Suggestion to limit connections to wifi attachment

AlanM
Posts: 263
Joined: Wed Jan 01, 2014 7:26 am

Suggestion to limit connections to wifi attachment

Post by AlanM »

I occasionally see my RA getting hammered on WiFi with lots of activity (yellow light flashing madly while the green blinks slowly). I assume this is a scanner on the internet looking for victims and able to scan my RA on port 2000 because I've forwarded that port in through my firewall.

Any suggestions on how to limit the connections in?

I have run DD-WRT on my Netgear R7000 router, but am running stock Netgear firmware at the moment. I assume I could only allow incoming forwarding from reefangel.com to allow the portal to control and query. I also use Reeftronics and aquaticlog which log things, so I'd have to allow those in as well, but I could do that. Then I'd be looking at Curt's app, which I think I can ask to just use the portal instead of my RA directly, so that might be covered under rules allowing the portal in.

Think that would work?
binder
Posts: 2871
Joined: Fri Mar 18, 2011 6:20 pm
Location: Illinois

Re: Suggestion to limit connections to wifi attachment

Post by binder »

You could also change the port to a "non-standard" port. So just randomly pick a port number between 2000 and 65535 and don't tell anybody. The higher port numbers are typically involved with outgoing ports when you are surfing the web, etc.

You are correct, my app will work with the portal. You just will not get the ability to change anything, i.e., it becomes a "monitor only" mode.
lnevo
Posts: 5430
Joined: Fri Jul 20, 2012 9:42 am

Re: Suggestion to limit connections to wifi attachment

Post by lnevo »

I think the best thing you could do is just enable the http authentication and more importantly a portal key. I think with those 2 things no hacker / script kiddie is going to spend time dealing with the RA web server. They are looking for well known application responses (like the BASH vulnerability, etc) and aren't going to try and break authentication on an unknown appliance web server. With the portal key there is not much they'd be able to do anyway and would essentially be read-only. You would probably have better luck with some type of software firewall that could filter out known types of probe traffic while still allowing the straight port 2000 to work.
AlanM
Posts: 263
Joined: Wed Jan 01, 2014 7:26 am

Re: Suggestion to limit connections to wifi attachment

Post by AlanM »

Lee, I assume you have http authentication enabled. I have it enabled and also use reeftronics. Frequently I will get a "reeftronics couldn't connect" message even when the portal is able to connect. When I check it out to test it I end up with a 401 couldn't-authenticate error, which it shouldn't do because reeftronics and aquaticlog both use the /sa path, which is supposed to be available with no authentication.

Do you use reeftronics or aquatic log and sometimes see this 401 auth error? I'm going through the code for authentication and can't find anything specific.
lnevo
Posts: 5430
Joined: Fri Jul 20, 2012 9:42 am

Re: Suggestion to limit connections to wifi attachment

Post by lnevo »

I do not use any authentication =/ I know I know... so I don't get those errors. I do occasionally get a bunch of 0 errors for ph, temp, and water level and reeftronics shows some data that might correlate with that. I think it's just the WiFi and RA being a bit slow at times. I always have problems if I try to do things too fast on the RA.
AlanM
Posts: 263
Joined: Wed Jan 01, 2014 7:26 am

Re: Suggestion to limit connections to wifi attachment

Post by AlanM »

So how does the portal key work? Will Reeftronics/Aquaticlog still work? Does it limit people from being able to connect to my RA at port 2000 and changing stuff? Does the android app work with it?
rimai
Posts: 12881
Joined: Fri Mar 18, 2011 6:47 pm

Re: Suggestion to limit connections to wifi attachment

Post by rimai »

Portal will only accept data if the key matches.
Roberto.
binder
Posts: 2871
Joined: Fri Mar 18, 2011 6:20 pm
Location: Illinois

Re: Suggestion to limit connections to wifi attachment

Post by binder »

lnevo wrote: I do not use any authentication =/ I know I know... so I don't get those errors.
Good for you. I don't either. Although, I do run on a non-standard port and I do not have my IP or domain published. =)
binder
Posts: 2871
Joined: Fri Mar 18, 2011 6:20 pm
Location: Illinois

Re: Suggestion to limit connections to wifi attachment

Post by binder »

AlanM wrote: So how does the portal key work? Will Reeftronics/Aquaticlog still work? Does it limit people from being able to connect to my RA at port 2000 and changing stuff? Does the android app work with it?
It should not matter with the android app since the app just pulls data from the controller or portal. Like Roberto said, the portal just will not accept data if the key does not match.
AlanM
Posts: 263
Joined: Wed Jan 01, 2014 7:26 am

Re: Suggestion to limit connections to wifi attachment

Post by AlanM »

rimai wrote: Portal will only accept data if the key matches.
OK. So it just prevents someone from loading their own reefangel data into my portal settings and booting mine out, but doesn't prevent them from connecting to my reefangel IP address and changing things?
lnevo
Posts: 5430
Joined: Fri Jul 20, 2012 9:42 am

Re: Suggestion to limit connections to wifi attachment

Post by lnevo »

I thought it was required to read and write to the RA as well. Is that not the case?
binder
Posts: 2871
Joined: Fri Mar 18, 2011 6:20 pm
Location: Illinois

Re: Suggestion to limit connections to wifi attachment

Post by binder »

lnevo wrote: I thought it was required to read and write to the RA as well. Is that not the case?
I thought everything was like this:
  • wifi authentication limits read and write access to the RA (except /sa, which is always read-only, but this needs to be confirmed). So you create a username & password combination to access the RA.
  • portal key limits the sending of data to the portal from the RA with the matching key
If my understanding is wrong, then I need to be corrected, but this is how I thought everything worked.
rimai
Posts: 12881
Joined: Fri Mar 18, 2011 6:47 pm

Re: Suggestion to limit connections to wifi attachment

Post by rimai »

There is an open issue pending testing and approval.
Branch issue71: https://github.com/reefangel/Libraries/issues/71
There is a mention about this branch in here:
http://forum.reefangel.com/viewtopic.php?p=22824#p22824
If anyone wants to test it, we can merge to dev and include to next release.
It will require some changes in the apps and in the portal code.
I'll also have to revisit this to refresh my memory.
Roberto.
AlanM
Posts: 263
Joined: Wed Jan 01, 2014 7:26 am

Re: Suggestion to limit connections to wifi attachment

Post by AlanM »

OK. The /sa location is supposed to let people in without authentication, from what I understood, but I just had to disable authentication in order for reeftronics to be able to reliably connect. I never had a problem with the app because it actually does the authentication.

Russ uses the /sa to get his data, but he very frequently gets a 401 access denied message with that URL even though it's not supposed to have auth on it.

I opened up an issue on this and one other here:

https://github.com/reefangel/Libraries/issues/217

where sometimes Russ gets a response back to his /sa query which looks like traffic which is supposed to go to the portal.

In the meantime, how do I switch the port that the RA runs on since I have auth currently disabled? I assume I'll need to do it in the .ino file because the RA needs to tell the portal what port to use.
binder
Posts: 2871
Joined: Fri Mar 18, 2011 6:20 pm
Location: Illinois

Re: Suggestion to limit connections to wifi attachment

Post by binder »

AlanM wrote: In the meantime, how do I switch the port that the RA runs on since I have auth currently disabled? I assume I'll need to do it in the .ino file because the RA needs to tell the portal what port to use.
This is handled at your firewall/router. You need to tell the firewall to forward port 12345 to port 2000 on the RA. Or whatever port you want to use instead of 2000. You can use any port from 1024 through 65535. Whatever port you pick, I would keep it private though, so nobody else knows. Typically the higher port numbers are used by outgoing connections (like your web browser traffic when you browse the web) and the low number ports (below 1024) are used for servers for common, well known protocols.
Then, you must update the following:
  • Portal to use the new port
  • Apps to use the new port
  • whatever else to use the new port
Now, any data coming into your network on the new port will be sent to your RA and port 2000 will be closed on your firewall. Your RA wifi will still think it is operating on port 2000. The firewall handles all the requests and the "magic" of directing the ports appropriately.

This is exactly how I do it and it is pretty simple. My router allows me to change the ports around like that and I'm assuming others do too.
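The two ideas in this thread (AlanM's "only forward from the portal and the logging services" and binder's "forward a non-standard public port to port 2000 on the RA") fit together in one router firewall script. The script below is an added example written for this page; it is not Reef Angel, DD-WRT or Netgear code. It assumes an iptables-based router such as DD-WRT (on DD-WRT it would go in the custom firewall script), and every address in it is a placeholder: `WAN_IF`, `RA_IP`, the public port 12345 from binder's post, and two documentation-range addresses standing in for the portal, Reeftronics and aquaticlog. Because the filtering happens at the router, the RA never sees the scanner traffic, so the /sa and HTTP-auth questions above are untouched; the leftover probes are logged (rate limited) so the "yellow light flashing madly" episodes show up in the router log with a source address instead.

```shell
#!/bin/sh
# Added example, not Reef Angel project code: iptables rules for a DD-WRT
# style router that forward a non-standard public port to the RA WiFi
# attachment's port 2000, accept only an allow list of source hosts, and log
# (rate limited) and drop everything else so scanner noise is visible in the
# router log instead of hitting the RA.
#
# Placeholder assumptions (replace with your own values):
#   WAN_IF    internet-facing interface name
#   RA_IP     LAN address of the RA WiFi attachment
#   WAN_PORT  the "non-standard" public port (the thread's example is 12345)
#   allow list: source IPs/CIDRs for the portal, Reeftronics, aquaticlog;
#   the defaults are documentation-range addresses, not the real services.
WAN_IF="${WAN_IF:-vlan2}"
RA_IP="${RA_IP:-192.168.1.50}"
RA_PORT=2000
WAN_PORT="${WAN_PORT:-12345}"
DEFAULT_ALLOWED="203.0.113.10 198.51.100.0/24"

# Print the iptables command in dry-run mode, otherwise execute it. Dry-run
# lets you review (or test) the rule set on a machine without iptables.
ipt() {
    if [ -n "${DRY_RUN:-}" ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

# Emit or apply the rule set. Arguments: the allowed source addresses.
ra_rules() {
    for src in "$@"; do
        # Public WAN_PORT -> RA:2000, only when the packet comes from $src.
        ipt -t nat -A PREROUTING -i "$WAN_IF" -p tcp -s "$src" \
            --dport "$WAN_PORT" -j DNAT --to-destination "$RA_IP:$RA_PORT"
        # Let the translated packets through the FORWARD chain.
        ipt -A FORWARD -i "$WAN_IF" -p tcp -s "$src" -d "$RA_IP" \
            --dport "$RA_PORT" -j ACCEPT
    done
    # Anyone else touching the public port: log at most 5 lines/min, then drop.
    ipt -A INPUT -i "$WAN_IF" -p tcp --dport "$WAN_PORT" \
        -m limit --limit 5/min -j LOG --log-prefix "RA-PROBE: "
    ipt -A INPUT -i "$WAN_IF" -p tcp --dport "$WAN_PORT" -j DROP
    # Belt and braces: nothing from the WAN reaches the RA's port 2000
    # unless one of the ACCEPT rules above matched it first.
    ipt -A FORWARD -i "$WAN_IF" -p tcp -d "$RA_IP" --dport "$RA_PORT" -j DROP
}

# Sanity checks on the generated rule set (always dry-run, never applied).
count_dnat() {
    ( DRY_RUN=1; ra_rules "$@" ) | grep -c -- '-j DNAT'
}
has_drop_rule() {
    ( DRY_RUN=1; ra_rules "$@" ) | grep -q -- "--dport $WAN_PORT -j DROP"
}

# By default just print the rules; pass "apply" to run them for real.
# DEFAULT_ALLOWED is deliberately unquoted so it splits into one arg per host.
if [ "${1:-print}" = "apply" ]; then
    ra_rules $DEFAULT_ALLOWED
else
    DRY_RUN=1; ra_rules $DEFAULT_ALLOWED
fi
```

Two caveats for anyone adapting this. iptables resolves a hostname given to `-s` only once, when the rule is loaded, so allowing `reefangel.com` by name silently breaks if the portal's address ever changes; use addresses you have looked up and re-run the script after a change. And the allow list only covers services that connect in to the RA; the RA's own outgoing posts to the portal are unaffected, which is why the portal key question in the thread is a separate matter from this filter.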
AlanM
Posts: 263
Joined: Wed Jan 01, 2014 7:26 am

Re: Suggestion to limit connections to wifi attachment

Post by AlanM »

binder wrote: This is handled at your firewall/router. You need to tell the firewall to forward port 12345 to port 2000 on the RA. Or whatever port you want to use instead of 2000.
Great. Easy enough to do. Thanks. I'll update the port with Russ and AquaticLog too.
lnevo
Posts: 5430
Joined: Fri Jul 20, 2012 9:42 am

Re: Suggestion to limit connections to wifi attachment

Post by lnevo »

If you did want to change the port the RA listens to it's a setting in the wifi module.