Lieven Hollevoet edited this page Sep 22, 2014 · 1 revision

Securing Misterhouse Web Access with Apache2 Mod_Proxy

The security inside Misterhouse has not been, nor is it likely that it will ever be, thoroughly tested and secured. As a result, if you plan on allowing access to the Misterhouse web panel over the internet, you should take some precautions to ensure the security of your house and network.

The following is a short writeup of what I did. I use this type of setup for a lot of web enabled devices in my house.

Summary

In this setup, Misterhouse is not directly connected to the internet. Instead, a web server inside my network acts as a proxy for all requests made to Misterhouse. I then set up location-based authentication within my server. Finally, I use a monitoring program to look for failed login attempts and ban IP addresses with repeated failures.

Additionally, as Michael pointed out on the mailing list, if you intend on logging into Misterhouse on any public network, you will need to enable SSL.

What you need

- Linux. I used Ubuntu but have done the same on Debian in the past. This may be adaptable to other OSs.
- A firewall of some sort; a NAT router will suffice
- Apache2
- Mod_Proxy - http://httpd.apache.org/docs/2.2/mod/mod_proxy.html
- An SSL Cert - you can get a free one here - http://cert.startcom.org
- Fail2Ban - http://www.fail2ban.org/

Steps

1. Block access to the Misterhouse port on your firewall (remove the port forwarding in your NAT)
2. Forward port 80 (optionally 443 as well) to your internal webserver
3. Install Apache2 and Fail2Ban
4. Enable Mod_Proxy, Mod_Auth, and Mod_SSL
5. Create an apache2 password file and save it somewhere protected
6. I create a new "site" for each subdomain in sites-available
7. In the *:80 virtual host, redirect all traffic to https://
8. Make an SSL virtual host site config file
9. Within the site config file add ProxyPass and ProxyPassReverse entries
10. Within the site config add a <Location> tag to protect access to the entire subdomain
11. Set up the AuthType, AuthName, AuthUserFile and Require valid-user in the Location tag
12. Restart Apache
13. Test out your creation
14. Set up Fail2Ban
15. Enable the apache-auth jail
16. Test out logging in with bad credentials (do this from an external network like your cell phone)
17. PROFIT!
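
One way steps 7 through 11 can fit together in a single site config file. This is an added example, not the author's actual configuration. The hostname mh.example.com, the internal address 192.168.1.50:8080, and all file paths are placeholder assumptions to replace with your own values.

```apache
# Step 7: the plain-HTTP virtual host only redirects to HTTPS,
# so credentials are never sent in the clear.
<VirtualHost *:80>
    # Placeholder hostname (assumption)
    ServerName mh.example.com
    Redirect permanent / https://mh.example.com/
</VirtualHost>

# Step 8: the SSL virtual host that fronts Misterhouse.
<VirtualHost *:443>
    ServerName mh.example.com

    SSLEngine on
    # Placeholder certificate and key paths (assumption)
    SSLCertificateFile    /etc/apache2/ssl/mh.example.com.crt
    SSLCertificateKeyFile /etc/apache2/ssl/mh.example.com.key

    # Reverse proxy only. Leaving forward proxying off keeps the
    # server from becoming an open proxy for arbitrary destinations.
    ProxyRequests Off

    # Step 9: pass every request to the internal Misterhouse web
    # server and rewrite its redirects on the way back.
    # Placeholder internal address and port (assumption)
    ProxyPass        / http://192.168.1.50:8080/
    ProxyPassReverse / http://192.168.1.50:8080/

    # Steps 10 and 11: require a valid login for the whole subdomain,
    # so no request reaches Misterhouse unauthenticated.
    <Location />
        AuthType Basic
        AuthName "Misterhouse"
        # Password file from step 5, stored outside any served
        # directory. Placeholder path (assumption)
        AuthUserFile /etc/apache2/passwd/misterhouse.htpasswd
        Require valid-user
    </Location>

    # Failed logins are written to the error log. The logpath of the
    # Fail2Ban apache-auth jail (step 15) has to cover this file.
    ErrorLog ${APACHE_LOG_DIR}/mh_error.log
</VirtualHost>
```

Running `apache2ctl configtest` before the restart in step 12 catches syntax errors in the new site file.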

Resources

I realize this is an absurdly abbreviated set of instructions, but all of this material already exists out there and has been written by much more knowledgeable people than me.

- Installing Apache on Ubuntu - http://www.maketecheasier.com/install-and-configure-apache-in-ubuntu/2011/03/09
- Creating a new subdomain on Apache (you can skip the HTML pages creation) - https://www.digitalocean.com/community/articles/how-to-set-up-apache-virtual-hosts-on-ubuntu-12-04-lts
- Setting up ProxyPass - http://boriskuzmanovic.wordpress.com/2006/10/20/apaches-proxypass-on-ubuntu/
- Setting up SSL on Apache with a self signed cert - https://www.digitalocean.com/community/articles/how-to-create-a-ssl-certificate-on-apache-for-ubuntu-12-04
- Setting up the Startcom SSL - https://www.startssl.com/?app=21
- Setting up Authentication in Apache - http://doc.norang.ca/apache-basic-auth.html
- How to protect SSH with Fail2Ban - https://www.digitalocean.com/community/articles/how-to-protect-ssh-with-fail2ban-on-ubuntu-12-04
- Setup Fail2Ban to Monitor Apache-Auth Failures - https://github.com/miniwark/miniwark-howtos/wiki/Fail2Ban-setup-for-Apache
