
Security Issue Domoticz

Posted: Monday 02 January 2023 20:05
by gschmidt
Hi,

Because of a corrupt domoticz.db file (also my older backups caused an "Offline" error),
I had to install a fresh version of Domoticz.

Before I performed a fresh install, I first removed:
  • Domoticz with

    sudo rm -r domoticz/

  • /etc/init.d/domoticz.sh
  • /etc/domoticz
Then I executed:

    sudo curl -L https://install.domoticz.com | sudo bash

The installation went without any errors, but when I tried to login the first time, the default credentials: admin/domoticz were not valid.

Then I tried to reset the password, explained on this page: https://www.domoticz.com/wiki/Lost_Username_Password
This worked and I could enter Domoticz.
So I created a user with admin rights.
Now the login went fine.

Then I changed to the Beta release and ran the latest update. This also went fine.
Then I tried to turn off the login for my local network in the settings page by entering: 192.168.1.*

Here starts my problem:
I can enter Domoticz without login from my local network... but also from "outside" my network I don't have to log in anymore?
This is obviously not what I want, of course, because then anyone can enter Domoticz from outside.
This has always worked on my previous installation, but with the fresh installation it suddenly does not work anymore.

What is the problem here?

Re: Security Issue Domoticz

Posted: Monday 02 January 2023 21:53
by kiddigital
Steps look all fine.

How do you access Domoticz from the outside? Through a Proxy server?

Try to run Domoticz with debugging flags enabled (especially ‘auth,webserver,received’) and look what the debug logs tell you when performing requests from the outside.

Re: Security Issue Domoticz

Posted: Tuesday 03 January 2023 0:54
by HvdW
Plus, why live on the edge and work with beta instead of stable.
Is there a good reason to do so?

Re: Security Issue Domoticz

Posted: Tuesday 03 January 2023 10:32
by gschmidt
kiddigital wrote: Monday 02 January 2023 21:53
    Steps look all fine.

    How do you access Domoticz from the outside? Through a Proxy server?

    Try to run Domoticz with debugging flags enabled (especially ‘auth,webserver,received’) and look what the debug logs tell you when performing requests from the outside.
Yep, I run pfSense on a mini PC as main router/firewall software.
On this system I have installed a plugin of a proxy server, HAProxy, and use the ACME plugin to create valid certificates.
This has been running for a few years now and my previous Domoticz installation (also the Beta) never had any problems with it.

When I did a fresh install of Domoticz last week, the Stable version of Domoticz was installed.
But here the login error (unknown login name and password) with the default admin/domoticz already happens...
I performed the fresh Domoticz install several times (after deleting Domoticz the way I already mentioned above), but each time the login did not work until I followed the no login/password steps.

Re: Security Issue Domoticz

Posted: Tuesday 03 January 2023 10:37
by gschmidt
HvdW wrote: Tuesday 03 January 2023 0:54
    Plus, why live on the edge and work with beta instead of stable.
    Is there a good reason to do so?
Well in the past I was using the Yamaha Receiver Plugin which only worked properly with the Beta version (according to the help file)
Now I control the Yamaha with Node-Red/Google Home, so there is no need anymore....but I just wanted to install Domoticz with the settings I used to have.

Re: Security Issue Domoticz

Posted: Tuesday 03 January 2023 11:06
by gschmidt
kiddigital wrote: Monday 02 January 2023 21:53
    Try to run Domoticz with debugging flags enabled (especially ‘auth,webserver,received’) and look what the debug logs tell you when performing requests from the outside.
I see what the error is:

2023-01-03 10:57:52.350  [76fdd040] Debug: [web:443] Enabled ciphers (TLSv1.2) ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
2023-01-03 10:57:52.353  [76fdd040] Debug: [web:443] 'BEGIN DH PARAMETERS' found in file ./server_cert.pem
2023-01-03 10:57:52.354  [76fdd040] Status: WebServer(SSL) startup failed on address :: with port: 443: bind: Permission denied [system:13], trying ::
2023-01-03 10:57:52.355  [76fdd040] Debug: [web:443] Enabled ciphers (TLSv1.2) ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
2023-01-03 10:57:52.357  [76fdd040] Debug: [web:443] 'BEGIN DH PARAMETERS' found in file ./server_cert.pem
2023-01-03 10:57:52.358  [76fdd040] Status: WebServer(SSL) startup failed on address :: with port: 443: bind: Permission denied [system:13], trying 0.0.0.0
2023-01-03 10:57:52.359  [76fdd040] Debug: [web:443] Enabled ciphers (TLSv1.2) ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
2023-01-03 10:57:52.361  [76fdd040] Debug: [web:443] 'BEGIN DH PARAMETERS' found in file ./server_cert.pem
2023-01-03 10:57:52.362  [76fdd040] Error: WebServer(SSL) startup failed on address 0.0.0.0 with port: 443: bind: Permission denied [system:13]
2023-01-03 10:57:52.362  [76fdd040] Error: WebServer(SSL) check privileges for opening ports below 1024
2023-01-03 10:57:52.363  [76fdd040] Starting shared server on: :::6144

In my previous Domoticz installation I started to secure and access it from outside with DuckDNS and Let's Encrypt on the Raspberry Pi,
which properly created the server_cert.pem (using the Domoticz help docs).
When I switched to HAProxy and ACME on my pfSense box, the server_cert.pem was already properly configured.

I guess I have to export the certificate from my pfsense box to a pem file and place this in the domoticz directory?

Re: Security Issue Domoticz

Posted: Tuesday 03 January 2023 12:10
by gschmidt
I have copied the PEM file from ACME to the domoticz directory and renamed it to server_cert.pem
And tested again with:

    ./domoticz -www 8080 -sslwww 443 -log "/var/log/domoticz.log" -loglevel all -debuglevel normal,auth,hardware,received,webserver,eventsystem,python,thread_id

But I get the following error:

2023-01-03 12:03:40.314  [76f16040] Status: WebServer(HTTP) started on address: :: with port 9090
2023-01-03 12:03:40.317  [76f16040] Debug: CWebServer::StartServer() : settings : ssl_server_settings['server_settings[is_secure_=true, www_root='/home/pi/domoticz/www', listening_address='::', listening_port='443', vhostname='', php_cgi_path='']', ssl_method='tls', certificate_chain_file_path='./server_cert.pem', ca_cert_file_path='./server_cert.pem', cert_file_path=./server_cert.pem', private_key_file_path='./server_cert.pem', private_key_pass_phrase='', ssl_options='single_dh_use', tmp_dh_file_path='./server_cert.pem', verify_peer=false, verify_fail_if_no_peer_cert=false, verify_file_path='']
2023-01-03 12:03:40.325  [76f16040] Debug: [web:443] Enabled ciphers (TLSv1.2) ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
2023-01-03 12:03:40.327  [76f16040] Error: [web:443] missing SSL DH parameters from file ./server_cert.pem
2023-01-03 12:03:40.329  [76f16040] Status: WebServer(SSL) startup failed on address :: with port: 443: bind: Permission denied [system:13], trying ::
2023-01-03 12:03:40.330  [76f16040] Debug: [web:443] Enabled ciphers (TLSv1.2) ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
2023-01-03 12:03:40.332  [76f16040] Error: [web:443] missing SSL DH parameters from file ./server_cert.pem
2023-01-03 12:03:40.333  [76f16040] Status: WebServer(SSL) startup failed on address :: with port: 443: bind: Permission denied [system:13], trying 0.0.0.0
2023-01-03 12:03:40.334  [76f16040] Debug: [web:443] Enabled ciphers (TLSv1.2) ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
2023-01-03 12:03:40.336  [76f16040] Error: [web:443] missing SSL DH parameters from file ./server_cert.pem
2023-01-03 12:03:40.337  [76f16040] Error: WebServer(SSL) startup failed on address 0.0.0.0 with port: 443: bind: Permission denied [system:13]
2023-01-03 12:03:40.338  [76f16040] Error: WebServer(SSL) check privileges for opening ports below 1024
2023-01-03 12:03:40.340  [76f16040] Starting shared server on: :::6144
2023-01-03 12:03:40.340  [719fe200] Status: TCPServer: shared server started...
2023-01-03 12:03:40.341  [707fe200] Status: RxQueue: queue worker started...
2023-01-03 12:03:40.884  [72bc6200] Debug: [web:9090] Host:192.168.1.1 Uri:/
2023-01-03 12:03:40.884  [72bc6200] Debug: [web:9090] Request Headers:
content-length: 0

2023-01-03 12:03:40.884  [72bc6200] Debug: Web ACLF: 192.168.1.1 - - [03/Jan/2023:12:03:40.883 +0100] "OPTIONS / HTTP/1" 200 0 - -
2023-01-03 12:03:41.887  [72bc6200] Debug: [web:9090] Host:192.168.1.1 Uri:/
2023-01-03 12:03:41.887  [72bc6200] Debug: [web:9090] Request Headers:
content-length: 0
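
The debug log above shows the requests reaching Domoticz with Host:192.168.1.1. If that address is the pfSense/HAProxy box (an assumption made here, not stated in the thread), then a "no login for 192.168.1.*" rule can no longer tell LAN users from Internet users: every connection the server sees comes from the proxy, which is itself inside the exempted range, so the exemption applies to everybody. The Python below is an added illustration of that failure mode and of the usual fix, not Domoticz's or HAProxy's code. It assumes a single trusted proxy that appends the address it observed to X-Forwarded-For (what HAProxy does with `option forwardfor`); the network, proxy address and traffic are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass, field

# Constructed for this example: the 192.168.1.* rule from the post, and the
# assumption that 192.168.1.1 is the pfSense/HAProxy host seen in the log.
LOCAL_NETWORK = ipaddress.ip_network("192.168.1.0/24")
TRUSTED_PROXIES = {ipaddress.ip_address("192.168.1.1")}


@dataclass
class Request:
    peer: str                                   # TCP peer address as the server sees it
    headers: dict = field(default_factory=dict)  # header names lower-cased


def naive_is_local(req: Request) -> bool:
    """Exempt a request from login when the TCP peer is inside the local range.
    Correct only when clients connect directly; behind a reverse proxy the peer
    is always the proxy, so every request is exempted."""
    return ipaddress.ip_address(req.peer) in LOCAL_NETWORK


def client_address(req: Request):
    """Recover the real client address.

    X-Forwarded-For is honoured only when the connection comes from a trusted
    proxy.  The proxy appends the address it observed, so the right-most entry
    is the one it vouches for; earlier entries may have been supplied by the
    client and are ignored.  An unparsable address raises ValueError."""
    peer = ipaddress.ip_address(req.peer)
    xff = req.headers.get("x-forwarded-for", "")
    if peer in TRUSTED_PROXIES and xff.strip():
        return ipaddress.ip_address(xff.split(",")[-1].strip())
    return peer


def proxy_aware_is_local(req: Request) -> bool:
    """Exemption decision that fails closed: anything unparsable requires login."""
    try:
        return client_address(req) in LOCAL_NETWORK
    except ValueError:
        return False


# Constructed traffic; 203.0.113.0/24 is a documentation range standing in for the Internet.
SCENARIOS = {
    "lan user, direct":           Request("192.168.1.50"),
    "internet user via proxy":    Request("192.168.1.1", {"x-forwarded-for": "203.0.113.7"}),
    "internet user, spoofed xff": Request("192.168.1.1", {"x-forwarded-for": "192.168.1.9, 203.0.113.7"}),
    "direct hit, spoofed xff":    Request("203.0.113.7", {"x-forwarded-for": "192.168.1.9"}),
    "garbage xff via proxy":      Request("192.168.1.1", {"x-forwarded-for": "not-an-ip"}),
}


def evaluate() -> dict:
    """Return {scenario: (peer-only decision, proxy-aware decision)}; True means no login required."""
    return {name: (naive_is_local(r), proxy_aware_is_local(r)) for name, r in SCENARIOS.items()}


if __name__ == "__main__":
    for name, (naive, aware) in evaluate().items():
        print(f"{name:28} peer-only: {'no login' if naive else 'login':9} "
              f"proxy-aware: {'no login' if aware else 'login'}")
```

The peer-only rule waves through the "internet user via proxy" case, which is the symptom described in the first post; the proxy-aware rule lets only the direct LAN request in and requires login for everything else, including a forged header sent straight to the server. A trusted proxy that sends no X-Forwarded-For at all (health checks such as the `OPTIONS /` lines in the log look like this) is treated as the proxy itself, i.e. local; if that is unwanted, require the header whenever the peer is a proxy.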

Re: Security Issue Domoticz

Posted: Tuesday 03 January 2023 13:45
by waltervl
Please do not ask me for the details but I see those error messages

    missing SSL DH parameters from file ./server_cert.pem
being solved by instructions in wiki https://www.domoticz.com/wiki/Native_se ... o_Domoticz
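
The two logs posted earlier show what changed: the 11:06 run found 'BEGIN DH PARAMETERS' in ./server_cert.pem (the bundle built earlier for Let's Encrypt), while the 12:10 run, after the ACME export was copied over it, reports "missing SSL DH parameters". The debug line in that log shows the certificate chain, private key and DH parameters are all read from that single file, so a plain ACME export (certificate plus key) is not sufficient. The Python below is an added example, not Domoticz's code and not the wiki procedure: a small PEM-block check that reports which of the three block types a bundle lacks, appends a DH PARAMETERS block, and verifies the file (which carries the private key) is readable by its owner only. The certificate, key and DH contents are constructed placeholders, not real key material.

```python
import os
import re
import stat
import tempfile

# A PEM block is "-----BEGIN <LABEL>-----", a base64 body, "-----END <LABEL>-----".
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----\s*(.*?)\s*-----END \1-----", re.S)

# The debug line in the post shows the chain, the private key and the DH
# parameters all being loaded from ./server_cert.pem, so a usable bundle
# needs all three block types.
REQUIRED = ("CERTIFICATE", "PRIVATE KEY", "DH PARAMETERS")


def pem_labels(text: str) -> list:
    """Labels of every PEM block in the text, in file order."""
    return [m.group(1) for m in PEM_BLOCK.finditer(text)]


def missing_blocks(text: str) -> list:
    """Required block types absent from the bundle.  'RSA PRIVATE KEY' and
    'EC PRIVATE KEY' (PKCS#1 / SEC1 encodings) count as a private key."""
    present = set(pem_labels(text))
    if any(label.endswith("PRIVATE KEY") for label in present):
        present.add("PRIVATE KEY")
    return [label for label in REQUIRED if label not in present]


def append_dh_params(bundle: str, dh_pem: str) -> str:
    """Add a DH PARAMETERS block to a bundle that lacks one; refuse junk input."""
    if "DH PARAMETERS" in pem_labels(bundle):
        return bundle
    if pem_labels(dh_pem) != ["DH PARAMETERS"]:
        raise ValueError("dh_pem must contain exactly one DH PARAMETERS block")
    return bundle.rstrip("\n") + "\n" + dh_pem.strip() + "\n"


def write_bundle(text: str, path: str = None) -> str:
    """Write the bundle with owner-only permissions and return its path.
    Without a path a temporary file is used (for the demonstration below)."""
    if path is None:
        fd, path = tempfile.mkstemp(suffix=".pem")
        os.close(fd)
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as f:
        f.write(text)
    os.chmod(path, 0o600)  # the mode in os.open only applies to newly created files
    return path


def is_private_file(path: str) -> bool:
    """True when no group/other permission bits are set on the bundle."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    return mode & (stat.S_IRWXG | stat.S_IRWXO) == 0


# Constructed placeholders: what an ACME client typically exports (chain plus
# key, no DH block) and a separately generated DH parameter block.
ACME_EXPORT = """-----BEGIN CERTIFICATE-----
MIIBplaceholderLeafCertificate
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIBplaceholderIntermediateCertificate
-----END CERTIFICATE-----
-----BEGIN PRIVATE KEY-----
MIIEplaceholderPrivateKey
-----END PRIVATE KEY-----
"""
DH_PARAMS = """-----BEGIN DH PARAMETERS-----
MIIBCAKCAQEAplaceholderDhParameters
-----END DH PARAMETERS-----
"""

if __name__ == "__main__":
    print("ACME export is missing:", missing_blocks(ACME_EXPORT))
    fixed = append_dh_params(ACME_EXPORT, DH_PARAMS)
    print("after appending DH params, missing:", missing_blocks(fixed))
    print("bundle private:", is_private_file(write_bundle(fixed)))
```

A real DH block is produced with `openssl dhparam -out dhparam.pem 2048` and appended to the bundle as above; with HAProxy terminating TLS in front of Domoticz, the bundle only matters if Domoticz's own HTTPS port is used at all. The `bind: Permission denied` on port 443 in the same log is a separate issue: as the log itself says, an unprivileged process cannot open ports below 1024.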

Re: Security Issue Domoticz

Posted: Tuesday 03 January 2023 14:57
by gschmidt
There are more problems than only the SSL DH parameters.
I just figured out this probably has to do with my HAProxy/ACME setup to secure Domoticz.
I will close this post and start a new one which is more suitable for my problem.