Suggestion to limit connections to wifi attachment
I occasionally see my RA getting hammered on WiFi with lots of activity (yellow light flashing madly while the green blinks slowly). I assume this is a scanner on the internet looking for victims and able to scan my RA on port 2000 because I've forwarded that port in through my firewall.
Any suggestions on how to limit the connections in?
I have run DD-WRT on my Netgear R7000 router, but am running stock Netgear firmware at the moment. I assume I could only allow incoming forwarding from reefangel.com to allow the portal to control and query. I also use Reeftronics and aquaticlog which log things, so I'd have to allow those in as well, but I could do that. Then I'd be looking at Curt's app, which I think I can ask to just use the portal instead of my RA directly, so that might be covered under rules allowing the portal in.
Think that would work?
Re: Suggestion to limit connections to wifi attachment
you could also change the port to a "non-standard" port. so just randomly pick a port number between 2000 and 65535 and don't tell anybody. the higher up port numbers are typically involved with outgoing ports when you are surfing the web, etc.
you are correct, my app will work with the portal. you just will not get the ability to change anything, ie, it becomes a "monitor only" mode.
Re: Suggestion to limit connections to wifi attachment
I think the best thing you could do is just enable the http authentication and more importantly a portal key. I think with those 2 things no hacker / script kiddie is going to spend time dealing with the RA web server. They are looking for well known application responses (like the BASH vulnerability, etc) and aren't going to try and break authentication on an unknown appliance web server. With the portal key there is not much they'd be able to do anyway and would essentially be read-only. You would probably have better luck with some type of software firewall that could filter out known types of probe traffic while still allowing the straight port 2000 to work.
Re: Suggestion to limit connections to wifi attachment
Lee, I assume you have http authentication enabled. I have it enabled and also use reeftronics. Frequently I will get a "reeftronics couldn't connect" message even when the portal is able to connect. When I check it out to test it I end up with a 401 couldn't authenticate error. Which it shouldn't do because reeftronics and aquaticlog both use the /sa path which is supposed to be available with no authentication.
Do you use reeftronics or aquatic log and sometimes see this 401 auth error? I'm going through the code for authentication and can't find anything specific.
Re: Suggestion to limit connections to wifi attachment
I do not use any authentication =/ I know I know... so I don't get those errors. I do occasionally get a bunch of 0 errors for ph, temp, and water level and reeftronics shows some data that might correlate with that. I think it's just the WiFi and RA being a bit slow at times. I always have problems if I try to do things too fast on the RA.
Re: Suggestion to limit connections to wifi attachment
So how does the portal key work? Will Reeftronics/Aquaticlog still work? Does it limit people from being able to connect to my RA at port 2000 and changing stuff? Does the android app work with it?
Re: Suggestion to limit connections to wifi attachment
portal will only accept data if the key matches.
Roberto.
Re: Suggestion to limit connections to wifi attachment
lnevo wrote: I do not use any authentication =/ I know I know... so I don't get those errors.
good for you. I don't either. although, i do run on a non standard port and i do not have my ip or domain published. =)
Sent from my iPad mini
Re: Suggestion to limit connections to wifi attachment
AlanM wrote: So how does the portal key work? Will Reeftronics/Aquaticlog still work? Does it limit people from being able to connect to my RA at port 2000 and changing stuff? Does the android app work with it?
it should not matter with the android app since the app just pulls data from the controller or portal. like roberto said, the portal just will not accept data if the key does not match.
Sent from my iPad mini
Re: Suggestion to limit connections to wifi attachment
rimai wrote: portal will only accept data if the key matches.
OK. So it just prevents someone from loading their own reefangel data into my portal settings and booting mine out, but doesn't prevent them from connecting to my reefangel IP address and changing things?
Re: Suggestion to limit connections to wifi attachment
I thought it was required to read and write to the RA as well. Is that not the case?
Re: Suggestion to limit connections to wifi attachment
lnevo wrote: I thought it was required to read and write to the RA as well. Is that not the case?
i thought everything was like this:
- wifi authentication limits read and write access to the RA (except the /sa which always is a read only, but this needs to be confirmed). so you create a username & password combination to access the RA.
- portal key limits the sending of data to the portal from the RA with the matching key
Re: Suggestion to limit connections to wifi attachment
There is an open issue pending testing and approval.
Branch issue71: https://github.com/reefangel/Libraries/issues/71
There is a mention about this branch in here:
http://forum.reefangel.com/viewtopic.php?p=22824#p22824
If anyone wants to test it, we can merge to dev and include to next release.
It will require some changes in the apps and in the portal code.
I'll also have to revisit this to refresh my memory.
Roberto.
Re: Suggestion to limit connections to wifi attachment
OK. the /sa location is supposed to let people in without authentication, from what I understood, but I just had to disable authentication in order for reeftronics to be able to reliably connect. I never had a problem with the app because it actually does the authentication
Russ uses the /sa to get his data, but he very frequently gets a 401 access denied message with that URL even though it's not supposed to have auth on it.
I opened up an issue on this and one other here:
https://github.com/reefangel/Libraries/issues/217
where sometimes Russ gets a response back to his /sa query which looks like traffic which is supposed to go to the portal.
In the meantime, how do I switch the port that the RA runs on since I have auth currently disabled? I assume I'll need to do it in the .ino file because the RA needs to tell the portal what port to use.
Re: Suggestion to limit connections to wifi attachment
AlanM wrote: In the meantime, how do I switch the port that the RA runs on since I have auth currently disabled? I assume I'll need to do it in the .ino file because the RA needs to tell the portal what port to use.
This is handled at your firewall/router. You need to tell the firewall to forward port 12345 to port 2000 on the RA. Or whatever port you want to use instead of 2000. You can use any port from 1024 through 65535. Whatever port you pick, I would keep it private though, so nobody else knows. Typically the higher port numbers are used by outgoing connections (like your web browser traffic when you browse the web) and the low number ports (below 1024) are used for servers for common, well known protocols.
Then, you must update the following:
- Portal to use the new port
- Apps to use the new port
- whatever else to use the new port
This is exactly how I do it and it is pretty simple. My router allows me to change the ports around like that and I'm assuming others do too.
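The two ideas in this thread (the first post's "only allow forwarding in from the portal and the logging services" and binder's "forward a non-standard external port to port 2000 on the RA") can be combined in one firewall ruleset on a DD-WRT style router, since DD-WRT exposes iptables. The script below is an added example, not code from this thread or from the Reef Angel project: it emits the iptables rules rather than applying them, so they can be reviewed first. The WAN interface name (vlan2), the controller's LAN address, and the three allowlisted addresses are assumed/constructed placeholders; replace them with your own values and with the addresses the portal, Reeftronics and AquaticLog actually connect from. Scanner hits that do not come from an allowlisted source are never translated to the RA, so they land on the router's INPUT chain, where they are logged (rate-limited) and dropped, which also makes the "hammering" visible in the router log.

```shell
#!/bin/sh
# Added example, not code from this thread or from Reef Angel: emit iptables rules for
# a DD-WRT style router that forward a non-standard external port to the controller's
# port 2000, and only from an allowlist of source addresses (portal, logging services).
# Interface name, LAN address and the allowlisted addresses are assumed/constructed
# placeholders; replace them with your own values.

WAN_IF="${WAN_IF:-vlan2}"         # assumed WAN interface name on the router
RA_IP="${RA_IP:-192.168.1.50}"    # assumed LAN address of the controller (constructed)
RA_PORT="${RA_PORT:-2000}"        # port the wifi attachment listens on
EXT_PORT="${EXT_PORT:-12345}"     # non-standard external port, as suggested in the thread

# Constructed placeholder addresses standing in for the portal, Reeftronics and
# AquaticLog. Resolve the real hostnames yourself and put those addresses here.
ALLOWED_SOURCES="${ALLOWED_SOURCES:-203.0.113.10 198.51.100.20 192.0.2.30}"

# Print the rules rather than applying them, so they can be reviewed (or checked by a
# test) before being run on the router with APPLY=1.
gen_rules() {
    for src in $ALLOWED_SOURCES; do
        # Rewrite the destination only for packets from an allowlisted source...
        echo "iptables -t nat -A PREROUTING -i $WAN_IF -s $src -p tcp --dport $EXT_PORT -j DNAT --to-destination $RA_IP:$RA_PORT"
        # ...and let that rewritten connection cross from WAN to LAN (inserted at the
        # head of FORWARD so it sits above DD-WRT's own drop rules).
        echo "iptables -I FORWARD -i $WAN_IF -s $src -p tcp -d $RA_IP --dport $RA_PORT -j ACCEPT"
    done
    # Packets from anyone else are never translated, so they end up at the router's
    # INPUT chain: log a rate-limited sample (to see the scanner hits) and then drop
    # them. Explicit positions 1 and 2 keep LOG above DROP.
    echo "iptables -I INPUT 1 -i $WAN_IF -p tcp --dport $EXT_PORT -m limit --limit 5/min -j LOG --log-prefix 'RA-PROBE: '"
    echo "iptables -I INPUT 2 -i $WAN_IF -p tcp --dport $EXT_PORT -j DROP"
}

# Dry run by default; APPLY=1 pipes the generated rules into a shell on the router.
if [ "${APPLY:-0}" = "1" ]; then
    gen_rules | sh
else
    gen_rules
fi
```

Run it once as a dry run to read the eight rules it produces, then with APPLY=1 on the router. On DD-WRT the same lines belong in the firewall script under Administration so they survive a reboot. Note that the allowlist is by address, so if a service changes its address the forward silently stops working for it; re-resolve the names when that happens rather than widening the rule.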
Re: Suggestion to limit connections to wifi attachment
binder wrote: This is handled at your firewall/router. You need to tell the firewall to forward port 12345 to port 2000 on the RA. Or whatever port you want to use instead of 2000.
Great. Easy enough to do. Thanks. I'll update the port with Russ and AquaticLog too.
Re: Suggestion to limit connections to wifi attachment
If you did want to change the port the RA listens to it's a setting in the wifi module.