Suggestions for a more secure Domoticz installation
Posted: Thursday 17 January 2019 11:50
Hi,
Like many, I have installed Domoticz on a Raspberry Pi/Raspbian and just followed the default installation procedure. With success: everything is working. Now that I have a working environment I am worried about using Domoticz from "outside": it would be great to see if the kids are home, if all windows are indeed closed, that the lights are on/off etc., but I do not want others to have access to this data: very handy for burglars, for instance.
I also plan to set up an alarm system.
This means that the installation needs to be tough enough to be connected to the open internet (with SSL/port forwarding etc.).
I have a few worries here:
1) Domoticz is by default running as user "pi" (or the user who installed the system). This user has way too many rights, I think: it is usually a member of the sudo group etc. Why not install Domoticz as a user domoticz with a group domoticz?
2) A computer directly connected to the Internet should be hardened more than a system on a private LAN. I am thinking about firewalling, intrusion detection and that sort of thing.
3) I mistrust the Raspberry's performance and especially the SD card, which is (IMHO) a recipe for failure in the long run. I am considering buying a cheap micro PC (like this one: https://bit.ly/2swecFy) to run the system on.
4) If I would be truly paranoid I would install the OS on multiple partitions and make some read only (the grand majority) and a writable partition(s) for e.g. /var/log/* /home/*, the Domoticz database etc.
5) Why is installing Domoticz in /home/pi (or for that matter /home/$user) recommended? I have installed Domoticz in /opt to keep things separated and to make sure I do not do something stupid when cleaning out my home dir...
6) Directory/file rights/ownership: everything in /opt/domoticz (my location) has owner/group pi:pi with rights 755. This is way too much, I think. Almost everything can be 444 or 644, I guess...
etc. etc. As you can see I have many questions/ideas and I am looking forward to your reactions!
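The permission concern in point 6, as an added example that is not part of the original post: a read-only audit that lists files under an install tree which carry an execute bit without being an ELF binary or `#!` script (candidates for 644), plus anything writable by group or others. The function names are made up for this example, GNU/Linux `find` and `od` are assumed, and the path is whatever you pass in (the post uses /opt/domoticz).

```shell
#!/bin/sh
# Added example (hypothetical helper names): audit a tree for over-broad modes.
# It only reads and reports; it never changes permissions.

# is_program FILE -> exit 0 if FILE starts with ELF magic or a '#!' shebang
is_program() {
    # First four bytes as hex, e.g. 7f454c46 for ELF, 2321.... for '#!'
    magic=$(od -An -tx1 -N4 "$1" 2>/dev/null | tr -d ' \n')
    case "$magic" in
        7f454c46) return 0 ;;
        2321*)    return 0 ;;
    esac
    return 1
}

# noexec_candidates DIR -> regular files with any execute bit that are not
# programs (web assets, images, configs, databases): candidates for 0644.
# Assumes no newlines in file names.
noexec_candidates() {
    find "$1" -type f \( -perm -100 -o -perm -010 -o -perm -001 \) |
    while IFS= read -r f; do
        is_program "$f" || printf '%s\n' "$f"
    done
}

# loose_write DIR -> files and directories writable by group or others
loose_write() {
    find "$1" \( -type f -o -type d \) \( -perm -020 -o -perm -002 \)
}

# Report for the tree given as the first argument, e.g. /opt/domoticz
if [ "$#" -ge 1 ]; then
    echo "== execute bit set, but not an ELF binary or #! script =="
    noexec_candidates "$1"
    echo "== writable by group or others =="
    loose_write "$1"
fi
```

Directories are left out of the first list on purpose: they need the execute bit to be traversable, so 755 (or 750) is normal for them even when their files drop to 644.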