
Webserver security software

Posted: Sat Jan 21, 2012 6:32 pm
by Rutger
For a few weeks now, some unknown people have been trying to log on to my Homeseer page (and maybe more, which I can't see).
Homeseer and the IP cameras are secured with usernames and passwords, of course.
Only the necessary ports (SSL) and some ports for real-time camera viewing are open in the router.
It doesn't feel right, so I'm searching (this forum) for webserver software or something like this.

I don't want to give access to a small number of IP addresses.... I read some stuff about htaccess files and Apache software.

What web/login server security software do you have installed, or what are other possibilities to have more security?

Re: Webserver security software

Posted: Sat Jan 21, 2012 8:52 pm
by johnz
I think it will be complicated to set up a different webserver for Homeseer.
What about a VPN tunnel to your Fritzbox?
John

Re: Webserver security software

Posted: Sat Jan 21, 2012 9:11 pm
by mhn
Or move your web port to something like 35697. The attacker will have a hard time finding that.

Re: Webserver security software

Posted: Sat Jan 21, 2012 10:20 pm
by Rutger
Hmm, I thought it would be easier to install some webserver and, behind this 'wall', some other software which is reachable from the WAN.
Maybe the VPN is the easiest way.
I'll look further.

Re: Webserver security software

Posted: Sun Jan 22, 2012 12:18 am
by Art
Rutger, it seems to me that what you need is a better firewall. This would enable you to define much more sophisticated rules to deal with incoming traffic, and even better to log attempts to access your network and deal with them appropriately. An example would be to detect port scans and ban the originating IP address altogether. Or, if it's an address within our jurisdiction, notify the authorities.

Re: Webserver security software

Posted: Sun Jan 22, 2012 1:01 am
by airox
You can also try to put an Apache webserver in front of it and make use of mod_proxy to proxy requests to your Homeseer machine. You can then configure the necessary security on the Apache webserver: HTTP basic authentication in combination with an SSL connection (StartSSL can provide you with a free SSL certificate). Use a named virtual host in Apache so only a certain domain like "homeseersecretserver.yourdomain.com" is the entrance to your Homeseer machine.

Hopefully I gave you a few pointers.
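
The setup described in the post above, sketched as an added Apache 2.4 configuration (an illustration, not from the thread or from any poster). The backend address 192.168.1.10, the certificate and password file paths, and the realm name are placeholder assumptions; it needs mod_ssl, mod_proxy, mod_proxy_http, mod_auth_basic, mod_authn_file and mod_authz_user loaded.

```apache
# Added example. All paths and the backend IP are placeholders (assumptions).

# Catch-all: the first vhost on *:443 is the default, so any request that
# does not use the exact hostname below (e.g. a scan by IP address) is refused.
<VirtualHost *:443>
    ServerName default.invalid
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/placeholder.crt
    SSLCertificateKeyFile /etc/ssl/private/placeholder.key
    <Location />
        Require all denied
    </Location>
</VirtualHost>

# The only entrance to the Homeseer machine.
<VirtualHost *:443>
    ServerName homeseersecretserver.yourdomain.com
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/placeholder.crt
    SSLCertificateKeyFile /etc/ssl/private/placeholder.key

    # Reverse proxy only; never act as an open forward proxy.
    ProxyRequests Off
    ProxyPreserveHost On
    ProxyPass        / http://192.168.1.10:80/
    ProxyPassReverse / http://192.168.1.10:80/

    # Basic authentication is checked before a request is passed on;
    # credentials only ever travel inside the SSL connection.
    <Location />
        AuthType Basic
        AuthName "Restricted"
        AuthUserFile /etc/apache2/placeholder.htpasswd
        Require valid-user
    </Location>
</VirtualHost>
```

This only helps if the router forwards port 443 to the Apache machine alone and no longer forwards any port directly to the Homeseer machine; otherwise the proxy can be bypassed.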

Re: Webserver security software

Posted: Mon Jan 23, 2012 10:47 am
by AshaiRey
First ask yourself, 'Do I need my domotica server to be connected directly to the internet?'
If yes, then does it also need inbound traffic? Often it doesn't. It's only the case when you want to control your home while not at home.
So you have to be sure that it's you and only you that's calling in.
Things to control this are:
VPNs
Port forwarding on your firewall.
Allowing only known IP addresses and MAC numbers
SSL encryption.
Time frames and access windows. (dropping the connection after a minute)
Prevent giving commands to your homesystem via email, phone commands, twitter, skype and such.
Just to name a few.

Re: Webserver security software

Posted: Mon Jan 23, 2012 9:37 pm
by Post-IT
If you decide to keep your server publicly available after carefully looking into the things mentioned above, you have several options:

- IPSEC VPN, takes some extra work to set up on the remote location, so not handy when using several computers
- SSL VPN, extra work on the home side but is easy on the client configuration
- changing the port number will not change the risk or enforce security, it will only help you keep out of the spotlight of regular port 80 and 443 scanners
- using a firewall, restricting source IP addresses. You can use a software firewall on Windows, but most ADSL routers support more specific firewalling. Juniper/Netscreen can even insert an authentication step for HTTP pages
- I'm not sure how the Homeseer webserver works, but you might also be able to use client-side certificates (your client will have to present a certificate to authenticate instead of username/password).

I personally use an IPSEC VPN on my iPhone and don't use any webserver which is publicly available.

Re: Webserver security software

Posted: Mon Jan 23, 2012 10:09 pm
by Rutger
Thanks for all the ideas. A lot of stuff to think about. At the moment IP address blocking is the best option. VPN is not always an option, especially at work. After appr. 6 months VPN is an option with my new phone.