2016 16:16
Target OS: Raspberry Pi / ODroid
Domoticz version: V2024.7
Location: Netherlands

how to get rid of intruders

Post by BartSr »

Hi.

My Domoticz is running on Raspberry Pi 3.
For internet access I have a login name and password.
Now in the log file I regularly find:

Incoming connection from: 139.162.79.87 [ but also from other IP's].

How can I 'keep the system closed'? Is this dangerous?

KR
-Bart
Raspberry pi 3b
Arduino
KAKU
RfxCom
Zwave2MQTT
OTGW
Chinese sensors temp (Dallas),movement
Tasmota
Esp8266 / 32 espeasy
Zigbee2MQTT
woody4165
Posts: 476
Joined: Monday 14 March 2016 13:55
Target OS: Linux
Domoticz version: beta
Location: Rome, Italy

Re: how to get rid of intruders

Post by woody4165 »

Do not open the Domoticz port to the internet; install a VPN to access it.
Or check the Domoticz wiki, there should be some articles regarding security.
Cubietruck - Linux cubietruck 4.13.16 (Debian GNU/Linux 8 (jessie)) + Domoticz + RFLink, Xiaomi Gateway, Owl USB, Yeelight Color and B/W, ESP8266, Broadlink RM2, Netatmo Thermostat
jvdz
Posts: 2276
Joined: Tuesday 30 December 2014 19:25
Target OS: Raspberry Pi / ODroid
Domoticz version: 4.107
Location: Netherlands

Re: how to get rid of intruders

Post by jvdz »

I am using Nginx as a reverse proxy with an SSL connection and use Fail2Ban to monitor the Nginx logs and ban any connection after 2 failed tries. This way you run pretty securely.
You could also use the built-in SSL option, but never use the clear-text connection over port 8080 over the internet.

Jos
New Garbage collection scripts: https://github.com/jvanderzande/GarbageCalendar
Egregius
Posts: 2592
Joined: Thursday 09 April 2015 12:19
Target OS: Linux
Domoticz version: v2024.7
Location: Beitem, BE

Re: how to get rid of intruders

Post by Egregius »

Fail2ban is the best option, I use it on my web server and on Domoticz.
And as Jos said, use ssl.
lost
Posts: 660
Joined: Thursday 10 November 2016 9:30
Target OS: Raspberry Pi / ODroid
Domoticz version:

Re: how to get rid of intruders

Post by lost »

BartSr wrote: Saturday 28 October 2017 12:17 Incoming connection from: 139.162.79.87 [ but also from other IP's].
This kind of message is just a connection attempt, no login or even an attempt to log in.
You can't stop, for instance, web site indexing robots from trying to figure out if there is something to index!

To avoid brute-forcers, fail2ban is a good option, combined with a firewall, to auto-build temporary rules to ban them.
Damoms
Posts: 2
Joined: Thursday 01 February 2018 7:57
Target OS: Raspberry Pi / ODroid
Domoticz version:

Re: how to get rid of intruders

Post by Damoms »

Are you sure that domoticz isn't already running?

tontze
Posts: 317
Joined: Thursday 12 January 2017 15:30
Target OS: Linux
Domoticz version: Beta Ch
Location: Finland

Re: how to get rid of intruders

Post by tontze »

Egregius wrote: Saturday 28 October 2017 17:42 Fail2ban is the best option, I use it on my web server and on Domoticz.
And as Jos said, use ssl.
Can you post your fail2ban config for the Domoticz part? What do you have in the filter file etc.?
-----------------------------------------
Smartthings
zigbee2mqtt
RFLink 433mhz / Nrf 2.4Ghz
Mi Light
esp8266MiLight Hub
OpenHab/HomeAssistant/Domoticz
HP T610 & Debian 5.10.19-1 x86_64
jvdz
Posts: 2276
Joined: Tuesday 30 December 2014 19:25
Target OS: Raspberry Pi / ODroid
Domoticz version: 4.107
Location: Netherlands

Re: how to get rid of intruders

Post by jvdz »

This is the fail2ban (jail.local) config I use in combination with an nginx proxy setup:
You have to update the items marked in red (the ??...?? placeholders) to suit your purpose:

# Check HTTPS Authentication for invalid username/password
# 2 failures in 10 minutes -> ban 10 minutes
[nginx-auth-10min]
enabled  = true
filter   = nginx-auth
# two actions: the stock iptables-multiport plus the custom telegram10min from action.d
# (the continuation line must be indented)
action   = iptables-multiport[name=NoAuthFailures, port="http,https,??port used by domoticz on the public side??"]
           telegram10min
logpath  = /var/log/nginx/domoticz.error.log
maxretry = 2
bantime  = 600
findtime = 600

# Check HTTPS Authentication for invalid username/password
# 7 failures (2 + another 5) in 24 hours -> ban 7 days
[nginx-auth-week]
enabled  = true
filter   = nginx-auth
action   = iptables-multiport[name=NoAuthFailures, port="http,https,??port used by domoticz on the public side??"]
           telegram1week
logpath  = /var/log/nginx/domoticz.error.log
maxretry = 7
bantime  = 604800
findtime = 86400

# Check tries HTTP over HTTPS ports and simply block after 2 tries
# 2 failures in 10 minutes -> ban 10 minutes
[nginx-login-10min]
enabled  = true
filter   = nginx-login
action   = iptables-multiport[name=NoLoginFailures, port="http,https,??port used by domoticz on the public side??"]
           telegram10min
logpath  = /var/log/nginx/access.log
maxretry = 2
bantime  = 600
findtime = 600

# Check tries HTTP over HTTPS ports and simply block after 2 tries
# 7 failures (2 + another 5) in 24 hours -> ban 7 days
[nginx-login2-week]
enabled  = true
filter   = nginx-login
action   = iptables-multiport[name=NoLoginFailures, port="http,https,??port used by domoticz on the public side??"]
           telegram1week
logpath  = /var/log/nginx/access.log
maxretry = 7
bantime  = 604800
findtime = 86400
I have also set up telegram1week.conf and telegram10min.conf in the action.d directory to inform me about this ban via Telegram.
The iptables-multiport.conf should come standard with fail2ban.

The filters I use, located in filter.d, are:
nginx-auth.conf:

# fail2ban filter configuration for nginx

[Definition]

# Three patterns, continuation lines indented. fail2ban strips the nginx
# timestamp before matching, so each pattern starts at the " [error]" that follows it.
failregex = ^ \[error\] \d+#\d+: \*\d+ user "\S+":? (password mismatch|was not found in ".*"), client: <HOST>, server: \S+, request: "\S+ \S+ HTTP/\d+\.\d+", host: "\S+"\s*$
            ^ \[error\] \d+#\d+: \*\d+ no user/password was provided for basic authentication, client: <HOST>, server: \S+, request: "\S+ \S+ HTTP/\d+\.\d+", host: "\S+"\s*$
            ^ \[error\] \d+#\d+: \*\d+ no user/password was provided for basic authentication, client: <HOST>, server: \S+, request: "\S+ \S+ HTTP/\d+\.\d+"$

ignoreregex =

nginx-login.conf:

[Definition]
# matches every request line in the access log this filter is pointed at
failregex = ^<HOST> -.*$
ignoreregex =

As you can see I have set the rules very strict, so 2 errors will ban an IP for 10 minutes and another 5 (7 in total) will get the IP banned for a week.

Jos
New Garbage collection scripts: https://github.com/jvanderzande/GarbageCalendar
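To see what the nginx-auth filter above actually catches before pointing a jail at a live log, here is an added example (not code from the post, and not fail2ban itself) that replays the three failregex patterns over a few constructed nginx error-log lines and applies the maxretry/findtime counting rule of the [nginx-auth-10min] and [nginx-auth-week] jails. It assumes fail2ban's classic expansion of the <HOST> placeholder and the standard nginx error-log timestamp prefix; the log lines, addresses and host names are made up for the demo.

```python
"""Replay the nginx-auth fail2ban filter from the post over sample log lines.

Added example, not code from the forum post or from fail2ban. It re-implements
only the slice of fail2ban behaviour needed to see the filter work: the nginx
timestamp is stripped, the <HOST> placeholder is expanded to fail2ban's host
capture group, and failures per client are counted inside a findtime window
until maxretry is reached. Log lines and addresses are constructed for the demo.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# fail2ban's classic expansion of <HOST>: optional IPv4-mapped-IPv6 prefix,
# then an address or hostname captured as the group "host" (assumption: the
# default from fail2ban's filter configuration, not a Domoticz-specific value).
HOST_RE = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)"

# The three failregex lines from jvdz's nginx-auth.conf, verbatim.
FAILREGEX = [
    r'^ \[error\] \d+#\d+: \*\d+ user "\S+":? (password mismatch|was not found in ".*"), client: <HOST>, server: \S+, request: "\S+ \S+ HTTP/\d+\.\d+", host: "\S+"\s*$',
    r'^ \[error\] \d+#\d+: \*\d+ no user/password was provided for basic authentication, client: <HOST>, server: \S+, request: "\S+ \S+ HTTP/\d+\.\d+", host: "\S+"\s*$',
    r'^ \[error\] \d+#\d+: \*\d+ no user/password was provided for basic authentication, client: <HOST>, server: \S+, request: "\S+ \S+ HTTP/\d+\.\d+"$',
]
COMPILED = [re.compile(p.replace("<HOST>", HOST_RE)) for p in FAILREGEX]

# nginx error-log prefix "2017/10/28 12:17:00"; fail2ban strips it and matches
# the remainder, which is why every failregex starts with "^ \[error\]".
TS_RE = re.compile(r"^(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2})(.*)$")

# Constructed sample log: two bad logins from one client within seconds, two
# anonymous hits from another client 22 minutes apart, and one unrelated line.
SAMPLE_LOG = [
    '2017/10/28 12:17:01 [error] 1234#1234: *1 user "admin": password mismatch, client: 203.0.113.10, server: dz.example.net, request: "GET / HTTP/1.1", host: "dz.example.net"',
    '2017/10/28 12:17:05 [error] 1234#1234: *2 user "root" was not found in "/etc/nginx/.htpasswd", client: 203.0.113.10, server: dz.example.net, request: "GET / HTTP/1.1", host: "dz.example.net"',
    '2017/10/28 12:18:00 [error] 1234#1234: *3 no user/password was provided for basic authentication, client: 198.51.100.7, server: dz.example.net, request: "GET /json.htm HTTP/1.1", host: "dz.example.net"',
    '2017/10/28 12:40:00 [error] 1234#1234: *4 no user/password was provided for basic authentication, client: 198.51.100.7, server: dz.example.net, request: "GET /json.htm HTTP/1.1"',
    '2017/10/28 12:40:01 [notice] 1234#1234: signal process started',
]


def match_line(line):
    """Return (timestamp, client host) when a line matches a failregex, else None."""
    m = TS_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group(1), "%Y/%m/%d %H:%M:%S")
    rest = m.group(2)  # keeps the leading space the filter expects
    for rx in COMPILED:
        hit = rx.match(rest)
        if hit:
            return ts, hit.group("host")
    return None


def banned_hosts(lines, maxretry=2, findtime=600):
    """Hosts a jail with these maxretry/findtime values would ban, in order.

    Mirrors the counting rule of the [nginx-auth-10min] and [nginx-auth-week]
    jails: a host is banned once it has maxretry matches inside any window of
    findtime seconds. Ban duration (bantime) is not modelled here.
    """
    window = timedelta(seconds=findtime)
    recent = defaultdict(list)
    banned = []
    for line in lines:
        hit = match_line(line)
        if hit is None:
            continue
        ts, host = hit
        if host in banned:
            continue
        # keep only failures still inside the window, then add this one
        recent[host] = [t for t in recent[host] if ts - t <= window] + [ts]
        if len(recent[host]) >= maxretry:
            banned.append(host)
    return banned


if __name__ == "__main__":
    print("10-minute jail (2 in 600 s):   ", banned_hosts(SAMPLE_LOG, maxretry=2, findtime=600))
    print("same threshold, 24 h window:   ", banned_hosts(SAMPLE_LOG, maxretry=2, findtime=86400))
    print("week jail (7 in 86400 s):      ", banned_hosts(SAMPLE_LOG, maxretry=7, findtime=86400))
```

The second client only gets banned when the window is widened to 24 hours, which is the point of pairing a short findtime with a long one as the post does. Against a real log the same check is done with fail2ban's own tool, fail2ban-regex /var/log/nginx/domoticz.error.log /etc/fail2ban/filter.d/nginx-auth.conf. The example covers the nginx-auth filter only; the post's nginx-login filter (^<HOST> -.*$) matches every request in whatever access log it is pointed at, so it is only safe on a log that legitimate clients never write to.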