EEVblog Electronics Community Forum

Products => Computers => Networking & Wireless => Topic started by: Muffins on April 13, 2020, 01:00:20 pm

Title: Local webserver question.
Post by: Muffins on April 13, 2020, 01:00:20 pm
I'm looking into home automation.

One of the aspects I'm investigating is controlling devices with a Raspberry Pi or similar SBC hosting a local webserver. Then viewing the webpages from another device on the network to provide inputs.

How do I make sure this is local only? So only devices on the network can access the server.

What if this is the same network where devices connect to the internet? Would the device such as a smartphone be able to access the internet and the local website?
Title: Re: Local webserver question.
Post by: greenpossum on April 13, 2020, 01:53:33 pm
Sure, happens all the time. Usually what happens is that your home router serves a private network within one of 3 designated ranges (10.0.0.0/8, 172.16.0.0/12 or 192.168.0.0/16). Addresses in these ranges are guaranteed never to appear on the Internet. So there will be no clash between your local webserver and external webservers. And the router will not allow external hosts to access your LAN, except for services you might create pinhole mappings for (most people don't, because unless done correctly, it's a hazard). Unless your router (or another host on the LAN) provides name services, you'll have to address your device by IP address.
Title: Re: Local webserver question.
Post by: madires on April 13, 2020, 02:55:18 pm
Sure, happens all the time. Usually what happens is that your home router serves a private network within one of 3 designated ranges (10.0.0.0/8, 172.16.0.0/12 or 192.168.0.0/16). Addresses in these ranges are guaranteed never to appear on the Internet.

Wishful thinking! To be sure you need to add anti-spoof filter rules to the router's firewall.
Title: Re: Local webserver question.
Post by: madires on April 13, 2020, 03:00:11 pm
To allow only clients of a specific network (e.g. 192.168.0.0/24) to access an Apache webserver, add the following to the configuration:
Code:
  Require ip 192.168.0.0/24
Title: Re: Local webserver question.
Post by: greenpossum on April 13, 2020, 03:04:57 pm
Wishful thinking! To be sure you need to add anti-spoof filter rules to the router's firewall.

IP filter rulesets should not forward local addresses coming from external interfaces. If you are paranoid then run your own firewall.
Title: Re: Local webserver question.
Post by: greenpossum on April 13, 2020, 03:13:06 pm
To allow only clients of a specific network (e.g. 192.168.0.0/24) to access an Apache webserver, add the following to the configuration:
Code:
  Require ip 192.168.0.0/24

Configure and activate the iptables rules as well, if the RPi runs Linux, since you're that worried.
Title: Re: Local webserver question.
Post by: madires on April 13, 2020, 03:24:34 pm
Wishful thinking! To be sure you need to add anti-spoof filter rules to the router's firewall.

IP filter rulesets should not forward local addresses coming from external interfaces. If you are paranoid then run your own firewall.

The problem is that we can't rely on "should not" and that every vendor does the right thing. It needs to be verified. The cheap plastic boxes, also called SOHO routers, often come with nasty surprises unfortunately.
Title: Re: Local webserver question.
Post by: greenpossum on April 13, 2020, 03:28:44 pm
Don't forget that your Internet provider will not route private addresses to your external IP address. For example if you're at the end of an ADSL line the other end will be a DSLAM then an industrial router.
Title: Re: Local webserver question.
Post by: madires on April 13, 2020, 03:51:23 pm
What about DS-Lite? And some providers set up a second channel for remote management (mostly for business customers) using RFC1918 address space.
Title: Re: Local webserver question.
Post by: greenpossum on April 13, 2020, 04:11:49 pm
Well then it depends on how much you trust your remote manager not to try to hack your gateway.

Another barrier is that gateways are set up to NAT which means that both forwarding and NAT are in place for outgoing connections so if a packet with a private IP manages to arrive at the external interface, it would have to be both forwarded as well as being part of a NAT association. That has to be explicitly set up in the gateway as a pinhole.

All in all the multiple barriers make this avenue of hacking pretty slim. You're more likely to be hacked by phishing emails, or rogue apps.
Title: Re: Local webserver question.
Post by: Muffins on April 14, 2020, 08:02:29 pm
Sure, happens all the time. Usually what happens is that your home router serves a private network within one of 3 designated ranges (10.0.0.0/8, 172.16.0.0/12 or 192.168.0.0/16). Addresses in these ranges are guaranteed never to appear on the Internet. So there will be no clash between your local webserver and external webservers. And the router will not allow external hosts to access your LAN, except for services you might create pinhole mappings for (most people don't, because unless done correctly, it's a hazard). Unless your router (or another host on the LAN) provides name services, you'll have to address your device by IP address.

Okay so when I address the device by its IP address (if I'm understanding correctly the device is what is hosting the webserver), is that done through the browser on another device on the local network?

Secondly, if I wanted to access it remotely could I use a VPN to access the local network and connect as above?

Sorry, I'm ignorant in this field and it's a lot to take in.
Title: Re: Local webserver question.
Post by: MarkR42 on April 14, 2020, 10:03:34 pm
Unfortunately, you may need to ensure that your web app has CSRF protection.

https://en.wikipedia.org/wiki/Cross-site_request_forgery

While an attacker cannot route packets into a private network (regardless of your router settings; ISPs simply cannot route private IPs, because they have no idea where to send them, everyone uses them, so they just need to drop those packets), they can potentially cause your own machine(s) to send requests to your own equipment.

Some web services have been attacked this way, especially "localhost" / 127.0.0.1 servers which the developers naively assumed could only be attacked by a user of the local machine.

If you have a device which has a possibly-predictable IP address, web request parameters etc., then someone can write JavaScript which does "blind" attacks against it, sending commands that they can't receive a response to (at least, not directly) but still have an effect.

The usual solution is to ensure that all your web forms require an HTTP POST with an unguessable random "csrf token" field supplied, which is available in the web forms. An attacker can't read the contents of the form so won't be able to get the token.
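As an added example (not code from this thread or from any of the posters), here is how both of the points above, madires' "Require ip" allow-list and MarkR42's CSRF token, look together in a small stdlib-only Python server for the Pi. The 192.168.0.0/24 range, the 192.168.0.10 bind address and the "relay" control are assumptions.

```python
import hmac
import ipaddress
import secrets
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import parse_qs
# Assumed LAN range; the same policy as Apache's "Require ip 192.168.0.0/24".
ALLOWED_NETS = [ipaddress.ip_network("192.168.0.0/24")]
_TOKENS = set()  # tokens handed out with each rendered form, consumed on POST

def client_allowed(ip):
    """True only if the client's source address lies inside an allowed LAN range."""
    return any(ipaddress.ip_address(ip) in net for net in ALLOWED_NETS)

def issue_token():
    """Unguessable per-form token; a cross-site page cannot read it out of the form."""
    tok = secrets.token_urlsafe(32)
    _TOKENS.add(tok)
    return tok

def consume_token(tok):
    """Constant-time comparison; each token is accepted exactly once."""
    for known in list(_TOKENS):
        if hmac.compare_digest(known, tok or ""):
            _TOKENS.discard(known)
            return True
    return False

def handle_post(body):
    # Validate a form submission; returns (HTTP status, message).
    fields = parse_qs(body)
    if not consume_token(fields.get("csrf", [""])[0]):
        return 403, "missing or invalid CSRF token"
    return 200, "relay set to " + fields.get("relay", ["off"])[0]

class Handler(BaseHTTPRequestHandler):
    def do_GET(self):  # hand out the form with a fresh token embedded
        if not client_allowed(self.client_address[0]):
            return self.send_error(403, "LAN clients only")
        page = ('<form method="post"><input type="hidden" name="csrf" value="%s">'
                '<button name="relay" value="on">Relay on</button></form>' % issue_token())
        self.send_response(200); self.send_header("Content-Type", "text/html"); self.end_headers()
        self.wfile.write(page.encode())
    def do_POST(self):  # state changes only via POST carrying a valid token
        if not client_allowed(self.client_address[0]):
            return self.send_error(403, "LAN clients only")
        body = self.rfile.read(int(self.headers.get("Content-Length", 0))).decode()
        status, msg = handle_post(body)
        self.send_response(status); self.end_headers(); self.wfile.write(msg.encode())
if __name__ == "__main__":  # assumed Pi LAN address; bind there rather than on 0.0.0.0
    HTTPServer(("192.168.0.10", 8080), Handler).serve_forever()
```

A GET without a valid LAN source address is refused before any form is served, and a POST forged from a third-party page fails the token check even when the browser sits on the LAN.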
Title: Re: Local webserver question.
Post by: RenThraysk on May 14, 2020, 01:46:43 pm
If you want secure access to a web server, and still have access over the internet from any of your devices, I think the easiest method is to use Tailscale: https://tailscale.com/

The only drawback is the Android client is still in development, though beta testing is expected soon.

Installing on a Raspberry Pi: https://tailscale.com/kb/1025/install-rpi

Once you get the IP address Tailscale has assigned (it will be 100.x.y.z), set the web server to listen on that IP. And then from another device you have installed the Tailscale client on, browse to http://100.x.y.z/

Title: Re: Local webserver question.
Post by: rodpp on May 27, 2020, 08:13:27 am
If the OP wants local access to the server and not access from the Internet, they only need to configure Apache on it. Maybe open ports 80/443 on the server, if there's any firewall running.

The server will be no different from any other device (computers, cell phones, tablets, etc.) connected to the network. No need to worry more about it than about the other devices.

But to allow access to the server from the Internet, it is better to know exactly what you are doing. One safe approach is using a VPN.