At the latest once you have done the first configuration of your FHEM interface, you should also deal with the topic of security. It is really annoying to lose the laboriously collected and neatly programmed functions of your SmartHome system, be it through data loss or because other people have gained unauthorized access to it.
The potential access by unauthorized persons in particular should not be neglected. In the worst case, such access can do far more mischief than just switching a lamp on and off.
How to protect your FHEM instance against unauthorized access and data loss is explained in the following article.
Hints for our lovely English readers: Basically, many of the articles on Nerdiy.de are translations of the original German articles. Therefore, it may happen here and there that some illustrations are not available in English and that some translations are weird/strange/full of mistakes or generally totally wrong. So if you find some obvious (or also not obvious) mistakes, don't hesitate to leave us a hint about that in the comment section.
Also please don't get confused that instead of a "dot" often a "comma" is used as the decimal separator. 🙂
- 1 Safety instructions
- 2 Affiliate links / advertising links
- 3 Requirements
- 4 Change any existing (default) access passwords
- 5 Create HTACCESS user login
- 6 Encrypt a connection with an SSL certificate
- 7 Set automatic backup before each update
- 8 Secure Telnet access
- 9 FHEM backup
- 10 Additional information
I know the following hints are always a bit annoying and seem unnecessary. But unfortunately, many people who thought they knew "better" have, through carelessness, lost eyes, fingers or other things or otherwise hurt themselves. In comparison, a loss of data is hardly worth mentioning, but even that can be really annoying. Therefore, please take five minutes to read the safety instructions. Even the coolest project is not worth an injury or other annoyance. https://www.nerdiy.de/en/sicherheitshinweise/
The links to online shops listed here are so-called affiliate links. If you click on such an affiliate link and shop via this link, Nerdiy.de receives a commission from the online shop or provider concerned. The price doesn't change for you. If you do your purchases via these links, you will support Nerdiy.de in being able to offer further useful projects in the future. 🙂
Before you start with this article, you should have prepared the RaspberryPi to the point that it can be reached via the network and controlled via SSH.
The following three articles describe what to do to prepare the RaspberryPi:
RaspberryPi – Setting up for Nerdiys!
RaspberryPi – The first configuration
RaspberryPi – Controlling the RaspberryPi via SSH
FHEM – Installation on the RaspberryPi
In the following list you will find all the parts you need to implement this article.
Change any existing (default) access passwords
The most important – because most exploited – security precaution is to change any existing default passwords. For example, if you are using a RaspberryPi as the host hardware for the FHEM server, it is important that you change its default login information. The standard login data "pi" and "raspberry" are known to every halfway technology-interested person. So if you have just recognized your own RaspberryPi login details there, it's time to change them.
How to change this is described in the article RaspberryPi – The first configuration.
Create HTACCESS user login
The next safeguard against unauthorized access to your FHEM interface is the access protection via HTACCESS (HTTP basic authentication). Once this is set up, you will be prompted for the associated login data on every access attempt to your FHEM instance.
To set up this access protection, you must first encode your username/password combination in Base64. On Linux this works with a built-in command: enter the following command in the console, replacing tollerBenutzername (= greatUsername) with your username and tollesPasswort (= greatPassword) with your password.
echo -n tollerBenutzername:tollesPasswort | base64
Without Linux, an online Base64 encoder such as www.base64online.com will help. Just enter your username/password combination in the form username:password and click on encode.
To activate the login with these login data, first create an allowed device with the following command.
define allowedWEB allowed
Now you have to link the encoded login data you copied with this module by setting the corresponding attribute, and tell it which web interfaces it applies to. This is done with the following two commands.
attr allowedWEB basicAuth dG9sbGVyQmVudXR6ZXJuYW1lOnRvbGxlc1Bhc3N3b3J0
attr allowedWEB validFor WEB,WEBphone,WEBtablet
That's it already. Now restart FHEM by entering the following command.
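As an added example that is not part of the original article, a small POSIX shell helper that builds the allowedWEB lines from a username and password, refuses usernames containing a colon, and checks that the value decodes back to exactly user:password; the device and instance names are the ones from the commands above.

```shell
#!/bin/sh
# Added example (not from the Nerdiy.de article): build the "allowed" module
# lines for a FHEM basicAuth login and verify the encoded value round-trips.
fhem_basic_auth_value() {
    user=$1; pass=$2
    # RFC 7617: the username must not contain a colon, otherwise user and
    # password can no longer be separated when the value is decoded.
    case $user in *:*) echo "username must not contain ':'" >&2; return 1;; esac
    [ -n "$pass" ] || { echo "empty password" >&2; return 1; }
    # printf instead of echo: "echo -n" is not portable, and a stray newline
    # inside the encoded value would make every login attempt fail.
    value=$(printf '%s:%s' "$user" "$pass" | base64 | tr -d '\n')
    # Round trip: Base64 is an encoding, not encryption. Anyone who can read
    # the attribute or an unencrypted request gets the credentials back, which
    # is why the next step of the article enables HTTPS.
    [ "$(printf '%s' "$value" | base64 -d)" = "$user:$pass" ] || return 1
    printf '%s\n' "$value"
}

# Emit the three FHEM commands used in the article for the given credentials.
fhem_allowed_config() {
    value=$(fhem_basic_auth_value "$1" "$2") || return 1
    printf 'define allowedWEB allowed\n'
    printf 'attr allowedWEB basicAuth %s\n' "$value"
    printf 'attr allowedWEB validFor WEB,WEBphone,WEBtablet\n'
}
```

Running `fhem_allowed_config tollerBenutzername tollesPasswort` reproduces the basicAuth value shown above.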
Encrypt a connection with an SSL certificate
Now that you have secured access to your FHEM interface, the next precaution is to ensure that your communication with it can neither be intercepted nor manipulated. For this purpose, the communication is now encrypted with SSL. To do this, first install the required Perl modules, then create an SSL certificate and link it to FHEM.
sudo apt-get install libio-socket-ssl-perl && sudo apt-get install libwww-perl
sudo mkdir /opt/fhem/certs
sudo openssl req -new -x509 -nodes -out /opt/fhem/certs/server-cert.pem -days 3650 -keyout /opt/fhem/certs/server-key.pem
sudo chmod 644 /opt/fhem/certs/*.pem
sudo chmod 711 /opt/fhem/certs
Note that 644 makes server-key.pem readable by every local user on the RaspberryPi; if other users have accounts there, restrict the key to the user FHEM runs as instead. Then switch the web interface to HTTPS with the following FHEM command and restart FHEM.
attr WEB HTTPS 1
Once you have restarted your FHEM server, you can access it almost as usual. The only difference is that you now have to prefix the address of your FHEM server with https://.
Set automatic backup before each update
With this you are largely protected against the dangers of evil people and machines. Another useful setting is an automatic backup before each update of the FHEM environment. That way you are also protected in case of a faulty update and do not have to restore the entire configuration manually. The following two attributes run updates in the background and create such a backup first.
attr global updateInBackground 1
attr global backup_before_update 1
Secure Telnet access
Among other things, FHEM offers the possibility to execute commands via a Telnet connection. This is not installed/activated by default. But if you use this feature, it is important that you also protect the access with a password. This is done with the following command. Of course you have to replace the part tollesPasswort (= greatPassword) with the password you have chosen. You may also have to adjust the part telnetPort: this is the name of your configured Telnet module and should match the name you use.
attr telnetPort password tollesPasswort
FHEM backup
For the most part you are now well protected against the dangers of evil people and machines. But now you have to arm yourself against the biggest enemy: your own carelessness. Especially while trying things out, it can quickly happen that you misconfigure the system that was working well a moment ago. However, a system that no longer starts is quickly recovered if you are prepared. Assuming you have a current backup, you can easily restore the last working state. The following definition schedules such a backup.
define regularBackup at *03:00:00 backup
This definition creates a backup every day at 3:00 am and places it in the /opt/fhem/backup folder. Of course, the files stored there should also be synchronized to another drive; only then are they safe if the drive or SD card fails.
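As an added example that is not part of the original article, a POSIX shell function that copies the newest archive from /opt/fhem/backup to a second drive and only keeps the copy if its checksum matches the original; the FHEM-... archive name in the comments and test data is an assumption.

```shell
#!/bin/sh
# Added example (not from the Nerdiy.de article): copy the newest FHEM backup
# archive to a second drive and verify the copy before it is kept.
# Assumption: FHEM writes its archives as *.tar.gz (e.g. FHEM-<timestamp>.tar.gz)
# into the backup directory; sha256sum from GNU coreutils is available.
sync_latest_backup() {
    src_dir=$1   # e.g. /opt/fhem/backup
    dst_dir=$2   # e.g. /mnt/usbdrive/fhem-backup
    [ -d "$src_dir" ] || { echo "no source directory: $src_dir" >&2; return 1; }
    mkdir -p "$dst_dir" || return 1
    # Newest archive by modification time.
    latest=$(ls -t "$src_dir"/*.tar.gz 2>/dev/null | head -n 1)
    [ -n "$latest" ] || { echo "no backup archive in $src_dir" >&2; return 1; }
    name=$(basename "$latest")
    # Copy to a temporary name so a half-written file is never mistaken for a
    # valid backup if the copy is interrupted.
    cp "$latest" "$dst_dir/$name.part" || return 1
    src_sum=$(sha256sum "$latest" | cut -d' ' -f1)
    dst_sum=$(sha256sum "$dst_dir/$name.part" | cut -d' ' -f1)
    if [ "$src_sum" != "$dst_sum" ]; then
        rm -f "$dst_dir/$name.part"
        echo "checksum mismatch for $name" >&2
        return 1
    fi
    mv "$dst_dir/$name.part" "$dst_dir/$name" || return 1
    # Print the path of the verified copy.
    printf '%s\n' "$dst_dir/$name"
}
```

The function can be scheduled from cron shortly after the 3:00 am FHEM backup, or called from FHEM itself; it returns a non-zero status whenever no verified copy was produced.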
I hope everything worked as described. If not, or if you have any other questions or suggestions, please let me know in the comments. Also, ideas for new projects are always welcome. 🙂
P.S. Many of these projects - especially the hardware projects - cost a lot of time and money. Of course I do this because I enjoy it, but if you appreciate that I share this information with you, I would be happy about a small donation to the coffee box. 🙂