Need Ethernet Relay Control Suggestion

[rcbuck]

I am looking for a reasonably priced Ethernet controlled relay board. I need to control 4 relays. The unit should have a decent built-in web server interface with feedback as to the current state of the relays.

I have found several on Ebay and Amazon. However, most people complain about lack of documentation and poor software. One big problem if there is documentation, it appears to only be in Chinese or very poorly translated English.

Others that I have found appear to only work with a Smart phone and a cloud server. I do not own a Smart phone and never intend to own one. I need to control the relays with a web browser directly. The other absolute requirement is that a username/password will be required to access the web page. Most of the units I have found have no security. I intend to port forward through my router for control outside of my network.

Has anyone purchased a unit that they can recommend? I would only like suggestions from actual purchasers/users, no "this one looks like it would do the job" type of response. 

[rcbuck]

After more research, I found one that should work. https://acroname.com/store/r401-ds3484?sku=R401-DS3484

The relay module is apparently manufactured by a company in the UK. The website is for their US distributor. The documentation on the website looks good and the web interface is nice and simple.

[nfmax]

I have one of those I bought for £12 from a UK distributor as 'end of line' deal. I regret to say I haven't yet found time to play with it, but it looks well made, and very well documented. Devantech have been around making these kinds of boards for decades. I think they started out making little 8051 SBCs.

Anything you would like me to try out for you? It might give me an excuse to play with it!

[tablatronix]

National control devices llc has alot of flexible options, prices are $$

[rcbuck]

nfmax, Thanks for the offer to test. I downloaded the manual and read through it. This unit has lots of capabilities - far more than I need. I just needed to turn a couple of relays on and off. After reading the manual and how to set it up, I feel comfortable with ordering one. I will do that on Tuesday (Monday is holiday in US).

From reading the setup instructions and other things in the manual, I'm fairly sure the board is using some type of Microchip processor, probably a PIC32. Maybe I'll be able to tell when I receive the board.

[nfmax]

Yes - it's a PIC 32MX79F512L

[gnif]

I intend to port forward through my router for control outside of my network.

  You're just asking for trouble by doing this. Normally if you need to expose something like this you should put it behind a reverse proxy that performs the authentication/filtering/security, etc. Remember that any device that the world can connect to is potentially a way into the rest of your network, and I can't imagine these cheap Chinese devices being very secure (ie, buffer overflow on the username/password or HTTP headers).

As far as devices go, I have been programming up a project that uses the ESP8266 for some basic stuff on my network and just finished writing a complete RFC compliant HTTP server for it that fits in just over 1K of RAM. It wouldn't take much more effort to add authentication and make it control a bank of relays. Even still I would not connect it to the internet directly, its just plain dangerous.

Edit: The proxy could be something like a RPi running Raspian + Nginx, and then you could also put SSL on it and make the comms encrypted. Nginx could also handle the authentication, then it wouldn't matter what device you use provided you trust your local network.

[Red Squirrel]

Not sure about cheapest, but most versatile and commonly available would be a Raspberry PI.

Also don't port forward stuff like that directly.  Rather, setup a VPN server and VPN to the server to then connect to it that way.  Or a simpler solution is to use SSH and use a SSH tunnel.   Make sure you enable something like fail2ban for brute force protection.  I also like running SSH on a non default port as it keeps the log files clean of bots. And adds a (tiny) layer of security through obscurity. You don't want to rely on security through obscurity, but it does help to act as a "pre filter" so to speak.  Ex: a random hacker probably won't even find you as he's just looking for low hanging fruit by scanning specific ports and will go after that first.

[gnif]

Not sure about cheapest, but most versatile and commonly available would be a Raspberry PI.

Also don't port forward stuff like that directly.  Rather, setup a VPN server and VPN to the server to then connect to it that way.  Or a simpler solution is to use SSH and use a SSH tunnel.   Make sure you enable something like fail2ban for brute force protection.  I also like running SSH on a non default port as it keeps the log files clean of bots. And adds a (tiny) layer of security through obscurity. You don't want to rely on security through obscurity, but it does help to act as a "pre filter" so to speak.  Ex: a random hacker probably won't even find you as he's just looking for low hanging fruit by scanning specific ports and will go after that first.

HTTP auth over SSL (HTTPS) using Apache or Nginx is just as secure as SSH (actually likely more secure as it verifies the certificates instead of just a fingerprint) and simpler to access as he wont need to mess with setting up tunnels. If scanning is an issue, do the same thing, run the HTTP server on a non standard port.

If you do use SSH, don't bother with passwords, setup your key and disable password authentication, then you don't need to mess with things like fail2ban as brute forcing becomes impossible anyway.

[ebclr]

One possible option is this little board from olimex

http://www.olimex.com/Products/IoT/ESP32-EVB/open-source-hardware

[Kjelt]

Or a simpler solution is to use SSH and use a SSH tunnel.   
Make sure you enable something like fail2ban for brute force protection.  I also like running SSH on a non default port as it keeps the log files clean of bots. And adds a (tiny) layer of security through obscurity

Never leave an ssh port open 24/7 even on other ports it is trivial.
If you like this kind of hiding you are better of using port knocking, or better an own out band controlled signal like email, gsm, phone. Of ourse with a time out closing the port afterwards.
https://en.m.wikipedia.org/wiki/Port_knocking

[Monkeh]

Or just secure things correctly and leave the port open.

