HowTo: FHEM – Secure access to the configuration interface

At least after you have done the first configurations in your FHEM interface you should also deal with the topic of security. It is really annoying if you lose the laboriously collected and neatly programmed functions of your SmartHome system. Be it through data loss or because other people have gained unauthorized access to your system.

Especially the potential access by unauthorized persons should not be neglected. In the worst case, this access can do more mischief than just turning a lamp on and off.

How to protect your FHEM instance and protect it against data loss is explained in the following article.

Hints for our lovely english readers: Basically, many of the articles on Nerdiy.de are translations from the original german articles. Therefore, it may happen here and there that some illustrations are not available in english and that some translations are weird/strange/full of mistakes or generally totaly wrong. So if you find some obvious (or also not obvious) mistakes don't hesitate to leave us a hint about that in the comment section. 
Also please don't get confused, that instead of a "dot" often a "comma" is used as decimal separator. 🙂


Safety instructions

I know the following hints are always a bit annoying and seem unnecessary. But unfortunately, many people who knew it "better" from carelessness lost their eyes, fingers or other things or hurt themselves. In comparison, a loss of data is almost not worth mentioning, but even these can be really annoying. Therefore, please take five minutes to read the safety instructions. Even the coolest project is worth no injury or other annoyance. https://www.nerdiy.de/sicherheitshinweise/


Requirements

Before you start with this article, you should have prepared the RaspberryPi so far that it can be reached via the network and controlled by SSH.

The following three articles describe what to do to prepare the RaspberryPi:
RaspberryPi – Setting up for Nerdiys!
RaspberryPi – The first configuration
RaspberryPi – Controlling the RaspberryPi via SSH
FHEM – Installation on the RaspberryPi

Required tools:
-none-

Required materials:

In the following list you will find all the parts you need to implement this article.


Change any existing (default) access passwords

The most important – because most exploited – security precaution is to change any existing default passwords. For example, if you are using a host hardware for the FHEM server as a RaspberryPi, it is important that you change its default login information. Namely, the standard login data “pi” and “raspberry” are known to every halfway technology-interested person. So if you have just read your RaspberryPi login details, it’s time to change them.

How to change this is described in the article RaspberryPi – The first configuration.


Create HTACCESS user login

The next security against unauthorized access to your FHEM interface is the access protection via HTACCESS. Once this is set up, you will be prompted to enter the associated login data for each access attempt to your FHEM instance.

To set up this access protection, you must first encode your username/password combination via base64. This works on Linux with a built-in command. To encode your combination of username and password you simply need to enter the following command in the console. Before you have to replace of course tollerBenutzername(=greatUsername) by your username and tollesPasswort(=greatPassword) by your password.

Enter the following command into the console of your RaspberryPi to encode your login data.
echo -n tollerBenutzername:tollesPasswort | base64
You will then receive a base64 encoded string of your login information. You should copy this to be able to use it later.

Without Linux, an online Base64 encoder like www.base64online.com will help. Just enter your username/password combination according to the template username:password and click on code (DECODE).

To activate the login with the login data you have to do the following.

First you have to create the module “allowedWEB” with the following command.
define allowedWEB allowed

Now you have to link your copied login data with this module by setting a corresponding attribute. This is done with the following command.

attr allowedWEB basicAuth dG9sbGVyQmVudXR6ZXJuYW1lOnRvbGxlc1Bhc3N3b3J0
In the last step you have to configure on which login-surfaces the login should be queried. In this case we activate the login request for “WEB”, “WEBPhone” and “WEBtablet” with the following command. If you have given other names for the login interfaces, of course this must be adapted accordingly.
attr allowedWEB validFor WEB,WEBphone,WEBtablet

That’s it already. Restart FHEM again by inserting the following command.

shutdown restart
Now you can test the login. Access the URL of your FHEM instance again. This time, a login window should appear asking you to enter the correct login information.
Now enter the previously defined username and password.
If you have entered the correct login data, you should be forwarded to the homepage of your FHEM instance. Your configuration interface is now protected by username and password.

Encrypt a connection with an SSL certificate

Now that you have secured access to your FHEM interface, the next security precaution must be taken to ensure that your communication with it can neither be intercepted nor manipulated. For this purpose, an SSL encryption of the communication data is now established. To do this, first create an SSL certificate and then connect this to FHEM.

