OpenSprinkler Forums Hardware Questions OpenSprinkler Pi (OSPi) Secure internet access to OSPi

  • #22808

    alanwbaker
    Participant

    First, a big thank you to the folks who have made OSPi available to everyone–the hardware and software are impressive and I’m very pleased with my installation. It was fun except for digging the trench for the sprinkler wire. 😉 We Californians are in a drought and will probably see watering restrictions soon. OSPi makes it easier to do this, but I travel and I want to control my OSPi from the internet.

    In preparation for controlling my OSPi while traveling I have done the following…

    • Enabled the hardware watchdog to reboot if something goes horribly wrong
    • Replaced default passwords with strong passwords
    • Automation and bulletproofing
    • Opened ports for just web and SSH in the firewall and router

    Internet security issues are (fairly well) managed in the traditional client/server environment, but in the Internet of Things we need to consider the same issues. For example…

    • Web password is sent in the clear. Can https be used instead (e.g. nginx proxy)?
    • No password is required to view configuration. Could front-end password authentication be added?
    • If my web password is hacked (inconceivable 😉 ), what in the pi environment is actually exposed?
    • Does OSPi’s web server have software vulnerabilities that could be exploited?

    Clearly I have more questions than answers at this point, so please share your ideas and maybe we can find solutions together.

    Alan

    #26336

    Michael
    Member

    What I do is simply enable and configure the easy-to-use built-in VPN server on my router (Asus RT-N66U). With an encrypted connection between the router and client you are safe and don’t have to worry about encrypting all your home automation (assuming you use security on your home wifi). Almost all smart phones and computers have a built-in PPTP client. Just remember to use encryption.

    Otherwise, if you use Samer’s mobile web app configured on your RPi using https you should also be better off than going directly to the interval program with http. This way the only unencrypted http traffic will be confined within the localhost. But this is more to configure.

    Even if you just use the VPN option above, the mobile app will also make life much nicer because it is formatted well for the mobile environment.

    #26338

    nayr
    Participant

    x2 for VPN, it also makes open wireless networks much more secure and you can bypass hotspot content filtering…

    #26339

    alanwbaker
    Participant

    It all comes down to whom you trust. And the truly paranoid (like me 😉 ) wonder whether the proprietary VPN software is secure. Vendors always say, “Trust me”, but (for example) the Asus RT-N66U is a poster child for unearned trust. See http://arstechnica.com/security/2014/02/dear-asus-router-user-youve-been-pwned-thanks-to-easily-exploited-flaw/.

    I trust OpenSSH so for now I do the following:

    • Forward one port from the router to the pi for SSH
    • Use SSVNC on the client and TightVNC on the pi to access the pi’s desktop through the SSH tunnel
    • Run the interval program via Chromium web browser on the pi’s desktop

    It took a little setup but it works smoothly. Maybe someday the ospi code will be secured.

    #26340

    Samer
    Keymaster

    This is what I used before I bought dedicated gear to handle my VPN access; it allowed me to use the iOS native VPN feature. Basically, you set up a VPN server on your Pi and open the port for the VPN. Then you enter the VPN credentials on the client and you are good to go!

    Below is a step-by-step guide for Ubuntu, also tested on Debian. The Pi is based on Debian so this should work fairly well, although I haven’t tested on the specific Raspberry Pi distribution.

    Guide: http://ubuntuforums.org/showthread.php?t=1645473

    #26341

    nayr
    Participant

    if you want to be truly paranoid, I use another beagle with a static IP and Nginx web server to reverse proxy OpenSprinkler externally over SSL and then use the same TLS Client certificates I use for Wired/WiFi authentication (EAP-TLS) to authenticate with the web server and allow my home automation interface to load; which includes OpenSprinkler.. now all my devices silently authenticate regardless of whether they’re home or away without any extra setup.. no password prompts and no brute forcing; you’ve got to steal my client cert to have a shot.

    Might add the above solution is Wife approved since she doesn’t even know what’s going on, but she did ask me.. “Our cameras have passwords on them right!?” when she noticed they loaded without a prompt.

    OpenSprinkler (Bone) has a local firewall running that only responds to my Automation Server; without knocking my automation server out and replacing it with a fake, which will throw errors everywhere, there is no way around the cert auth locally.. This is about as secure as you could hope to get OpenSprinkler.. I guess I could run SSL on the open sprinkler and do Client TLS auth on the proxy side too but I am not too worried about physical attack.. if you’re in my garage I’ve got bigger problems than hacking my sprinklers.. my automation server is in the most secure location in the house and always locked in a cabinet in a locked server room, all switch ports require TLS auth or put you on the free wifi network… you wanna start getting paranoid here or what?

    but setting up a VPN is much easier; and if you can’t trust an open source VPN implementation you might as well unplug your internet and toss your wireless access points in the trash.

    #26337

    Dan in CA
    Participant

    For the truly paranoid here are some links that may be of interest:

    1. A step-by-step tutorial on making your Pi secure.
    http://mattwilcox.net/archives/setting-up-a-secure-home-web-server-with-raspberry-pi/

    2. An easy introduction to cryptography. Check out the video, you’ll be amazed!
    https://www.crypto101.io/

    3. A VPN service with free accounts:
    https://proxpn.com/

    I also have been using nginx as a reverse proxy and find it works really well but I think there is more that needs to be done. I’m not sure if an attacker gains access to your Pi what else on your network could be vulnerable.

    I’m also looking into using Tor:
    https://www.torproject.org/
    It runs on the Pi. The only cost is allowing some of your internet bandwidth to be used as part of the tor network. The amount used is controllable.

    Dan

    #26342

    nayr
    Participant

    nginx with port 80 disabled and this SSL config and certs from your own private CA.. be careful when setting up your server certs for nginx: use the subjectAltName and put local hostnames and remote hostnames (if they’re different) all in the same certificate so nobody throws a hostname mismatch error. example: sprinklers sprinklers.local myhome.dynip.org


    ssl_verify_client required;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers HIGH:!aNULL:!MD5:!DSS:!RC4;
    ssl_prefer_server_ciphers on;

    You use apple’s enterprise iPhone configuration utility to distribute client certificates to apple devices.. you really only need just one but you can create them for each device and revoke any later that get stolen instead of re-keying everything.

    Then apt-get install firehol firewall and edit firehol.conf to this:

    interface eth0 internet
    server ssh accept
    server https accept
    client all accept

    test it out by running: firehol enable and if all works out edit /etc/default/firehol to enable the firewall permanently (make sure you can ssh in at least, a remote portscan is the best way to verify only SSH/HTTPS are open). I’d also suggest at this point putting /var/log in a tmpfs filesystem because the firewall may generate a bit of logs; a Pi/Bone really should be using a remote logging server for permanent logs to get the writes down.

    Then you’ll configure nginx to proxy to localhost:8080 except for the /mobile path, which you’ll run php-fpm for the mobile app out of your user folder.. look up how to do this, I’m not doing it all for you heh.
    Also change your SSHD configuration to only allow SSH keys or at least install fail2ban

    When all is said and done your OSPi/OSBo will be about as secure as you can get it from network intrusion; the weakest point will be how secure you keep your CA and the devices themselves with the client certificates.

    With this setup any device with a client certificate installed will be able to connect to the sprinklers; everyone else will be rejected.. for most devices once you connect the first time and select the cert you will never be prompted or bothered again. This really can’t be brute forced and unless some very critical vulnerability pops up in TLS or SSH there’s no other way in; also no fighting with your wife about using your pet’s name for her password.

    This setup would be entirely safe to expose to the internet through a portforward, putting it in a DMZ, or even giving it a static routable IP. You could obscure the HTTPS port externally by running it on a random high port > 20k outside of your router if doing a portforward, but obfuscation is mostly theatre imho; run it on 443 if you don’t want to be stuck across country, hear of a deep freeze back home on facebook and not be able to remember the damn port # to shut down the sprinklers.

    *edit*
    For additional hardening put /var/apt/cache in a tmpfs and configure automatic updates for your operating system, that’ll keep security updates applied and not wear out your storage: https://wiki.debian.org/UnattendedUpgrades

    Also if you’re going through all this trouble to create and distribute client certs you might as well run radius somewhere (perhaps on your OpenSprinkler even) and reconfigure your WiFi in the only secure method left; with Enterprise WPA & EAP-TLS.
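    The private CA, SAN-bearing server cert and per-device client cert that the nginx setup above relies on, as an added example (not from the thread or the OpenSprinkler project) using only the openssl CLI. The hostnames are the ones from the post; the OUT directory, validity, subject names and the PKCS#12 password are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: build the private CA, server cert and
# per-device client cert that the nginx client-TLS setup above needs, using
# only the openssl CLI. Hostnames are the ones from the post; OUT, DAYS,
# subject names and the PKCS#12 password are assumptions.
set -e
OUT=${OUT:-./pki}
DAYS=${DAYS:-3650}
SERVER_SANS="DNS:sprinklers,DNS:sprinklers.local,DNS:myhome.dynip.org"

make_ca() {
    mkdir -p "$OUT"
    # The CA key is the weakest point of the whole setup: keep it off the Pi.
    openssl genrsa -out "$OUT/ca.key" 2048 2>/dev/null
    openssl req -x509 -new -key "$OUT/ca.key" -days "$DAYS" -sha256 \
        -subj "/CN=Home Sprinkler CA" -out "$OUT/ca.crt"
}

make_server_cert() {
    # Every name the box is reached by goes into subjectAltName, so no
    # browser raises a hostname mismatch whether you are home or away.
    openssl genrsa -out "$OUT/server.key" 2048 2>/dev/null
    openssl req -new -key "$OUT/server.key" -subj "/CN=sprinklers" \
        -out "$OUT/server.csr"
    printf 'subjectAltName=%s\nextendedKeyUsage=serverAuth\n' "$SERVER_SANS" \
        > "$OUT/server.ext"
    openssl x509 -req -in "$OUT/server.csr" -CA "$OUT/ca.crt" \
        -CAkey "$OUT/ca.key" -CAcreateserial -days "$DAYS" -sha256 \
        -extfile "$OUT/server.ext" -out "$OUT/server.crt"
}

make_client_cert() {
    # One cert per device, so a stolen phone is revoked without re-keying.
    name=$1
    openssl genrsa -out "$OUT/$name.key" 2048 2>/dev/null
    openssl req -new -key "$OUT/$name.key" -subj "/CN=$name" \
        -out "$OUT/$name.csr"
    printf 'extendedKeyUsage=clientAuth\n' > "$OUT/client.ext"
    openssl x509 -req -in "$OUT/$name.csr" -CA "$OUT/ca.crt" \
        -CAkey "$OUT/ca.key" -CAcreateserial -days "$DAYS" -sha256 \
        -extfile "$OUT/client.ext" -out "$OUT/$name.crt"
    # PKCS#12 is the bundle phones import; the password here is a placeholder.
    openssl pkcs12 -export -inkey "$OUT/$name.key" -in "$OUT/$name.crt" \
        -certfile "$OUT/ca.crt" -passout pass:changeme -out "$OUT/$name.p12"
}

# Checks worth running before copying anything to nginx or a phone.
verify_chain() { openssl verify -CAfile "$OUT/ca.crt" "$OUT/$1" >/dev/null; }
has_san() { openssl x509 -in "$OUT/server.crt" -noout -text | grep -q "DNS:$1"; }

make_ca
make_server_cert
make_client_cert alans-phone
verify_chain server.crt && verify_chain alans-phone.crt && has_san sprinklers.local
```

    ca.crt goes to nginx as the ssl_client_certificate, server.crt/server.key as ssl_certificate/ssl_certificate_key, and the .p12 is what you import on each phone.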

    #26343

    nayr
    Participant

    redux, simpler if you’re not willing to do the Client TLS cert thing.. I know not everyone will be, so you can also do this which is simpler and nearly as effective, still secure enough to expose to the internet. If you’re up to the challenge though give my above suggestion a try.

    Use apache reverse proxy on 443 to localhost:8080, install firehol and fail2ban like above and edit fail2ban’s filter.conf and enable the default apache rules which should drop anyone who tries to brute force your web server.
    You can also use nginx which I would recommend but you’ll have to find the nginx-auth filters online and setup fail2ban manually.. Lighttpd will not work as it does not log failed auth attempts 🙄

    Then use the apache auth mechanism to password protect your webroot and use damn strong passwords…

    Also test out fail2ban make sure your sprinklers drop all your packets for 5mins or so if you enter too many incorrect passwords..

    The weakest point of this setup will be your username/password and maybe a man in the middle attack if your cert isn’t trusted, brute forcing will be effectively stopped when the OSpi/OSBo stops responding.

    You have to have your own external domain but you can get Trusted Signed SSL Certificates for Free Personal use from http://StartSSL.com, I’d recommend opening port 80 and running a redirect rule to your https FQDN (search Apache force SSL) this way you can type its local hostname into the browser and it will automatically connect you to the https://fqdn without a host error.. For dynamic IP users what you can do is set up sprinklers.yourdomain.com to be a cname for yourhome.dynip.org or something like that and get the cert for sprinklers.yourdomain.com

    Here is an apache config to get you started, you’ll have to create the htpasswd file and certificate files, also correct the path to the mobile controller.


    <VirtualHost *:443>
    # The <VirtualHost>, <Proxy> and <Location> container lines were lost in the
    # forum rendering; they are restored here in the standard Apache 2.2 layout.
    ServerName OpenSprinkler
    ProxyRequests Off
    ProxyVia Off

    <Proxy *>
    Order deny,allow
    Allow from all
    </Proxy>

    ProxyPass / http://localhost:8080
    ProxyPassReverse / http://localhost:8080

    <Location />
    Order allow,deny
    Allow from all
    AuthName "Access Restricted"
    AuthType Basic
    AuthUserFile "/etc/apache2/.htpasswd"
    Require valid-user
    </Location>

    Alias /mobile /home/username/OpenSprinkler-Controller
    LogLevel info
    CustomLog /var/log/apache2/access.log combined
    ErrorLog /var/log/apache2/error.log
    SSLEngine on
    SSLCertificateFile /etc/apache2/server.crt
    SSLCertificateKeyFile /etc/apache2/server.key
    # SSLv3 and RC4 are the 2014 defaults quoted here; current deployments disable both.
    SSLProtocol -ALL +SSLv3 +TLSv1
    SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:!LOW:!SSLv2:!EXPORT
    </VirtualHost>

    By the way I am a Security Engineer by trade 😉

    If you’re wanting to use the native mobile app I’d suggest installing a VPN setup because while it might work over a https connection I doubt it’ll work with username:password@hostname:443, at least I haven’t tested it.. yet 🙂

    #26344

    Samer
    Keymaster

    Just to add onto the last solution offered. You can stack the HTTPS authentication with two factor methods. Google offers their 2factor authentication as a plugin for Apache: https://code.google.com/p/google-authenticator-apache-module/

    It uses the basic auth input however the password is the 2 factor pass. To make it truly 2 factor, the code goes after your password in the same input.

    Also it would work with user:pass@host:port 🙂

    #26345

    nayr
    Participant

    Well I just setup Nginx exactly as I described, there were a few more steps so I documented it all @ http://rayshobby.net/mediawiki/index.php?title=Secure_Remote_Access


    $ nmap sprinklers -PnA

    Starting Nmap 6.40-2 ( http://nmap.org ) at 2014-04-06 16:14 MDT
    Nmap scan report for sprinklers (192.168.4.70)
    Host is up (0.0026s latency).
    rDNS record for 192.168.4.70: sprinklers.galileo.nayr.net
    Not shown: 997 filtered ports
    PORT STATE SERVICE
    22/tcp open ssh
    80/tcp open http
    443/tcp open https

    Nmap done: 1 IP address (1 host up) scanned in 6.28 seconds

    I’ll be working more on that; it’s ugly and just a first draft full of notes.

    I tested the iPhone app and unfortunately it would not connect with an ip of: username:password@hostname:443, perhaps it’s possible to get it to work but I think we’re going to need Sal’s assistance.
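    Two checks a practitioner would script for the setups in this thread, as an added example (not from the thread): comparing an nmap report like the one quoted above against the ports the hardened box is meant to expose, and probing that the proxy gate in front of the interval program refuses anonymous requests. The allowlist and the extra 8080 sample line are constructed assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: check an nmap report against the ports
# the hardened OSPi is meant to expose, as the remote portscan advice above
# suggests, and probe that the proxy demands credentials. The sample input is
# the scan output quoted in the thread plus one constructed line; the
# allowlist is an assumption (22 ssh, 80 redirect only, 443 https).
ALLOWED="22 80 443"

# open_ports: stdin = nmap output; prints each open TCP port number.
open_ports() {
    awk '/^[0-9]+\/tcp[[:space:]]+open/ { split($1, p, "/"); print p[1] }'
}

# unexpected_ports: stdin = nmap output; prints open ports not in ALLOWED.
unexpected_ports() {
    open_ports | while read -r port; do
        case " $ALLOWED " in
            *" $port "*) ;;            # expected, say nothing
            *) echo "$port" ;;         # anything else is a leak to investigate
        esac
    done
}

# check_scan: return 0 when nothing unexpected is open, 1 otherwise.
check_scan() {
    extra=$(unexpected_ports | tr '\n' ' ')
    if [ -n "$extra" ]; then
        echo "unexpected open ports: $extra" >&2
        return 1
    fi
}

# auth_required: return 0 when an anonymous HTTPS request is refused, i.e. the
# basic-auth gate (401) or client-cert gate (nginx answers 400) is live.
# Needs curl and a reachable host; -k only because the cert is from a private CA.
auth_required() {
    code=$(curl -sk -o /dev/null -w '%{http_code}' "https://$1/")
    [ "$code" = "401" ] || [ "$code" = "400" ]
}

# Constructed sample: the nmap lines quoted in the thread, then the same scan
# with the interval program's own port leaking through the firewall.
SAMPLE_OK='PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
443/tcp open https'
SAMPLE_BAD="$SAMPLE_OK
8080/tcp open http-proxy"

printf '%s\n' "$SAMPLE_OK" | check_scan && echo "sample scan: only expected ports open"
```

    For a real check run `nmap -Pn -p- yourhost | check_scan` from outside your network, since a scan from the LAN also sees whatever firehol only blocks on the internet interface.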

    #26346

    Samer
    Keymaster

    I found out why the username:password combination doesn’t work and will add that to the list of things to fix for the upcoming release. Thanks for the heads up!

    #26347

    nayr
    Participant

    any chance of getting an option for the hosted controller that makes it easy to disable login all together? Once you have locked it down like this it seems kinda painful to keep entering passwords for little reason.

    Getting the mobile apps to work behind a password protected proxy will be great.. I’ll try Client TLS tomorrow when I can get some time on the phone, if it’s using the safari backend it has no problem logging into my client-tls authenticated web servers.

    #26348

    Samer
    Keymaster

    The JS mobile app has no authentication scheme. So no worries on that end

    #26349

    Dan in CA
    Participant

    Fantastic!!

    Thanks to nayr for providing the expertise on a really secure setup and documenting it on the wiki. This kind of contribution is what makes this project so very rewarding.

    Dan

    #26350

    Samer
    Keymaster

    @nayr I did more testing and the username:password@host:port does in fact work. Can you explain your setup more? Is it the one described above? Which app are you using where?

    Update: I think it is in fact SSL related since I have hardcoded http:// (because the app is served from file:// so relative paths don’t work). I will see what I can do to remedy this.

    #26351

    nayr
    Participant

    I will test again and report back; IIRC I was using nginx w/SSL & password auth like my wiki.. I’ll try it w/out SSL and see if I have any better luck.

    #26353

    pierantonio
    Participant

    Hello nayr, I followed your nginx guide for securing OSPi, but when I enable firehol I can’t access the web page. I use the interval program on port 8080.
    What’s wrong?
    I have a domain with dyndns.org; in my router port 8080 is open because port 80 is busy with another service.
    If I disable firehol it works perfectly, but it did not warn about any SSL certs? Is that correct? I use Safari, but it is the same with Firefox.
    I’m a newbie in security, sorry for my questions..
    Can you help me?
    Thanks, bye..

    #26352

    nayr
    Participant

    can you connect to https directly? port 80 in my example just redirects to https on port 443 and nothing else.

    You want to port forward 443 to your OpenSprinkler and connect to https://yourdomain.dyndns.org

    Firehol shuts down access on port 8080 and forces you to use 443 w/SSL; if you trust your local network (wifi?) and only forward https to the OSpi/OSbo that is optional.. if it’s in a DMZ then you want to enable firehol.

    Also with the new heartbleed bug everyone has heard about make sure you update from the repos, as you can see nothing is invincible but now that its public large botnets are looking for it.

    #26354

    pierantonio
    Participant

    Hello nayr, thanks for your reply.
    At the moment I have set up firehol.conf and port 8080 is open and also 443.
    In my case I use dyndns.org; my router forwards port 8080 to the OSPi.
    I have now also opened port 443 on the router but I have not yet tried whether it works.
    I created the 3 certificates and put them in their folders, but I don’t understand whether it is correct.
    Must the certificates be created in a special way? I used the command line to create them with the command openssl genrsa -des3 etc..
    My OSPi is connected by ethernet cable, not wifi.
    Thanks again, bye

    #26355

    Michael
    Member

    @alanwbaker wrote:

    It all comes down to whom you trust. And the truly paranoid (like me 😉 ) wonder whether the proprietary VPN software is secure. Vendors always say, “Trust me”, but (for example) the Asus RT-N66U is a poster child for unearned trust. See http://arstechnica.com/security/2014/02/dear-asus-router-user-youve-been-pwned-thanks-to-easily-exploited-flaw/.

    Thanks Alan… Interesting article, but I was specifically referring to, and use, the standard PPTP VPN service in the router. The vulnerability referenced here is related to their proprietary AICloud service, where you turn a locally connected USB drive on the router into internet-accessible storage with their service. I don’t use that and it is not applicable to the VPN server or any OSPi implementation. A lot of routers have the PPTP VPN server built in, along with any Windows PC, or you can install it on the RPi as described in this thread.

    #26356

    Samer
    Keymaster

    @nayr I just finished adding SSL support into my mobile app and it also supports HTTP basic authorization. This should work perfectly with your proxy setup. I am using it with an Apache ProxyPass directive over SSL and Basic auth and it is working great!

    The 401 status code cannot be detected on async AJAX calls with a timeout (because on mobile the authorization box is hidden but open until the timeout hits). Therefore, automatic redirection to the authorization prompt is impossible. A user may type user:pass@ip:port in the IP box, however the user/pass becomes unnecessarily exposed. So I added a collapsible box with advanced options showing ssl and authorization (independent checkboxes). If you specify use authorization, a follow-up popup will show for the credentials.

    I will post back here once the apps are in the respective app stores with these features. Thanks for the motivation to secure things a bit!

    #26357

    Samer
    Keymaster

    The apps supporting the above features are out now and I am wondering if anyone has had any success connecting over a proxy using SSL and Basic Auth with the mobile app.

    Thanks!

    #26358

    nayr
    Participant

    I just got a new droid today and tested that SSL + Auth does work wonderfully with Nginx sitting in front of the python interval program.. haven’t tried iphone; my wife doesn’t let me mess with it often 😆

    #26359

    Samer
    Keymaster

    Awesome, thank you for letting me know!

    Update: Haha, well don’t bother until the next version (likely this weekend) because the one now uses user:pass@ip:port in the request however 1.0.12 (current Android version) just puts it in the header. This prevents double requests (first one denied) and multiplied by 5 caused timeout issues on iOS. This only happened on cellular networks but it was annoying until I figured it out.
