nginx with port 80 disabled and this SSL config and certs from your own private CA.. careful to setup your server certs for nginx, use the subjectAltName and put local hostnames and remote hostnames (if there different) all in the same certificate so nobody throws a hostname mismatch error. example: sprinklers sprinklers.local myhome.dynip.org
ssl_verify_client required;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers HIGH:!aNULL:!MD5:!DSS:!RC4;
ssl_prefer_server_ciphers on;
You use apple’s enterprise iPhone configuration utility to distribute client certificates to apple devices.. you really only need just one but you can create em for each device and revoke any later that get stolen instead of re-keying everything.
Then apt-get install firehol firewall and edit firehol.conf to this:
interface eth0 internet
server ssh accept
server https accept
client all accepttest it out by running: firehole enable and if all works out edit /etc/default/firehol to enable the firewall permanently (make sure u can ssh in at least, a remote portscan is the best to verify only SSH/HTTPS are open). I’d also suggest at this point putting /var/log in a tmpfs filesystem because the firewall may generate a bit of logs; a Pi/Bone really should be using a remote logging server for permanent logs to get the writes down.
Then you’ll configure nginx to proxy to localhost:8080 except for /mobile path which you’ll run php-fpm for the mobile app out of your user folder.. lookup how to do this im not doing it all for you heh.
Also change your SSHD configuration to only allow SSH keys or at least install fail2ban
When all is said and done your OSPi/OSBo will be about as secure as you can get it from network intrusion; the weakest point will be how secure you keep your CA and the devices them selves with the client certificates.
With this setup any device with a client certificate installed will be able to connect to the sprinklers; everyone else will be rejected.. for most devices once you connect the first time and select the cert you will never be prompted or bothered again. This really cant be brute forced and unless some very critical vurnability pops up in TLS or SSH there’s no other way in; also no fighting with your wife about using your pets name for her password.
This setup would be entirely safe to expose to the internet through a portforward, putting it in a DMZ, or even giving it a static routable IP, you could obscure the HTTPS port externally by running it on a random high port > 20k outside of your router if doing a portforward, but obfuscation is mostly theatre imho, run it on 443 if you dont want to be stuck across country; hear of a deep freeze back home on facebook and not being able to remember the damn port # to shutdown sprinklers.
*edit*
For additional hardening put /var/apt/cache in a tmpfs and configure automatic updates for your operating system, that’ll keep security updates applied and not wear out your storage: https://wiki.debian.org/UnattendedUpgrades
Also if your going through all this trouble to create and distribute client certs you might as well run radius somewhere (perhaps on your Opensprinkler even) and reconfigure your WiFi in the only secure method left; with Enterprise WPA & EAP-TLS.