
Strange entry in my logfile

Posted: Monday 05 February 2024 13:14
by costo
I have my Domoticz running on a Raspberry Pi 3B.
On my Fritz!Box router I have made my Raspberry accessible from the internet. I sometimes see messages like this in the logfile:
2024-02-04 19:23:21.793 Error: Error parsing http request address: ::ffff:172.233.57.39
but not so much that I worry about these attempts.

I have changed the 8080 port externally to a different high-number port, all in IPv4.
Of course access to the Pi and to Domoticz is protected with a password.

But this morning I found a strange entry in my logfile:

2024-02-05 07:55:02.172 subtype = Interface Command
2024-02-05 07:55:02.172 Sequence nbr = 47
2024-02-05 07:55:02.172 Status: Incoming Domoticz connection from: 194.165.16.73

It looks like this IP got access to the Raspberry Pi or Domoticz?
I have no idea what the messages "subtype" and "nbr" mean.
Can someone enlighten me as to what could be going on here?

Re: Strange entry in my logfile

Posted: Thursday 08 February 2024 10:21
by Daik
194.165.16.73 is a local network IP address. Are you sure that it does not come from one of your devices?

Re: Strange entry in my logfile

Posted: Thursday 08 February 2024 10:28
by lost
Daik wrote: Thursday 08 February 2024 10:21 194.165.16.73 is a local network IP address. Are you sure that it does not come from one of your devices?
That's not correct, this IP is not in one of the private IPv4 ranges.

whois 194.165.16.73

returns an IP allocated to :idea:


role:           FLYSERVERS GLOBAL NETWORK OPERATION CENTRE
address:        50th Street, Global Bank Tower, Suite 1801
address:        Panama

Re: Strange entry in my logfile

Posted: Thursday 08 February 2024 10:35
by lost
costo wrote: Monday 05 February 2024 13:14 I have changed the 8080 port externally to a different high-number port, all in IPv4.
Of course access to the Pi and to Domoticz is protected with a password.
Opening http to the outside/WAN is kind of like playing Russian roulette with 5 bullets in the barrel: that's all unencrypted, including the password. :!:

=> Open https instead, but you'll need a domain (no-ip provides free ones), if you don't already have one for your http WAN use, plus a certificate (Let's Encrypt, as self-signed certificates like the Domoticz default one are more and more refused by browsers, which no longer allow such exceptions). In the meantime remove your redirection and change your password! Also check carefully that there are no suspicious processes or behaviour on the host running Domoticz.

Re: Strange entry in my logfile

Posted: Thursday 08 February 2024 11:18
by waltervl
IP 172.233.57.39 could be an internal Docker IP. Is Domoticz running in a Docker environment?

Re: Strange entry in my logfile

Posted: Thursday 08 February 2024 11:32
by HvdW
I don't think so.
My personal solution is to have the RPi solely local and to connect from outside using WireGuard (PiVPN).
WireGuard establishes a tunnel where no one can snoop or interfere.

Re: Strange entry in my logfile

Posted: Thursday 08 February 2024 18:43
by costo
waltervl wrote: Thursday 08 February 2024 11:18 IP 172.233.57.39 could be an internal Docker IP. Is Domoticz running in a Docker environment?
Nope, Domoticz runs on a RasPi 3B with only Domoticz installed.

Re: Strange entry in my logfile

Posted: Thursday 08 February 2024 18:55
by costo
lost wrote: Thursday 08 February 2024 10:35
costo wrote: Monday 05 February 2024 13:14 I have changed the 8080 port externally to a different high-number port, all in IPv4.
Of course access to the Pi and to Domoticz is protected with a password.
Opening http to the outside/WAN is kind of like playing Russian roulette with 5 bullets in the barrel: that's all unencrypted, including the password. :!:

=> Open https instead, but you'll need a domain (no-ip provides free ones), if you don't already have one for your http WAN use, plus a certificate (Let's Encrypt, as self-signed certificates like the Domoticz default one are more and more refused by browsers, which no longer allow such exceptions). In the meantime remove your redirection and change your password! Also check carefully that there are no suspicious processes or behaviour on the host running Domoticz.
Nothing essential is running on Domoticz or the RasPi. It has run like this for several years so I can monitor my system (and home) when I'm away.

I was just wondering what these things mean:
subtype = Interface Command
Sequence nbr = 4
It looks like these were launched from the unknown IP address.

Re: Strange entry in my logfile

Posted: Thursday 08 February 2024 18:56
by Kedi
costo wrote: Monday 05 February 2024 13:14 2024-02-05 07:55:02.172 Status: Incoming Domoticz connection from: 194.165.16.73
You are just 1 step away from being compromised.
If the next line reads:

Status: Login successful from x.x.x.x for user 'YYYY'

then that guy (or woman) is in.
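The two checks raised in this thread, whether a logged source address is really local (lost's whois point) and whether an "Incoming Domoticz connection" line is followed by a "Login successful" for the same address (Kedi's point), as an added example that is not part of the original posts or of Domoticz itself. The log it scans is constructed for the example in the format quoted above: the two public addresses are the ones quoted by costo, but the "Login successful" lines and the 10.0.0.5 entries are invented to exercise the detector and are not from costo's log. Two details a practitioner would want: the `::ffff:` prefix in the first post is how an IPv4 peer appears on a dual-stack (IPv6) listening socket, so the address is unwrapped before the private-range check; and 172.16.0.0/12 only covers 172.16.x.x to 172.31.x.x, so 172.233.57.39, like 194.165.16.73, is a public address.

```python
"""Scan Domoticz-style log lines for external connections and logins.

Added example for this thread, not Domoticz code. The sample log is constructed.
"""
from __future__ import annotations

import ipaddress
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample in the format quoted in the thread. The two public
# addresses are the ones quoted by costo; the 'Login successful' lines and
# the 10.0.0.5 entries are invented here to exercise the detector.
SAMPLE_LOG = """\
2024-02-04 19:23:21.793 Error: Error parsing http request address: ::ffff:172.233.57.39
2024-02-05 07:55:02.172 subtype = Interface Command
2024-02-05 07:55:02.172 Sequence nbr = 47
2024-02-05 07:55:02.172 Status: Incoming Domoticz connection from: 194.165.16.73
2024-02-05 07:55:03.004 Status: Login successful from 194.165.16.73 for user 'admin'
2024-02-05 08:10:11.500 Status: Incoming Domoticz connection from: ::ffff:10.0.0.5
2024-02-05 08:10:12.001 Status: Login successful from 10.0.0.5 for user 'admin'
"""

LINE_RE = re.compile(r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d{3}) (?P<msg>.*)$")
# Message patterns taken from the log lines quoted in the thread.
PATTERNS = (
    ("login", re.compile(r"Login successful from (?P<ip>\S+) for user '(?P<user>[^']*)'")),
    ("connection", re.compile(r"Incoming Domoticz connection from: (?P<ip>\S+)")),
    ("parse_error", re.compile(r"Error parsing http request address: (?P<ip>\S+)")),
)


def normalize(addr: str) -> ipaddress.IPv4Address | ipaddress.IPv6Address:
    """Parse an address and unwrap IPv4-mapped IPv6 (::ffff:a.b.c.d).

    An IPv4 peer accepted on a dual-stack IPv6 socket is reported in this
    form. Unwrap before classifying: in CPython before 3.13, ::ffff:0:0/96
    is on the IPv6 private list, so every mapped address, public or not,
    would come back as is_private == True and hide an external source.
    """
    ip = ipaddress.ip_address(addr.strip())
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        return ip.ipv4_mapped
    return ip


def is_local(addr: str) -> bool:
    """True for RFC 1918, loopback and link-local sources (and IPv6 equivalents)."""
    ip = normalize(addr)
    return ip.is_private or ip.is_loopback or ip.is_link_local


@dataclass
class Finding:
    ts: str
    kind: str          # 'connection', 'login' or 'parse_error'
    ip: str            # normalized source address
    local: bool        # True if the source is a private/local address
    user: Optional[str] = None


def scan(log: str) -> list[Finding]:
    """Extract every connection, login and address-parse event with its source."""
    findings: list[Finding] = []
    for raw in log.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        for kind, rx in PATTERNS:
            hit = rx.search(m.group("msg"))
            if hit:
                ip = str(normalize(hit.group("ip")))
                findings.append(Finding(m.group("ts"), kind, ip, is_local(ip),
                                        hit.groupdict().get("user")))
                break
    return findings


def external_logins(findings: list[Finding]) -> list[Finding]:
    """The event Kedi warns about: a successful login from a non-local address."""
    return [f for f in findings if f.kind == "login" and not f.local]


def external_connection_attempts(findings: list[Finding]) -> list[Finding]:
    """Connections and parse errors from non-local addresses (probes, not yet logins)."""
    return [f for f in findings if f.kind != "login" and not f.local]


if __name__ == "__main__":
    events = scan(SAMPLE_LOG)
    for f in events:
        print(f"{f.ts} {f.kind:12} {f.ip:16} {'local' if f.local else 'EXTERNAL'}"
              + (f" user={f.user}" if f.user else ""))
    for f in external_logins(events):
        print(f"ALERT: external login from {f.ip} as '{f.user}' at {f.ts}")
```

Run it against a real `domoticz.log` by passing the file contents to `scan()`; any result from `external_logins()` is the line Kedi describes, while `external_connection_attempts()` lists the probes that only reached the connection or parse-error stage.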

Re: Strange entry in my logfile

Posted: Monday 12 February 2024 11:16
by lost
costo wrote: Thursday 08 February 2024 18:55 Nothing essential is running on Domoticz or the RasPi. It has run like this for several years so I can monitor my system (and home) when I'm away.
Nothing essential, but you have the possibility to allow secure remote access. The Pi is in your LAN so it may be used to bounce to/compromise other elements... Or just to do bad things that will appear to come from you at first sight and may bring the police early one morning, behaving like wild boars in your home until they understand you're not the guilty one (IMO, for such a problem, this will take time and turn into a... very bad time for you and your relatives).

If you want to know better what these messages are for, as I don't see them on my secured setup: this is open source, so a white box. Download the source (preferably the version you use), do a recursive grep on some invariant part of the message (without what may be added by the logger or any variable element) and read the code around it to know whether this may be an issue or not (for now).