Domoticz

Hi,

I had a lot of false login requests on a Windows RDP server, and I mean A LOT!

So, I made something I'd like to share with all Domoticz users. How to use Domoticz to enable or disable access to that RDP server.

First I had to re-route the external address (port-forwarding in a Ziggo modem/firewall in my case) to the internal address from the RDP server to the Raspberry. So, the Raspberry will forward the RDP traffic (or not!) to the RDP server.

Remark: I run Domoticz on a Raspberry Pi 4 with the iptables firewall already installed and active. ??? google is your best friend!

A bin/bash script is needed to add or remove a few lines to the iptables (the rasbian firewall).

This is the script:
I saved the script to "/home/pi/scripts/setrdp.sh" and use chmod 755 on it.

In Domoticz:
Create hardware dummy
Add virtual sensor of type Switch

Open the switch properties and fill in the script "on" and "off" lines, like this:
script:///home/pi/scripts/setrdp.sh "ON"
script:///home/pi/scripts/setrdp.sh "OFF"

This is how it looks like:


At the end it looks simple but it took me a while to figure it out

Now, when I want to use the RDP I can enable it, and disable it when I am done!
Remark: I can disable it after the RDP connection is made. The firewall keeps my connection alive until I disconnect. So, very little up-time is needed.

If you have an FTP server or any other port you want to protect from the outside, you can do the same thing for that specific port.

Hopefully this is useful to others also.

Thanks for your script!

Another option is to install and use Wireguard and only have this port available for the outside world.
This is a very safe VPN and supported on kernel level.
You have a client for Windows/iOS/Android.
If you are using a Fritzbox for your ISP, you can enable Wireguard directly, else use a docker-compose setup, or natively on our raspberry pi.
Speed is also blazing fast!

No more need to open any other port for the outside world.... makes you feel a lot safer!

Exactly, every known port open to the internet gets a lot of hits.

Using a different port for rdp (like 32198 or so) will limit the amount of hits to almost zero.

But the suggestion gizmocuz makes is the better way to go escpeccially for protocols like ssh, rdp, vnc etc.

I do have WireGuard and it works very well indeed.
But I can not use that from every PC. At my work for example I am not allowed the install tools like that.

I also tried a high port number, but they find you anyways.

I use a telegram bot to talk to my Domoticz at home. Acces to my home from anywhere with internet. No need to use VPN, install wireguard etc. Only I do not have the Domoticz interface and graphs at hand.

I use this Python implementation https://github.com/waltervl/dynamicTelegramBot
But on the wiki there is also a Lua implementation.

Andreotti wrote: Monday 27 October 2025 14:16 I do have WireGuard and it works very well indeed.
But I can not use that from every PC. At my work for example I am not allowed the install tools like that.

I also tried a high port number, but they find you anyways.

I used to have (years ago before I used a vpn) an ssh port open on not sure wat port anymore. Because I logged everything I would have seen a hit. I never saw any hits on that port. Searching 65535 ports on a system you do not know is interesting will not be done a lot. Even shodan never reports such a port on my system.

But I agree not real secure.

Everyone, do as you please.
I am happy with my solution!