Strange entry in my logfile

costo
Posts: 71
Joined: Tuesday 11 August 2015 17:35
Target OS: Linux
Domoticz version: 2025.1
Location: Netherlands
Contact:

Strange entry in my logfile

Post by costo »

I have my Domoticz run on a raspberry pi 3B.
On my Fritz!Box router I have made my raspberry accessible from the internet. I sometimes see messages like this in the logfile:
2024-02-04 19:23:21.793 Error: Error parsing http request address: ::ffff:172.233.57.39
but not so much that I worry about these attempts.

I have changed the 8080 port externally to a different high number port, all in IPv4.
Of course access to the Pi and to domoticz is protected with a password.

But this morning I found a strange entry in my logfile:

2024-02-05 07:55:02.172 subtype = Interface Command
2024-02-05 07:55:02.172 Sequence nbr = 47
2024-02-05 07:55:02.172 Status: Incoming Domoticz connection from: 194.165.16.73

It looks like this IP got access to the Raspberry Pi or domoticz ?
I have no idea what the messages subtype and nbr mean.
Can someone enlighten me what could be going on here ?
Daik
Posts: 5
Joined: Friday 02 February 2024 19:23
Target OS: Raspberry Pi / ODroid
Domoticz version: 2024.4
Contact:

Re: Strange entry in my logfile

Post by Daik »

194.165.16.73 is a local network IP address. Are you sure that it does not come from one of your devices?
lost
Posts: 660
Joined: Thursday 10 November 2016 9:30
Target OS: Raspberry Pi / ODroid
Domoticz version:
Contact:

Re: Strange entry in my logfile

Post by lost »

Daik wrote: Thursday 08 February 2024 10:21 194.165.16.73 is a local network IP address. Are you sure that it does not come from one of your devices?
That's not correct, this IP is not in one of the private IPv4 ranges.

Code:

whois 194.165.16.73
returns an IP allocated to:

Code:

role:           FLYSERVERS GLOBAL NETWORK OPERATION CENTRE
address:        50th Street, Global Bank Tower, Suite 1801
address:        Panama
lost
Posts: 660
Joined: Thursday 10 November 2016 9:30
Target OS: Raspberry Pi / ODroid
Domoticz version:
Contact:

Re: Strange entry in my logfile

Post by lost »

costo wrote: Monday 05 February 2024 13:14 I have changed the 8080 port externally to a different high number port, all in IPv4
Of course access to the Pi and to domoticz is protected with a password.
Opening http to the outside/WAN, that's kind of playing russian roulette with 5 bullets in the barrel: That's all un-ciphered including password.

=> Open https, but you'll need a domain (no-ip provides free ones) if not already done for your http WAN use + certificate (let's encrypt, as self-signed like Domoticz default one are more & more refused by browsers no more allowing such exceptions). And meantime remove your redirection & change password! Also check carefully if you don't have suspect processes/behavior on the host running domoticz.
waltervl
Posts: 5855
Joined: Monday 28 January 2019 18:48
Target OS: Linux
Domoticz version: 2024.7
Location: NL
Contact:

Re: Strange entry in my logfile

Post by waltervl »

IP 172.233.57.39 could be an internal Docker IP. Is Domoticz running in a docker environment?
Domoticz running on Udoo X86 (on Ubuntu)
Devices/plugins: ZigbeeforDomoticz (with Xiaomi, Ikea, Tuya devices), Nefit Easy, Midea Airco, Omnik Solar, Goodwe Solar
HvdW
Posts: 612
Joined: Sunday 01 November 2015 22:45
Target OS: Raspberry Pi / ODroid
Domoticz version: 2023.2
Location: Twente
Contact:

Re: Strange entry in my logfile

Post by HvdW »

I don't think so.
[Attached image: Local IP.jpg]
My personal solution is having the RPI solely local and connect from outside using Wireguard (PiVPN)
Wireguard establishes a tunnel where no-one can snoop or interfere.
Bugs bug me.
costo
Posts: 71
Joined: Tuesday 11 August 2015 17:35
Target OS: Linux
Domoticz version: 2025.1
Location: Netherlands
Contact:

Re: Strange entry in my logfile

Post by costo »

waltervl wrote: Thursday 08 February 2024 11:18 IP 172.233.57.39 could be an internal Docker IP. Is Domoticz running in a docker environment?
Nope, Domoticz runs on a Raspi3B with only Domoticz installed
costo
Posts: 71
Joined: Tuesday 11 August 2015 17:35
Target OS: Linux
Domoticz version: 2025.1
Location: Netherlands
Contact:

Re: Strange entry in my logfile

Post by costo »

lost wrote: Thursday 08 February 2024 10:35
costo wrote: Monday 05 February 2024 13:14 I have changed the 8080 port externally to a different high number port, all in IPv4
Of course access to the Pi and to domoticz is protected with a password.
Opening http to the outside/WAN, that's kind of playing russian roulette with 5 bullets in the barrel: That's all un-ciphered including password.

=> Open https, but you'll need a domain (no-ip provides free ones) if not already done for your http WAN use + certificate (let's encrypt, as self-signed like Domoticz default one are more & more refused by browsers no more allowing such exceptions). And meantime remove your redirection & change password! Also check carefully if you don't have suspect processes/behavior on the host running domoticz.
Nothing essential running on Domoticz or the RasPi. It runs like this for several years so I can monitor my system (and home) when I'm away.

I was just wondering what these things mean:
subtype = Interface Command
Sequence nbr = 4
It looks like these were launched from the unknown IP address.
Kedi
Posts: 575
Joined: Monday 20 March 2023 14:41
Target OS: Raspberry Pi / ODroid
Domoticz version:
Location: Somewhere in NL
Contact:

Re: Strange entry in my logfile

Post by Kedi »

costo wrote: Monday 05 February 2024 13:14 2024-02-05 07:55:02.172 Status: Incoming Domoticz connection from: 194.165.16.73
You are just 1 step away from being compromised.
If the next line reads:

Code:

Status: Login successful from x.x.x.x for user 'YYYY'
Then that guy (or woman) is in.
Logic will get you from A to B. Imagination will take you everywhere.
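
Editor's added example (not code from Domoticz or from any poster in this thread): a short log triage that classifies each logged address against the private IPv4 ranges discussed above, unwrapping the `::ffff:` IPv4-mapped form, and reports any "Login successful" line from an external address, which is the check Kedi describes. The log formats are the ones quoted in the thread; the two login lines, the LAN address and the function names are constructed for illustration.

```python
import ipaddress
import re

# Constructed sample: lines 1-3 reuse formats and addresses quoted in the thread;
# the "Login successful" lines are made up (LAN address, documentation address).
SAMPLE_LOG = """\
2024-02-04 19:23:21.793 Error: Error parsing http request address: ::ffff:172.233.57.39
2024-02-05 07:55:02.172 Sequence nbr = 47
2024-02-05 07:55:02.172 Status: Incoming Domoticz connection from: 194.165.16.73
2024-02-05 08:01:10.004 Status: Login successful from 192.168.178.20 for user 'admin'
2024-02-05 08:03:44.310 Status: Login successful from 203.0.113.7 for user 'admin'
"""

# RFC 1918 private ranges plus loopback/link-local and their IPv6 counterparts.
LOCAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "::1/128", "fe80::/10", "fc00::/7")]

ADDR = r"([0-9A-Fa-f:.]+)"
PATTERNS = {
    "parse_error": re.compile(r"Error parsing http request address: " + ADDR),
    "connection": re.compile(r"Incoming Domoticz connection from: " + ADDR),
    "login_ok": re.compile(r"Login successful from " + ADDR + r" for user"),
}

def scope(text):
    """Return (address, 'local' | 'external'), or None if text is not an IP."""
    try:
        ip = ipaddress.ip_address(text)
    except ValueError:
        return None
    # ::ffff:a.b.c.d is an IPv4 client seen on a dual-stack socket: unwrap it.
    ip = getattr(ip, "ipv4_mapped", None) or ip
    local = any(ip.version == n.version and ip in n for n in LOCAL_NETS)
    return str(ip), "local" if local else "external"

def triage(log_text):
    """Return (event, address, scope) for every log line matching PATTERNS."""
    findings = []
    for line in log_text.splitlines():
        for event, rx in PATTERNS.items():
            m = rx.search(line)
            hit = scope(m.group(1)) if m else None
            if hit:
                findings.append((event, *hit))
    return findings

def external_logins(log_text):
    return [a for e, a, s in triage(log_text) if e == "login_ok" and s == "external"]
```

Only 172.16.0.0 to 172.31.255.255 falls inside 172.16.0.0/12, so an address starting with 172 is not automatically a private one.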
lost
Posts: 660
Joined: Thursday 10 November 2016 9:30
Target OS: Raspberry Pi / ODroid
Domoticz version:
Contact:

Re: Strange entry in my logfile

Post by lost »

costo wrote: Thursday 08 February 2024 18:55 Nothing essential running on Domoticz or the RasPi. It runs like this for several years so I can monitor my system (and home) when I'm away.
Nothing essential, but you have the possibility to allow a secure remote access. The Pi is in your LAN so may be used to bounce/compromise other elements... Or just doing bad things that will appear coming from you at 1st sight & may bring police early one morning, behaving like wild boars in your home until they understand you're not the guilty one (IMO, for such problem, this'll take time & turn to a... very bad time for you & relatives).

If you want to better know what these messages are for, as I don't see them on my secured setup, that's open source so a white box: Upload the source (preferably the version you use), do a recursive grep on some invariant part of the message/without what may be added by logger or any variable element and read the code around to know if this may be an issue or not (for now).