HowTo: FHEM - Securing access to the configuration interface

At the latest after you have made the first configurations in your FHEM interface, you should also deal with the topic of security. It's really annoying when you lose the laboriously compiled and neatly programmed functions of your SmartHome system. Be it due to data loss or because other people have gained unauthorized access to your system.

The potential access by unauthorized persons should not be neglected. In the worst case scenario, you can do more mischief with this access than just turning a lamp on and off.

How you can secure your FHEM instance and protect it against data loss is explained in the following article.


Safety instructions

I know the following notes are always kind of annoying and seem unnecessary. Unfortunately, many people who knew "better" have lost eyes, fingers or other things due to carelessness or injured themselves. Data loss is almost negligible in comparison, but even these can be really annoying. Therefore, please take five minutes to read the safety instructions. Because even the coolest project is not worth injury or other trouble.
https://www.nerdiy.de/sicherheitshinweise/

Affiliate links/advertising links

The links to online shops listed here are so-called affiliate links. If you click on such an affiliate link and make a purchase via this link, Nerdiy.de will receive a commission from the relevant online shop or provider. The price does not change for you. If you make your purchases via these links, you support Nerdiy.de in being able to offer other useful projects in the future. 🙂 


Requirements

Before you start with this article you should have prepared the RaspberryPi so that it is accessible via the network and controllable via SSH.

The following articles describe what needs to be done to prepare the RaspberryPi:
RaspberryPi – setup for nerdiys!
RaspberryPi – The first configuration!
RaspberryPi – Control the RaspberryPi via SSH
FHEM – Installation on the RaspberryPi

Tools needed:
-none-

Materials needed:



Changing any existing (default) access passwords

The most important security precaution, because it is the one most often exploited, is to change any default passwords that exist. If you use a RaspberryPi as the host hardware for the FHEM server, it is essential that you change its default login data. The default credentials "pi" and "raspberry" are known to anyone with even a passing interest in technology. So if you have just recognised your own RaspberryPi login details here, it is high time to change them.

How to change them is described in the article RaspberryPi – The first configuration!


Create HTACCESS user login

The next precaution against unauthorized access to your FHEM interface is a user login, usually called "htaccess" protection after the Apache file of the same name; technically it is HTTP basic authentication. Once it is set up, you are asked for the login details on every attempt to access your FHEM instance.

To set it up, you first have to encode your username/password combination with Base64. Bear in mind that Base64 is an encoding, not encryption: anyone who can read fhem.cfg can decode the value back into the password, and the browser sends the same value with every request, which is why this login should always be combined with HTTPS (see below). On Linux the encoding is done with a built-in command. Replace greatusername and greatpassword with your own values and enter the following command in the console of your RaspberryPi. The -n matters: without it, echo appends a line break, which ends up inside the encoded value and makes every login attempt fail.
echo -n greatusername:greatpassword | base64
You then receive your login data as a Base64 string. Copy it, you need it in a moment.

If you have no Linux system at hand, an online Base64 encoder such as www.base64online.com does the same: enter username:password and click on Encode. Keep in mind, though, that you are handing your real credentials to a third-party website; a local tool is the better choice.

To activate the login with the credentials you have set, do the following in FHEM's command line (the input field at the top of the web interface).

First create a device of type allowed with the following command. The name allowedWEB is arbitrary.
define allowedWEB allowed

Now attach the copied Base64 string to this device by setting the basicAuth attribute. The value below is the encoding of greatusername:greatpassword; use your own string instead.
attr allowedWEB basicAuth Z3JlYXR1c2VybmFtZTpncmVhdHBhc3N3b3Jk

In the last step you configure on which FHEMWEB instances the login is requested. Here the login is enabled for "WEB", "WEBphone" and "WEBtablet", the three instances a default installation creates. If you have given your FHEMWEB instances other names, adjust the list accordingly; an instance that is not listed here stays unprotected.
attr allowedWEB validFor WEB,WEBphone,WEBtablet

That's it. Save the configuration with the save command so the new device survives a restart, then restart FHEM by entering the following command

shutdown restart
Now you can test the login. To do this, open the URL of your FHEM instance again. This time a login window should appear asking you for the login details.
Enter the user name and password you specified above.
If the details are correct, you are taken to the home page of your FHEM instance. Your configuration interface is now protected by user name and password.
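How the basicAuth value is produced, and why it is only an encoding, as an added shell example that is not part of the original article. It assumes GNU coreutils (base64, tr) as found on Raspberry Pi OS; greatusername and greatpassword are the placeholders from the text.

```shell
#!/bin/sh
# Added example (not from the original article): build the value for
# "attr allowedWEB basicAuth ..." locally and show why Base64 is not a secret.

# Encode "user:password" exactly as FHEM expects it. printf is used instead of
# echo so that no trailing newline ends up inside the encoded value; tr removes
# the line wrapping GNU base64 adds for long input.
basic_auth_value() {   # <user> <password>
    printf '%s:%s' "$1" "$2" | base64 | tr -d '\n'
}

# The common mistake: "echo" without -n appends a newline, so the value stored
# in FHEM never matches what the browser sends and every login fails.
basic_auth_value_with_newline_bug() {   # <user> <password>
    printf '%s:%s\n' "$1" "$2" | base64 | tr -d '\n'
}

# Base64 is reversible: anyone who can read fhem.cfg gets the password back.
basic_auth_decode() {   # <base64 string>
    printf '%s' "$1" | base64 -d
}

# Usage: sh this_script.sh greatusername greatpassword
if [ $# -eq 2 ]; then
    v=$(basic_auth_value "$1" "$2")
    echo "attr allowedWEB basicAuth $v"
    echo "decodes back to: $(basic_auth_decode "$v")"
fi
```

Run it with your real user name and password only on the Pi itself; the second line of output is the reason the value in fhem.cfg must be treated like the password itself.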

Encrypt the connection with an SSL certificate

Now that access to your FHEM interface requires a login, the next precaution is to make sure that the communication itself cannot be read or tampered with on the way. Without it, the login details you have just set up travel in the clear with every request. For this purpose the connection is now encrypted with TLS (still commonly called SSL). To do this, a certificate must first be created and then wired into FHEM.

To create the certificate, you must first install the two Perl packages FHEM needs for TLS connections. To do this, execute the following command.
sudo apt-get install libio-socket-ssl-perl libwww-perl
During the installation you may be asked whether additional disk space may be used. Confirm with "Y" and Enter.
After installing the packages, use the following command to change to the folder of your FHEM installation.
cd /opt/fhem
There, create the folder "certs" in which the certificate and key are stored. FHEMWEB looks for certs/server-cert.pem and certs/server-key.pem by default, so keep these file names.
sudo mkdir certs
Now change into the newly created folder "certs".
cd /opt/fhem/certs
To create the key and the self-signed certificate (valid for ten years), execute the following command.
sudo openssl req -new -x509 -nodes -out server-cert.pem -days 3650 -keyout server-key.pem
While the certificate is being created you are asked for details to put into it, starting with the country code. These entries do not have to be true; the one worth filling in is the Common Name, where you can enter the host name or IP address you use to reach the FHEM server. For the rest you can either provide correct information or...
...use three hyphens or other characters as placeholders, as shown.
With the following command the certificate files...
sudo chmod 644 /opt/fhem/certs/*.pem
... and the certificate folder are given permissions FHEM can work with.
sudo chmod 711 /opt/fhem/certs
Note that this makes server-key.pem, your private key, readable by every user on the Pi. FHEM does not run as root but (with the Debian package) as the user fhem, so a tighter setting is to make the fhem user the owner of both files and give the key mode 600 while only the certificate keeps 644.
In the last two steps you now have to activate HTTPS for the WEB module...
attr WEB HTTPS 1
...and restart FHEM for the changes to take effect (save the configuration first, otherwise the attribute is lost on restart). The attribute applies to this one FHEMWEB instance only; if you also use WEBphone and WEBtablet, set it on them as well, otherwise the login details still go over those ports unencrypted.
shutdown restart

Once FHEM has restarted you can reach it almost as usual. The difference is that you now have to prefix the address of your FHEM server with https://.

Because you are using a self-signed certificate, almost every browser will now show a warning: the certificate was not issued by an authority the browser trusts. On the open internet this can be a sign that somebody is intercepting the connection, so the warning is justified there. In this case, in your own network and with a certificate you created yourself a moment ago, you can proceed past it. A quick check before doing so is to compare the fingerprint the browser shows in the certificate details with that of /opt/fhem/certs/server-cert.pem; if they match, you are talking to your own FHEM server. Click on "Advanced"...
...then on "Proceed to ... (unsafe)" to get past the warning and reach your FHEM server.
If you have activated the user login, you are now asked for your login details.
Without a user login, or after entering the details correctly, you land on your FHEM home page as usual.
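The certificate procedure above with the private key restricted to the FHEM user, plus the fingerprint you compare against the browser warning, as an added shell example that is not part of the original article. It assumes OpenSSL 1.1.1 or newer (for -addext), GNU stat, that FHEM runs as the user fhem (Debian package default) and that the host name fhem.local is what you type into the browser; adjust both as needed.

```shell
#!/bin/sh
# Added example (not from the original article): create the self-signed
# certificate for FHEMWEB with the private key readable only by the FHEM user,
# and print the fingerprint to compare with the browser's certificate details.
# Assumptions: FHEM runs as user "fhem" and reads certs/server-cert.pem and
# certs/server-key.pem below /opt/fhem (FHEMWEB's default sslCertPrefix).

# Generate key and certificate without interactive prompts. CN and SAN are set
# to the host name used in the browser; -addext needs OpenSSL 1.1.1 or newer.
make_selfsigned_cert() {   # <dir> <hostname> <days>
    mkdir -p "$1"
    openssl req -x509 -newkey rsa:2048 -nodes -days "$3" \
        -keyout "$1/server-key.pem" -out "$1/server-cert.pem" \
        -subj "/CN=$2" -addext "subjectAltName=DNS:$2" 2>/dev/null
}

# Restrict the private key to its owner (600) instead of the world-readable
# 644 from the article; the certificate is public and may stay 644.
# chown only takes effect when run as root and the user exists.
harden_cert_perms() {      # <dir> <fhem-user>
    chmod 755 "$1"
    chmod 644 "$1/server-cert.pem"
    chmod 600 "$1/server-key.pem"
    if [ "$(id -u)" -eq 0 ] && id "$2" >/dev/null 2>&1; then
        chown "$2" "$1/server-key.pem" "$1/server-cert.pem"
    fi
}

# Returns 0 if nobody but the owner can read the key file.
key_is_private() {         # <keyfile>
    case "$(stat -c '%a' "$1")" in
        600|400) return 0 ;;
        *)       return 1 ;;
    esac
}

# SHA-256 fingerprint, the value browsers show in the certificate details.
cert_fingerprint() {       # <certfile>
    openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# Usage (as root on the Pi): sh this_script.sh /opt/fhem/certs fhem.local
if [ $# -ge 1 ]; then
    make_selfsigned_cert "$1" "${2:-fhem.local}" 3650
    harden_cert_perms "$1" fhem
    echo "fingerprint: $(cert_fingerprint "$1/server-cert.pem")"
fi
```

After running it, set attr WEB HTTPS 1 as described above; if FHEM cannot read the key, the chown step was skipped because the script did not run as root.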

Set automatic backup before every update

You are now largely well protected against the dangers posed by evil people and machines. Another useful setting is the automatic backups before every update of the FHEM environment. This means you are protected even in the event of an incorrect update and do not have to manually restore the entire configuration.

To do this, enter the following commands in the command line of your FHEM instance and save the configuration afterwards.
attr global updateInBackground 1
attr global backup_before_update 1

Secure Telnet access

FHEM also offers the option of executing commands over a Telnet connection. This is not set up by default. If you use it, however, it is important to protect the access with a password, which is done with the following command. Replace great password with the password of your choice and, if necessary, telnetPort with the name of your Telnet device. Bear in mind that Telnet sends the password and every command in the clear, so it should be reachable only from the local network or, better, from the Pi itself; the Telnet device's allowfrom attribute lets you restrict the permitted source addresses.

attr telnetPort password great password


FHEM backup

You are now well protected against outside threats. But you also have to arm yourself against the biggest enemy: your own carelessness. Especially while experimenting, it can quickly happen that you misconfigure a system that was previously working well. If FHEM then no longer starts, it can be restored quickly, provided you have a current backup, ideally on an external storage medium. The following definition creates one automatically.

define regularBackup at *03:00:00 backup

With this setting a backup is created every day at 3:00 a.m. and stored as a tar.gz archive in the /opt/fhem/backup folder (the location can be changed with the global attribute backupdir). A backup that stays on the same SD card as FHEM only protects against configuration mistakes, not against a failing card, so the files stored here should also be synchronized to another drive.
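One way to do that synchronization from cron, as an added shell example that is not part of the original article. It assumes FHEM's backup archives are named FHEM-YYYYMMDD_HHMMSS.tar.gz (so sorting by name is sorting by date), that the target directory is on a mounted USB stick, and it verifies each archive with tar before copying so a truncated file is never the only copy you keep.

```shell
#!/bin/sh
# Added example (not from the original article): copy the archives that the
# FHEM "backup" command writes to /opt/fhem/backup onto another drive, skip
# archives that cannot be read, and keep only the newest N copies there.
# Assumptions: archive names FHEM-YYYYMMDD_HHMMSS.tar.gz; target is a mounted
# external drive such as /mnt/usb/fhem.

# Returns 0 if the archive can be listed, i.e. it is a complete gzip'ed tar.
archive_ok() {     # <file>
    tar -tzf "$1" >/dev/null 2>&1
}

# Copy every readable archive from <src> to <dst>, then prune <dst> so that
# only the <keep> newest archives remain.
sync_backups() {   # <src> <dst> <keep>
    mkdir -p "$2"
    for f in "$1"/FHEM-*.tar.gz; do
        [ -e "$f" ] || continue
        if archive_ok "$f"; then
            cp -p "$f" "$2/"
        else
            echo "skipping unreadable archive: $f" >&2
        fi
    done
    # Names embed the timestamp, so reverse lexical order is newest first.
    ls -1 "$2"/FHEM-*.tar.gz 2>/dev/null | sort -r | tail -n +"$(($3 + 1))" |
    while read -r old; do rm -f "$old"; done
}

# Number of archives in a directory, without the padding some wc versions add.
count_archives() { # <dir>
    ls -1 "$1"/FHEM-*.tar.gz 2>/dev/null | wc -l | tr -d ' '
}

# Usage from cron, e.g. daily at 04:00, after FHEM's 03:00 backup has run:
#   0 4 * * * /usr/local/bin/fhem-backup-sync.sh /opt/fhem/backup /mnt/usb/fhem 14
if [ $# -eq 3 ]; then
    sync_backups "$1" "$2" "$3"
    echo "$(count_archives "$2") archive(s) in $2"
fi
```

The verification step is what makes this better than a plain cp: a backup written while the SD card was already failing is reported on stderr instead of silently overwriting a good copy on the other drive.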


Further information

https://de.wikipedia.org/wiki/Base64

https://wiki.fhem.de/wiki/Telnet


Have fun with the project

I hope everything worked as described for you. If not or you have questions or suggestions please let me know in the comments. I will then add this to the article if necessary.
Ideas for new projects are always welcome. 🙂

PS Many of these projects - especially the hardware projects - cost a lot of time and money. Of course I do this because I enjoy it, but if you think it's cool that I share the information with you, I would be happy about a small donation to the coffee fund. 🙂
