External endpoint security for exposed Domoticz

Posted: Monday 18 February 2019 19:52
by philchillbill
I'm looking into making the exposure of my Domoticz instance to the outside world (for an Alexa skill) via HTTPS even more secure than it currently is. I'd like the opinion of experts on the following.

Let's assume that using a no-ip DNS name I can access my box directly via e.g. https://itsme.myddns.me:1443 where I have my own Letsencrypt cert set up and I have basic auth set up so a username and password are needed. This just works, obviously. But if somebody finds my DNS name via brute force and also discovers my external port via a port scan, they get a Domoticz login prompt and may now know how to proceed further in hacking me.

However, let's say I set up an apache2 server on my machine and have it proxy from an endpoint with a big random endpoint/pathname before pointing towards Domoticz:

ProxyPass /c29785d-b239-44a9-a8fb-1033a64d1e36/domoticz/json.htm http://localhost:8080/json.htm

with basic auth active too, plus with a big random password like 8efb46ef-998e-495a-9a23-6849b704a93b that's not easily guessed.

Now, in order to access my Domoticz instance remotely, I can use the following (much harder to stumble upon):

https://itsme.myddns.me:1443/c29785d-b2 ... es&rid=101

where I'd also have to get by the basic auth setup for apache before being directed via HTTP within my local network to Domoticz.

What are the pitfalls of doing this? Can that big random endpoint name be revealed or is brute force the only way in?
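The setup described in the post, written out as an added Apache 2.4 configuration example (not the poster's own config). It assumes mod_ssl, mod_proxy, mod_proxy_http, mod_rewrite, mod_auth_basic and mod_headers are enabled; the hostname, port and random path segment are taken from the post, while the certificate and htpasswd file paths are placeholders.

```apache
# Added example: publish Domoticz only under an opaque path, behind basic auth.
# Certificate and htpasswd locations below are placeholders (assumption).
Listen 1443
<VirtualHost *:1443>
    ServerName itsme.myddns.me
    ServerSignature Off

    SSLEngine on
    SSLCertificateFile    /etc/letsencrypt/live/itsme.myddns.me/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/itsme.myddns.me/privkey.pem

    # No forward proxying; only the explicit mapping below is reachable.
    ProxyRequests Off

    # Any request outside the secret prefix gets a bare 404 before it reaches
    # the auth layer, so a scanner sees neither a login prompt nor a 401 realm.
    RewriteEngine On
    RewriteCond %{REQUEST_URI} !^/c29785d-b239-44a9-a8fb-1033a64d1e36/domoticz/
    RewriteRule .* - [R=404,L]

    # Reduce leakage of the secret path through Referer headers sent by pages
    # served from this host (does not help against logs or browser history).
    Header always set Referrer-Policy "no-referrer"

    <Location "/c29785d-b239-44a9-a8fb-1033a64d1e36/domoticz/">
        AuthType Basic
        AuthName "Restricted"
        AuthUserFile /etc/apache2/domoticz.htpasswd
        Require valid-user
        # Strip the prefix and hand the remainder to Domoticz on localhost.
        ProxyPass        http://127.0.0.1:8080/
        ProxyPassReverse http://127.0.0.1:8080/
    </Location>

    CustomLog ${APACHE_LOG_DIR}/domoticz_access.log combined
    ErrorLog  ${APACHE_LOG_DIR}/domoticz_error.log
</VirtualHost>
```

The random path segment still appears in Apache's access log, in browser history, and in any Referer header sent when a link is followed from the proxied UI, so it should be handled as a credential rather than as a hidden address; the basic-auth password remains the control that actually gates access.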