Add native support for x509 Security


Add native support for x509 Security

Post by lollo93 »

Hi,

I just installed Domoticz and now I want to forward a port on my router to enable web reachability of my Domoticz installation.

It would be wonderful if the x509 authentication explained in your wiki were integrated natively in the Domoticz server, without the Nginx requirement.
It would also be great to generate the certificates directly from the web page and let the user download them.

Node.js has many modules that support certificate authentication, such as "authorify" or "passportjs", so there is no need for an external tool such as Nginx or another proxy.

Thank you

Re: Add native support for x509 Security

Post by nayr »

um no, short answer: It's better to expose Nginx to the internet than Domoticz.. only a fool would forward ports to any IoT service, seriously.. a lot of the protection you get from this x509 setup is due to the fact that access to the domoticz process requires passing through nginx first.. without a valid x509 cert you're never connecting to Domoticz... so any potential security issues in Domoticz have been rendered moot.

long answer I outlined before: viewtopic.php?f=21&t=9799

and integrating a CA into Domoticz, let alone native x509, negates most of the security provided by this setup.. keep your keys safe (especially your CA), and not stored on machines accessible from the internet.. preferably stored on external media and physically locked up so it's inaccessible from networks. It's trillions of times harder to crack a key than steal it. XCA is an excellent program and duplicating its functionality is a waste of time.. the fact that the wiki has you create your CA on a different host than domoticz was done on purpose.

the only other alternative anywhere near as secure as my x509 Nginx setup is to use a VPN, the downside to using a VPN is that it requires a few more clicks to connect anytime you need access, and still has to be configured with x509 to be immune to brute force attacks.. should Domo include a native VPN Server and UI to configure it? hint: no

real security takes effort and understanding, or else you just have theatre.. you can't visit a website on the internet without the traffic transiting hardware my employer makes, network security is my game.
Debian Jessie: CuBox-i4 (Primary) w/Static Routed IP and x509 / BeagleBone with OpenSprinkler / BeagleBone Planted Aquarium / 3x Raspbery Pi2b GPIO Slaves
Elemental Theme - node-domoticz-mqtt - Home Theatre Controller - AndroidTV Simple OSD Remote - x509 TLS Auth

Re: Add native support for x509 Security

Post by lollo93 »

Hi,

I partially agree with you.
I know it is better to expose another server, but many of us need a simple solution for working with Domoticz remotely.
Personally I have a Raspberry Pi running Domoticz and I do not have any other computers or similar always on to run as a gateway with my personal Domoticz installation, so I decided to forward the web port to the WAN in order to access my instance from the web.

When you say
"a lot of the protection you get from this x509 setup is due to the fact that access to the domoticz process requires passing through nginx first"
I agree with you, but Nginx cannot be without bugs or security issues either. Nginx runs on a bigger number of devices; this means many bugs are found and fixed every day, but if someone doesn't remember to update his version he'll be exposed to a bug whose details are freely available on the internet.
(I'm talking about bugs, but the same can be said about vulnerabilities and exposures.) I don't want to update things constantly; there are updates everywhere and it is annoying to run them every week or every month.
Giving Domoticz the security management, you can update it directly from inside the web app, all together, and maybe automatically!

Nothing in the IT world is unbreakable, not even x509. Brute force attacks now work only with simple passwords, but there are tools like fail2ban that are very easy to set up and they will save you from that kind of attack. To bypass something like that tool you need to run a distributed brute force, but in that case you can configure Domoticz to lock itself if it receives too many attempts in a period of time.

And the solution with VPNs, as you said, is too difficult for standard users and to configure on other devices in case of need.

When you develop something you need to think that there are some people who know perfectly how to use the software, with all its potential, and some people who use only the web interface without knowing anything about HTML, NodeJS, SSH, commands, protocols and other IT stuff.
Personally I have a degree in IT, so I know exactly what you are talking about, but the second kind of people I mentioned before simply download the software and want to use a finished product, not something that needs time to be configured and other devices to be used.

Remember that one of the most useful things about IoT is that it can be accessed from anywhere in the world to check your house status. So if it becomes too difficult they lose their potential!

Re: Add native support for x509 Security

Post by nayr »

1. Nginx can be updated automatically without risk of breaking anything, it's also been audited and is a thousand times less likely to be vulnerable.. Domoticz should not be updated automatically, ever.. even Gizmocuz will tell you this.. he just rejected this very feature request. If you want your Home Automation system broken every other week, go ahead and make it update automatically.. Who ports security fixes back to the stable branch? nobody, that's who.

2. VPN is just as easy to set up as Port Forwarding, believe it or not.. Most consumer routers nowadays include a VPN Server and I've talked many complete laymen through setting up the VPN in less time than it took them to set up a port forward.. Trust me, if corporate environments can get stupid sales people and C level executives with golden iWatches to use VPN then you can get your wife to use it too.. So if your tablets/phones/laptops and router already have VPN clients/servers included, what's so hard about checking a box and setting up your users? If domoticz had built in IPSec it would be a piece of cake as every smart phone I've ever seen has a native IPSec client.

3. Ask people what their #1 concern about IoT devices is and it's not ease of access, it's hackers gaining access.. If you have to jump through a few hoops then so be it.. When I start showing my system off to friends/family/co-workers there has not been a single instance where someone did not point out concern of me being hacked with all this stuff wired up.

4. Domoticz is not designed to be set up and operated by novices afraid of using a command line every once in a while, if getting x509 working is too much trouble then you have no business putting domoticz on the internet with port forwards anyhow.. you'll find it easier to set up the VPN, see case #2 above.

