Forum Replies Created
nayr (Participant): I'm a freaking moron; found it.. Rainsense: no rain on the first damn page… nevermind 🙄
*edit* Turns out my sensor was faulty; I've learned this lesson before but it never sticks.. always bench test it before climbing around and routing wires 😉
nayr (Participant): Well I just set up Nginx exactly as I described, there were a few more steps so I documented it all @ http://rayshobby.net/mediawiki/index.php?title=Secure_Remote_Access
(attachment: Screenshot 2014-04-06 16.00.54.png)
$ nmap sprinklers -PnA
Starting Nmap 6.40-2 ( http://nmap.org ) at 2014-04-06 16:14 MDT
Nmap scan report for sprinklers (192.168.4.70)
Host is up (0.0026s latency).
rDNS record for 192.168.4.70: sprinklers.galileo.nayr.net
Not shown: 997 filtered ports
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
443/tcp open https
Nmap done: 1 IP address (1 host up) scanned in 6.28 seconds
I'll be working more on that; it's ugly and just a first draft full of notes.
I tested the iPhone app and unfortunately it would not connect with an IP of: username:password@hostname:443, perhaps it's possible to get it to work but I think we're going to need Sal's assistance.
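As an added example (not part of nayr's post and not OpenSprinkler project code), a small POSIX shell check that parses a saved nmap text report like the one above and flags any open TCP port outside the set the firewall is meant to expose. The first report below is a constructed copy of the scan quoted in the post; the second is a constructed report where an extra port 8080 (the interval program's own listener) has leaked past the firewall. The allowed-port list is an assumption matching the post's setup, with port 80 on it only because the post keeps it for the redirect to https.

```shell
#!/bin/sh
# Added example, not code from the forum post: compare the open ports in an nmap text
# report with the set of ports the firewall is supposed to expose.
set -eu

ALLOWED_PORTS="22 80 443"   # assumed policy: SSH, HTTP->HTTPS redirect, HTTPS

# Constructed sample reports (the first mirrors the scan quoted in the post).
SCAN_OK='Starting Nmap 6.40-2 ( http://nmap.org ) at 2014-04-06 16:14 MDT
Nmap scan report for sprinklers (192.168.4.70)
Host is up (0.0026s latency).
Not shown: 997 filtered ports
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
443/tcp open https
Nmap done: 1 IP address (1 host up) scanned in 6.28 seconds'

SCAN_BAD='Nmap scan report for sprinklers (192.168.4.70)
Not shown: 996 filtered ports
PORT STATE SERVICE
22/tcp open ssh
443/tcp open https
8080/tcp open http-proxy
Nmap done: 1 IP address (1 host up) scanned in 6.31 seconds'

# open_ports: read an nmap report on stdin, print the number of every open TCP port
open_ports() {
    awk -F/ '$1 ~ /^[0-9]+$/ && $2 ~ /^tcp +open/ { print $1 }'
}

# unexpected_ports: print open ports that are not in ALLOWED_PORTS; exit 1 if any exist
unexpected_ports() {
    open_ports | awk -v allowed="$ALLOWED_PORTS" '
        BEGIN { bad = 0; n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        !($1 in ok) { print $1; bad = 1 }
        END { exit bad }'
}

# demo run over the two constructed reports
printf '%s\n' "$SCAN_OK" | unexpected_ports && echo "scan 1: only expected ports open"
printf '%s\n' "$SCAN_BAD" | unexpected_ports || echo "scan 2: unexpected ports listed above"
```

Run the scan from outside the home network (the post's own advice), save the output to a file, and feed it to unexpected_ports; a non-zero exit is the signal that the firewall rules or a port forward drifted from the intended SSH/HTTPS-only policy.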
nayr (Participant): I'll do it in Dan's interval plugin API then, that's fine; it'll definitely be easier to maintain since you're trying to merge the Native/Mobile code.
April 6, 2014 at 8:13 pm in reply to: sprinklers_pi – An alternative sprinkler control program #25079
nayr (Participant): Might take your microcontroller out, power up the OSboard and test that there is power on the other side of the triacs; if so it could be a signaling problem.. Check the Pi next all by itself and make sure it's outputting a signal on the GPIO pins for the OpenSprinkler.
If you get no power on the other side of the triac then keep trying to trace it further up the schematics to see if there is a bad component on your OSBoard.
nayr (Participant): I've been thinking of cooking up a set of boards based upon your design, expanding some of the functionality.. and this is what I've planned to change so far, but if you want to implement any of these then go for it..
SuperCAP instead of Battery for RTC so it never needs replacing.
A more powerful 5v supply (2A perhaps) and a set of headers available for 5v out, can then solder jumper wire with a barrel plug onto it and have it power a small USB hub.. this will help people with powerful WiFi USB chips and/or those who want to connect several USB devices without any reliability/stability issues.
Header for a TMP36 Temperature Sensor on the board; maybe included so we can monitor system temperature if installed in a Greenhouse etc.
A PTC Fuse instead.
Signal Converter so we can plug some analogue sensors in and not worry about the input voltage.
Circuitry to cut off the external 5v rail to the Microcontroller if it's powered externally/USB so people can troubleshoot bad power supplies.
AC in with Ground, Microcontroller ground tied in so any ESD coming in the sprinkler control lines does not try to go out ethernet/USB, also helps cut down on RF interference.. my Elk power supply has a ground it'd be nice to use.
I also want to add a few serial ports for Atlas Scientific Sensor stamps: https://www.atlas-scientific.com/embedded.html but this is more for my own project where I am attempting to maintain pH and TDS automatically and getting it all into the footprint might mean I sacrifice some other circuitry.. but this could also be done via USB conveniently if I can power a hub from the board. (Bluetooth or FT232)
Thanks Ray for the project; I wish I had found it before I had a year of circuit designs and prototypes made up :geek:
nayr (Participant): Also a wish list for features; I dug through your code and it looks like you could implement it very easily; I was planning on doing it with the new Python API but it'd be better to have it in the GUI and you already have the current temperature available when you do a weather check.
I live in Colorado and we have random snow storms all the way into deep spring; I have to be prepared to bring stuff in past Mother's Day.. What would be very nice is a configurable minimum temperature to check for a weather delay; for example if it's 3am and internet weather says it's under 40 degrees then trigger a delay (which I have set to 17h) and try again in the evening, and it's been removed because it's warmer than 40 degrees.. Weather can be sunny and clear but still near or below freezing. So far this week it worked great when the forecast said snow; was quite pleased with how smart it is.
I am using a freeze sensor but that's kinda hardset and I like to think of it as redundancy just in case internet is down or the sensor fails… My whole story behind getting this was last September I was in Oregon when an ice storm hit Metro Denver and I had to call my house sitter over in the ice storm and have him shut off sprinklers… I'd like to avoid that automatically if possible, it'll help those w/out freeze sensors and the redundancy will keep my mind at ease when I'm a thousand miles away without internet access.
nayr (Participant): Redux, simpler if you're not willing to do the Client TLS cert thing.. I know not everyone will be, so you can also do this which is simpler and nearly as effective, still secure enough to expose to the internet. If you're up to the challenge though, give my above suggestion a try.
Use apache reverse proxy on 443 to localhost:8080, install firehol and fail2ban like above and edit fail2ban's filter.conf and enable the default apache rules which should drop anyone who tries to brute force your web server.
You can also use nginx which I would recommend but you'll have to find the nginx-auth filters online and set up fail2ban manually.. Lighttpd will not work as it does not log failed auth attempts 🙄
Then use the apache auth mechanism to password protect your webroot and use damn strong passwords…
Also test out fail2ban, make sure your sprinklers drop all your packets for 5mins or so if you enter too many incorrect passwords..
The weakest point of this setup will be your username/password and maybe a man in the middle attack if your cert isn't trusted; brute forcing will be effectively stopped when the OSpi/OSBo stops responding.
You have to have your own external domain but you can get Trusted Signed SSL Certificates for free personal use from http://StartSSL.com. I'd recommend opening port 80 and running a redirect rule to your https FQDN (search Apache force SSL); this way you can type its local hostname into the browser and it will automatically connect you to the https://fqdn without a host error.. For dynamic IP users what you can do is set up sprinklers.yourdomain.com to be a CNAME for yourhome.dynip.org or something like that and get the cert for sprinklers.yourdomain.com
Here is an apache config to get you started; you'll have to create the htpasswd file and certificate files, also correct the path to the mobile controller.
<VirtualHost *:443>
    ServerName OpenSprinkler
    # reverse proxy only (no forward proxying), and don't advertise Via headers
    ProxyRequests Off
    ProxyVia Off
    <Proxy *>
        Order deny,allow
        Allow from all
    </Proxy>
    # exclusion must come before the catch-all, otherwise /mobile is proxied instead of served by the Alias below
    ProxyPass /mobile !
    ProxyPass / http://localhost:8080/
    ProxyPassReverse / http://localhost:8080/
    # Basic auth in front of everything, the proxied interval program included
    <Location />
        Order allow,deny
        Allow from all
        AuthName "Access Restricted"
        AuthType Basic
        AuthUserFile "/etc/apache2/.htpasswd"
        Require valid-user
    </Location>
    Alias /mobile /home/username/OpenSprinkler-Controller
    LogLevel info
    CustomLog /var/log/apache2/access.log combined
    ErrorLog /var/log/apache2/error.log
    SSLEngine on
    SSLCertificateFile /etc/apache2/server.crt
    SSLCertificateKeyFile /etc/apache2/server.key
    SSLProtocol -ALL +SSLv3 +TLSv1
    SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:!LOW:!SSLv2:!EXPORT
</VirtualHost>
By the way I am a Security Engineer by trade 😉
If you're wanting to use the native mobile app I'd suggest installing a VPN setup because while it might work over a https connection I doubt it'll work with username:password@hostname:443, at least I haven't tested it.. yet 🙂
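As an added example (not nayr's code and not part of fail2ban or OpenSprinkler), the check that fail2ban's apache-auth filter performs, done by hand in POSIX shell over a few constructed Apache 2.2 error-log lines so the per-IP counting and the retry threshold can be seen and tested. The log lines, the client addresses (documentation ranges) and the MAXRETRY value are all made up for this example.

```shell
#!/bin/sh
# Added example, not code from the forum post: count failed Basic-auth attempts per
# client IP in Apache error_log lines and list every IP at or above MAXRETRY, which
# is the set fail2ban would hand to the firewall (firehol in the post's setup) for a
# temporary drop.
set -eu

MAXRETRY=5   # assumed jail setting for this example

# Constructed log lines in the Apache 2.2 error_log format the post's setup writes.
SAMPLE_LOG='[Sun Apr 06 16:14:01 2014] [error] [client 203.0.113.5] user admin: authentication failure for "/": Password Mismatch
[Sun Apr 06 16:14:02 2014] [error] [client 203.0.113.5] user admin: authentication failure for "/": Password Mismatch
[Sun Apr 06 16:14:03 2014] [error] [client 203.0.113.5] user root not found: /
[Sun Apr 06 16:14:04 2014] [error] [client 203.0.113.5] user admin: authentication failure for "/": Password Mismatch
[Sun Apr 06 16:14:05 2014] [error] [client 203.0.113.5] user admin: authentication failure for "/": Password Mismatch
[Sun Apr 06 16:14:09 2014] [error] [client 198.51.100.7] user nayr: authentication failure for "/mobile/": Password Mismatch
[Sun Apr 06 16:14:20 2014] [notice] caught SIGTERM, shutting down'

# failed_auth_counts: read error_log lines on stdin, print "IP count" for each client
# that produced a wrong password or an unknown user name
failed_auth_counts() {
    awk '/\[client [0-9.]+\] user .*(not found|authentication failure)/ {
            match($0, /\[client [0-9.]+\]/)
            ip = substr($0, RSTART + 8, RLENGTH - 9)   # strip "[client " and "]"
            n[ip]++
         }
         END { for (ip in n) print ip, n[ip] }' | sort
}

# ips_to_ban: IPs whose failure count reached MAXRETRY
ips_to_ban() {
    failed_auth_counts | awk -v max="$MAXRETRY" '$2 >= max { print $1 }'
}

# demo run over the constructed log
printf '%s\n' "$SAMPLE_LOG" | failed_auth_counts
printf '%s\n' "$SAMPLE_LOG" | ips_to_ban
```

The real jail adds a time window (findtime) and a ban duration (bantime) on top of this count; the point of running the logic by hand is to confirm the log format your Apache actually writes matches what the filter expects before trusting the jail, which is what the post's "test out fail2ban" step is about.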
nayr (Participant): Thanks; it is pretty neat to have a native app.. though I must say I am a big fan of running the web version locally w/the controller because it works on my Blackberry (the iPhone is my wife's) and looks great embedded into my home automation web-interface.
nayr (Participant): Thanks Dan; this is exactly what I was needing for doing some additional automation/timing alongside the sprinklers.. from a glance it looks like a piece of cake now.
the adjustment plugin sounds really awesome; I’ll definitely check it out.
nayr (Participant): nginx with port 80 disabled and this SSL config and certs from your own private CA.. be careful to set up your server certs for nginx, use the subjectAltName and put local hostnames and remote hostnames (if they're different) all in the same certificate so nobody throws a hostname mismatch error. Example: sprinklers sprinklers.local myhome.dynip.org
# cert paths are placeholders; ssl_client_certificate is the CA nginx checks client certs against
ssl_certificate /etc/nginx/ssl/sprinklers.crt;
ssl_certificate_key /etc/nginx/ssl/sprinklers.key;
ssl_client_certificate /etc/nginx/ssl/private-ca.crt;
ssl_verify_client on;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers HIGH:!aNULL:!MD5:!DSS:!RC4;
ssl_prefer_server_ciphers on;
You use Apple's enterprise iPhone configuration utility to distribute client certificates to Apple devices.. you really only need just one but you can create 'em for each device and revoke any later that get stolen instead of re-keying everything.
Then apt-get install firehol firewall and edit firehol.conf to this:
version 5   # required header for FireHOL 1.x configs (FireHOL 2 and later expect version 6)
interface eth0 internet
server ssh accept
server https accept
client all accept
Test it out by running: firehol enable and if all works out edit /etc/default/firehol to enable the firewall permanently (make sure you can ssh in at least; a remote portscan is the best way to verify only SSH/HTTPS are open). I'd also suggest at this point putting /var/log in a tmpfs filesystem because the firewall may generate a bit of logs; a Pi/Bone really should be using a remote logging server for permanent logs to get the writes down.
Then you'll configure nginx to proxy to localhost:8080 except for the /mobile path, which you'll run php-fpm for the mobile app out of your user folder.. look up how to do this, I'm not doing it all for you heh.
Also change your SSHD configuration to only allow SSH keys or at least install fail2ban.
When all is said and done your OSPi/OSBo will be about as secure as you can get it from network intrusion; the weakest point will be how secure you keep your CA and the devices themselves with the client certificates.
With this setup any device with a client certificate installed will be able to connect to the sprinklers; everyone else will be rejected.. for most devices once you connect the first time and select the cert you will never be prompted or bothered again. This really can't be brute forced and unless some very critical vulnerability pops up in TLS or SSH there's no other way in; also no fighting with your wife about using your pet's name for her password.
This setup would be entirely safe to expose to the internet through a port forward, putting it in a DMZ, or even giving it a static routable IP. You could obscure the HTTPS port externally by running it on a random high port > 20k outside of your router if doing a port forward, but obfuscation is mostly theatre imho; run it on 443 if you don't want to be stuck across the country, hear of a deep freeze back home on Facebook and not be able to remember the damn port # to shut down sprinklers.
*edit*
For additional hardening put /var/apt/cache in a tmpfs and configure automatic updates for your operating system, that'll keep security updates applied and not wear out your storage: https://wiki.debian.org/UnattendedUpgrades
Also if you're going through all this trouble to create and distribute client certs you might as well run RADIUS somewhere (perhaps on your OpenSprinkler even) and reconfigure your WiFi in the only secure method left; with Enterprise WPA & EAP-TLS.
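As an added example (not nayr's code, nor anything shipped with OpenSprinkler or nginx), the certificate side of the setup above, done with the openssl command-line tool: a throwaway private CA, a server certificate whose subjectAltName carries the LAN and WAN hostnames from the post, one client certificate for a device, and the same chain check nginx's ssl_verify_client performs. It assumes openssl 1.1.1 or newer; the CA name, the device name and the temp-dir paths are made up for the example.

```shell
#!/bin/sh
# Added example, not code from the forum post: build a private CA, issue a SAN server
# cert and a per-device client cert, and verify them against the CA the way nginx does.
set -eu

# hostnames from the post; every name the sprinklers answer to goes in one certificate
SAN_LIST="DNS:sprinklers,DNS:sprinklers.local,DNS:myhome.dynip.org"

# write_cnf DIR: minimal openssl config carrying the extension sections used below
write_cnf() {
    cat > "$1/pki.cnf" <<EOF
[req]
distinguished_name = dn
[dn]
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[server_ext]
subjectAltName = $SAN_LIST
[client_ext]
extendedKeyUsage = clientAuth
EOF
}

# make_pki DIR: creates ca.crt, server.crt and client.crt (plus keys) under DIR
make_pki() {
    dir=$1
    mkdir -p "$dir"
    write_cnf "$dir"
    # the CA key is the crown jewel of this design; it never belongs on the proxy itself
    openssl req -x509 -config "$dir/pki.cnf" -extensions ca_ext -newkey rsa:2048 -nodes \
        -days 3650 -subj "/CN=Home Sprinkler CA" -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null
    # server cert: the SAN list is what prevents hostname-mismatch errors on LAN and WAN names
    openssl req -new -config "$dir/pki.cnf" -newkey rsa:2048 -nodes -subj "/CN=sprinklers" \
        -keyout "$dir/server.key" -out "$dir/server.csr" 2>/dev/null
    openssl x509 -req -in "$dir/server.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
        -days 825 -extfile "$dir/pki.cnf" -extensions server_ext -out "$dir/server.crt" 2>/dev/null
    # one client cert per device, so a lost phone is revoked without re-keying the rest
    openssl req -new -config "$dir/pki.cnf" -newkey rsa:2048 -nodes -subj "/CN=phone-01" \
        -keyout "$dir/client.key" -out "$dir/client.csr" 2>/dev/null
    openssl x509 -req -in "$dir/client.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
        -days 365 -extfile "$dir/pki.cnf" -extensions client_ext -out "$dir/client.crt" 2>/dev/null
}

# cert_is_trusted CAFILE CERT: succeeds only if CERT chains to CAFILE (nginx's check)
cert_is_trusted() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# san_names CERT: print the DNS names in the certificate's subjectAltName, one per line
san_names() {
    openssl x509 -in "$1" -noout -text | tr ',' '\n' \
        | sed -n 's/^[[:space:]]*DNS:\([^[:space:]]*\).*/\1/p'
}

# demo run in a temp dir
WORK=$(mktemp -d)
make_pki "$WORK"
san_names "$WORK/server.crt"
if cert_is_trusted "$WORK/ca.crt" "$WORK/client.crt"; then echo "client cert chains to our CA"; fi
rm -rf "$WORK"
```

ca.crt is what ssl_client_certificate points at, server.crt/server.key go in ssl_certificate and ssl_certificate_key, and the client.crt/client.key pair is what gets bundled (as a PKCS#12 file) into the configuration profile pushed to each device.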
nayr (Participant): This is an iPhone 4S running iOS 6.x, I haven't updated it to 7 yet… it was on every page; it'd stay the same width as vertical and not resize.
You might try a simulator for this setup, see if it's because I'm on a dinosaur in Apple world heh.
nayr (Participant): Well today about an hour before my watering schedule went off I went out and yanked power to the beagle and removed ethernet; then 50mins later I plugged the beagle back in leaving ethernet disconnected and the sprinklers turned on right on time.
I'd say the RTC works just fine; my only suggestion is look at replacing the battery with a supercap.. a big supercap should keep time for at least a week and unlike a battery it will handle all temperature extremes and will still be running strong in 10 years.. it won't last the winter w/out power but do you really want to start in spring with a weak battery? A supercap is also cheaper than a brand name lithium CR battery.
Edit, another tip: add: allow-hotplug eth0 to your /etc/network/interfaces so you don't have to reboot when you plug the network back in 🙂
nayr (Participant): Messing with the iPhone app today and I noticed it does not resize the window when you rotate your device..
nayr (Participant): Just tried the new iPhone app against my OSBo and it worked fine, curious how does your auto-detect work?
nayr (Participant): If you want to be truly paranoid: I use another beagle with a static IP and Nginx web server to reverse proxy OpenSprinkler externally over SSL and then use the same TLS client certificates I use for wired/WiFi authentication (EAP-TLS) to authenticate with the web server and allow my home automation interface to load, which includes OpenSprinkler.. now all my devices silently authenticate regardless of whether they're home or away without any extra setup.. no password prompts and no brute forcing; you've got to steal my client cert to have a shot.
Might add the above solution is wife approved since she doesn't even know what's going on, but she did ask me.. "Our cameras have passwords on them right!?" when she noticed they loaded without a prompt.
OpenSprinkler (Bone) has a local firewall running that only responds to my automation server; without knocking my automation server out and replacing it with a fake, which will throw errors everywhere, there is no way around the cert auth locally.. This is about as secure as you could hope to get OpenSprinkler.. I guess I could run SSL on the OpenSprinkler and do client TLS auth on the proxy side too but I am not too worried about physical attack.. if you're in my garage I've got bigger problems than hacking my sprinklers.. my automation server is in the most secure location in the house and always locked in a cabinet in a locked server room, all switch ports require TLS auth or put you on the free WiFi network… you wanna start getting paranoid here or what?
But setting up a VPN is much easier; and if you can't trust an open source VPN implementation you might as well unplug your internet and toss your wireless access points in the trash.
nayr (Participant): Messing about, it seems there's 2 RTCs on the OSBo; there is a built-in one that I am not sure of the details on, but when you load the OpenSprinkler one it comes up as /dev/rtc1, as a result you will have to manually tell hwclock to use the OSBo RTC with the --rtc /dev/rtc1 switch.
[32426.321034] rtc-ds1307 1-0068: SET TIME!
[32426.339351] rtc-ds1307 1-0068: rtc core: registered ds1307 as rtc1
[32426.362582] rtc-ds1307 1-0068: 56 bytes nvram
[32426.376331] i2c i2c-1: new_device: Instantiated device ds1307 at 0x68
Here is my /etc/rc.local; it tries to set time via internet and if that fails it loads time from RTC.
# register the DS1307 on I2C bus 1; it shows up as /dev/rtc1 (the built-in RTC is rtc0)
echo ds1307 0x68 > /sys/class/i2c-adapter/i2c-1/new_device
# try to set the system clock from the internet first
ntpdate -b -s -u pool.ntp.org
if [ $? -ne 0 ]; then
    # no network: load the battery-backed DS1307 time, then copy it to the built-in RTC
    echo Setting system time from OSBo RTC
    hwclock --rtc /dev/rtc1 -s
    hwclock --rtc /dev/rtc0 -w
else
    # got internet time: save it to the DS1307 for the next boot without network
    echo Updating Internet time on OSBo RTC
    hwclock --rtc /dev/rtc1 -w
fi
I went ahead and created us beagle users a setup page on the wiki: http://rayshobby.net/mediawiki/index.php?title=Set_Up_BBB
April 1, 2014 at 7:57 pm in reply to: sprinklers_pi – An alternative sprinkler control program #25075
nayr (Participant): A multimeter set to VAC to check for voltage across COM and the station that is on is how you test the unit is switching.
Did you have your system winterized? Have you gone through and opened all the valves and turned the water back on? It takes several mins to refill my lines every spring before enough pressure builds to push the heads up and there's several valves that need opened and a few that need closed.. just booting the sprinkler back up in the spring usually isn't enough.
nayr (Participant): Missing a Python library; following these instructions now:
http://learn.adafruit.com/setting-up-io-python-library-on-beaglebone-black/installation-on-ubuntu
*edit*
Yep that was it; working great now… 😀
nayr (Participant):
# python ospi.py
No GPIO module was loaded
No GPIO module was loaded
Starting timing loop
http://0.0.0.0:8080/
nayr (Participant): x2 for VPN, it also makes open wireless networks much more secure and you can bypass hotspot content filtering…
nayr (Participant): Do I need to load a module or something for GPIO? How exactly does it detect a beagle? I was seeing errors in the interval program about some raspi program not found.
I got everything in today, wired it all up but I am not getting any switching… when I turn all stations on there is 0V AC between COM and any station.
26VAC going in from an Elk-TRG2440
nayr (Participant): Trying out the iOS app, says: For OSPi and OSBo users, the mobile_api plugin is required, but I cannot find this anywhere.. and it doesn't seem to want to connect to the interval-pi so I'm thinking I need to install it?
nayr (Participant): Ah just what I was looking for, thanks..
Seems nothing special you've done to the Ubuntu image other than preload your test software and the interval/gcal programs?
I've installed watchdog, ntpd, replaced apache w/lighttpd, added 'rtc-ds1307' to modules and added the following to rc.local
# Set Date from Internet and if fails load RTC
ntpdate -b -s -u utcnist.colorado.edu
if [ $? -ne 0 ];then
hwclock -s
echo Setting system time from RTC
else
hwclock -w
echo Writing internet time to RTC
fi
I just got the interval program installed and the mobile gui running in lighttpd so I am ready to roll come Tuesday when the mailman drops off my OSbo, awesome.. thanks, hopefully I wont even need the test tools.
I also made /tmp, /var/log, and /var/run tmpfs file systems to save some writes.
-R