[gnif]

Or a simpler solution is to use SSH and use a SSH tunnel.   
Make sure you enable something like fail2ban for brute force protection.  I also like running SSH on a non default port as it keeps the log files clean of bots. And adds a (tiny) layer of security through obscurity

Never leave an ssh port open 24/7 even on other ports it is trivial.
If you like this kind of hiding you are better of using port knocking, or better an own out band controlled signal like email, gsm, phone. Of ourse with a time out closing the port afterwards.
https://en.m.wikipedia.org/wiki/Port_knocking

If you're that paranoid or your security is that critical then you should be using google authentication aswell for one time passwords. Port knocking is useless these days, just setup your public key on the server and disable password authentication, or put it on a VPN as Red Squirrel suggested, or both. And FYI just using ssh keys is better security then some of the financial institutions I have contracted for in the past where security should be paramount (which I fixed btw).

[voltsandjolts]

An embedded device running, say, FreeRTOS+LWIP has a lower chance of being exploited on the open internet than the reverse proxy devices that people are suggesting are used to protect/firewall it. I mean, it's a custom device requiring target specific exploits to be discovered (what nerd would spend time on that?), no command shell, no scripting, binary executable in FLASH (disable RAM execution) and with infinitely simpler code (compared to full OS of some kind) which in itself reduces probablity of exploits.

....and you better keep that proxy OS updated or some port scanner will find it and use a yet-to-be-discovered expolit (shellshock, heartbleed part deux).

That said, I wouldn't use the relays to control something valuable.

IMHO

[tablatronix]

If this is mission critical do not forget the chance of DOS attacks also.

[Zero999]

Security is a valid concern but it might not be a problem. For example if all they want to do is switch some lights on and off, I doubt they'll be that bothered if someone hacks it.

[ebclr]

By the concerns, I guess is a nuclear missile launch trigger system

[cdev]

The security concern is that somebody could hack your Linux SBC and then use it as part of a botnet..



But- to answer - use an SBC (like the  RaspberryPi) and a USB connected arduino -  If you don't want to do any real arduino programming you can use the Firmata library.

https://github.com/firmata/arduino

You could actually use any computer that runs any modern OS that supports firmata..You dont have to use that but it is made for toggling or adjusting the state - or reading digital or analog pins on an arduino board.. and it is called from other applications. You typically need to either use a very low current relay or use a transistor to drive a relay.

http://forum.arduino.cc/index.php?board=12.0

To speak between your web server and firmata you will use whatever web CGI/middleware you prefer . For example, you could use zope to create a pretty user interface using something like:

https://pypi.python.org/pypi/pyFirmata

Thats the benefit of free software. This combination is extremely powerful. You can do almost anything as far as controlling external hardware. Once you figure out what you want to do,  the total cost could be very very little.

You could throw in a relational database to save the state and changes in a log..

[SeanB]

By the concerns, I guess is a nuclear missile launch trigger system

No, that still has a set of meat bags in the loop, and has authentication, using a code of the day to enable the opening of a one time pad, which is then used to decode a message that provides the code required to enable the buttons only. You still need 2 people in the room, far enough away so that you need two, to turn the switches ( key switches, yet another layer of physical token) near simultaneously to enable the system for launch. After that is is pure Dr Strangelove.

[cdev]

Must see

 


Turns out the people who were making Dr. Strangelove guessed the nuclear attack control systems so well that there was concern that they had been given secrets they should not have.

Quote from: ebclr on Today at 10:50:03

By the concerns, I guess is a nuclear missile launch trigger system

No, that still has a set of meat bags in the loop, and has authentication, using a code of the day to enable the opening of a one time pad, which is then used to decode a message that provides the code required to enable the buttons only. You still need 2 people in the room, far enough away so that you need two, to turn the switches ( key switches, yet another layer of physical token) near simultaneously to enable the system for launch. After that is is pure Dr Strangelove.

[yada]

After more research, I found one that should work. https://acroname.com/store/r401-ds3484?sku=R401-DS3484

The relay module is apparently manufactured by a company in the UK. The website is for their US distributor. The documentation on the website looks good and the web interface is nice and simple.

66.49? Is that UK pounds? Well I guess thanks to Brexit that's not too expensive.

What are you using this for home automation?

[rcbuck]

You're just asking for trouble by doing this

I am not using a standard router for my network. I have a Linux box with 2 Ethernet interfaces running IP tables for security. I use the hosts.allow and hosts.deny to control who is allowed to access my network from the outside world. The module I referred to allows a password length of up to 200 characters. If I set a password length of 30 characters with a comination of numbers, special characters, upper case, and lower case it will be secure.

And adds a (tiny) layer of security

I worked as a Unix admin for 10 years until I retired. You are correct about changing the SSH port to a different number. That will slow the robot port scanners down by about 30 seconds.

Or a simpler solution is to use SSH and use a SSH tunnel.

The unit allows text control strings so SSH with keys would be a viable option for someone who does not have much control over traffic coming in from the outside world. The unit also allows AES commands which is more secure if someone wanted to use SSH.

What are you using this for home automation?

I am going to be away from home for a couple of months. I have an electronic water shutoff valve that keeps the water supply to the house turned off. If a pipe were to break it could cause serious damage to the house. I will log into the relay control box a few days days per week at a specific time of day and turn the water on.  My sprinkler control system will then have water available to water the plants and lawn. The 66.49 price is USD from their US distributor.