If you want to plug a service into the internet see if it passes this simple test first: If it had a default login did it require you to change it before allowing you to do anything else? No, Domoticz by default has no logins or passwords set up? Well anything that can't be bothered to be secure by default was obviously never intended to be exposed directly to the internet and quite simply can't be trusted even after you take steps to configure it..

now when you apt-get install nginx was it secure by default? you can fucking bet your ass it was.

Sorry this wasn't simple enough for you, but you obviously care a bit about security so rock on my friend.. I'd love to get everyone using x509, but not if it's half assed... When it comes to security there is a lot of temptation to make it theatrical.. making something feel more secure might be good for your personal psychology, but it does little to actually address the problem.

This is Network Security 101, protect your valued assets behind properly configured firewalls, proxies and VPN... even if Domoticz had x509 support natively built in like you request.. you are safer now behind Nginx than you would be otherwise.

Re: Add native support for x509 Security

Post by schoutene »

Thanks @nayr for your write-up on securing Domoticz when exposing it to the Internet. I prefer using the built-in VPN server capabilities in a router, however my current router (Apple Airport Extreme) looks good... but does not allow any techy features like a VPN server.

So I'm now looking at the x509 authentication, as described in the wiki. Thanks for that, but I'm missing the CLI commands I need for my Raspberry (which runs without an X server, so the GUI will not work).

Thanks in advance for your tip.

Re: Add native support for x509 Security

Post by nayr »

You're going to want to distribute the x509 certs to your desktops/tablets/phones over a wired connection directly, your main PC is likely most suitable for this, not your RPi, download XCA for whatever platform you desire, runs on Windows/OSX/Linux, and break out that USB cable.

you can copy the keys to your Pi over an SSH connection, just right click and export to clipboard, click through the warning then paste it into your terminal app.

I would have thought the Airport Extreme would have support for VPN with all the other features it seems like they have, shame.. but if you Google "raspberry pi openvpn server" you run into all sorts of videos and documents that will get you going.. it's just an apt-get install away.

If you want to set up any IP cameras then you're going to need to set up a VPN server sooner or later, you think those Chinese cameras with half assed firmware are safe to expose to the internet? yeah right.. nice thing is once all your phones and devices are set up to VPN home suddenly there is no such thing as a hostile wifi, as long as you set up the VPN link you're entirely encrypted even on a public network.

both have benefits, I use both VPN and x509.. depending if I want instant access or full access.. I also proxy many other web applications through nginx, I can manage my media files, audio and ebooks, torrent/usenet downloaders, voip server, rss feed reader, network monitors, ipcameras, irrigation system etc all alongside domoticz and all securely accessible from the same URL anywhere in the world on any device I authorize without as much as a password, same certs are used to get on my wifi securely in the same manner.. everything is run on prem, not a thing is in the cloud except encrypted backups, can't get better IoT than that..

is Domoticz really the only web interface you would like to put behind an x509 proxy? well you just haven't been trying hard enough :lol: you'll get there, once you have it set up it's a piece of cake.. Domoticz supports being run out of a subpath now so you can set up /domoticz /plex /opensprinkler /sonarr /transmission /nzbget /servermon /virturalbox /ipcam1 /ipcam2 /ipcam3 until your head spins..

Re: Add native support for x509 Security

Post by schoutene »

Thanks again for the write-up, totally agree on using both (VPN for all access, x509 for quick Domoticz-only access). I've been having some challenges with port forwarding through my Airport, hence using x509 for now.

Re: Add native support for x509 Security

Post by schoutene »

Two comments on the x509 section of the wiki:
1. the restart command for nginx in this section should be executed with sudo, as described earlier in the wiki page
2. client authentication does not work for me after following the described config; nginx does redirect to the Error Page FQDN (so nginx does what needs to be done). I think it does not work because the nginx x509 config points ssl_client_certificate to /etc/ssl/ca/ca.crt, which is not the CA that has knowledge of the generated HTTP client certificate (it's still the default ca.crt file). Do I need to copy the ca.crt, which was also copied to the client devices earlier, here on the server?

Re: Add native support for x509 Security

Post by nayr »

you need to copy the CA public cert to the server with the server's cert, yes; clients will want the CA cert too so your server is known and green.

the CA key keep safe, it does not need to go anywhere but onto a flash drive + optical backup and locked in a safe (in fact this is how I suggest you store the entire XCA keystore when not in use).. any cert signed with that key will be granted access to your kingdom.. if it gets compromised you have to wipe out all your certs and start over. If you store it offline you know it's safe from malware and hackers.. the first thing they look for are keys and passwords.

alternatively, you can create all your client/server certs, sign them with the CA key and then destroy it.. it will not be possible to make a new key without re-keying everything.. could be good if you're just doing a couple certs for: Dad/Mom/Kid and very unlikely to have the need for creating more later.. just make sure you do really long expiration dates and back up those client keys offline instead.

I prefer the strategy of one key per device, each user on a phone/tablet/laptop/pc gets a key for that device.. if a phone gets lost, stolen, or even broken and disposed of you can revoke the cert and your server will reject it should it ever encounter it again.. another reason XCA is really good is it can handle tracking all that for you, so a couple years from now you can quickly and confidently revoke the right cert.

thanks for the tips, I'll correct them, but any of you guys can create a Wiki account and fix any mistakes you find too.

Re: Add native support for x509 Security

Post by schoutene »

Copied the ca.crt (exported as a PEM text file with headers) to the server at the location indicated in ssl_client_certificate. Still does not work. Any tips for troubleshooting? Both access and error logs are not recording anything when the x509 settings are not hashed out (# in front).

Updated the wiki myself with the sudo comment.

Re: Add native support for x509 Security

Post by nayr »

is it even starting up? usually if you don't give it all the certs/files it pukes with a valid error.