To create the SSL certificate, you must first install two packages. Execute the following command.
sudo apt-get install libio-socket-ssl-perl && sudo apt-get install libwww-perl
During the installation of the packages, you may be asked if you agree that the installation will consume additional memory. Confirm this with a “J”(german) or “Y” and “Enter”.
After installing the packages, you can go to the folder of your FHEM installation with the following command.
cd /opt/fhem
The following command creates the folder “certs”, in which the certificates are created / saved.
sudo mkdir certs
Now switch to the folder “certs” just created.
cd /opt/fhem/certs
To create the SSL certificate, you need to run the following command.
sudo openssl req -new -x509 -nodes -out server-cert.pem -days 3650 -keyout server-key.pem
Während das Zertifikat erstellt wird, werdet Ihr nach Details für dieses Zertifikat gefragt. Als erstes sollt Ihr hier zum Beispiel den CountryCode eingeben. Diese Eingaben müssen nicht der Wahrheit entsprechen. Ihr könnt Ihr also die korrekten Angeben machen oder… As the certificate is being created, you will be asked for details for that certificate. For example, you should start with entering the country code. These inputs do not have to be true. So you can of course give the correct information or …
… use three hyphens or other characters as placeholders as shown.
The following command sets the right file permissions for the certificate and …
sudo chmod 644 /opt/fhem/certs/*.pem
… the certificate folder.
sudo chmod 711 /opt/fhem/certs
In the last two steps you have to activate HTTPS for the WEB module …
attr WEB HTTPS
… and restart FHEM so that the changes are applied.
shutdown restart

If you have restarted your FHEM server you can almost access it as usual. The only difference is that you now have to prepend an HTTPS to the address of your FHEM server.

Since you are using a self-signed certificate, you will be warned and advised by almost all browsers. In the “normal” Internet, this could be an indication of a data leak. In that case, you do not have to worry about it. So you can avoid the warning. Therefore Click on “Erweitert”(=”Advanced”) …
… then click on “Weiter zu ….(unsicher)”(=”Continue to …. (unsafe)”) to bypass the warning and access your FHEM server.
If you have activated the user login, you will now be asked for the login data.
Without user login or with correct input of the login data you will then land as usual on your FHEM homepage.

Set automatic backup before each update

For the most part you are well protected against the dangers of evil people and machines. Another useful setting is the automatic backups before each update of the FHEM environment. So you are also protected in case of a faulty update and do not have to manually restore the entire configuration.

Enter the following commands into the command line of your FHEM instance.
attr global updateInBackground 1
attr global backup_before_update 1

Secure Telnet access

Among other things, FHEM offers the possibility to execute commands via Telnet connection. This is not installed/activated by default. But if you use this feature it is important that you also protect the access by password. This is done with the following command. Of course you have to replace the part tollesPasswort (=”greatPassword) with the password you have chosen. Possibly. you have to adjust the part “telnetPort” here too. This is the name of your configured Telnet module and should match the name you use.

attr telnetPort password tollesPasswort


FHEM backup

For the most part you are well protected against the dangers of evil people and machines. But now you have to arm yourself against the biggest Enemy: your own dizziness. Especially when trying out and around, it can happen quickly that you configure the just-well-functioning system wrong. However, a system that does not start up quickly recovers if you are prepared. Assuming you have a current backup you can easily play back the last working state.

define regularBackup at *03:00:00 backup

This setting creates a backup every day at 3:00 am and places it in the /opt/fhem/backup folder. Of course, the files stored here should also be synchronized with another drive. Only then they are safe in case of an error with the drive or SD card.


Additional information

https://de.wikipedia.org/wiki/Base64

https://wiki.fhem.de/wiki/Telnet


I hope everything worked as described. If not or you have any other questions or suggestions, please let me know in the comments. Also, ideas for new projects are always welcome. 🙂

Fab

P.S. Many of these projects - especially the hardware projects - cost a lot of time and money. Of course I do this because I enjoy it, but if you appreciate it that I share these information with you, I would be happy about a small donation to the coffee box. 🙂

Buy Me a Coffee at ko-fi.com

Leave a Reply

Your email address will not be published. Required fields are marked *