Since I wasn’t happy with the DDoS/login protection given by pimatic itself, I added some “fake” security to it using fail2ban. I am calling this fake security, since you don’t prevent attacks, you just deal with them by banning the attacker for a given time.
I am assuming you have fail2ban ready and set up. Since pimatic isn’t logging failed logins, we need another service to log those failed logins: apache2 is our friend! I am using different subdomains on my local server, one for pimatic (e.g. smarthome.mydomain.com) and others (cloud.mydomain.com), and have an error/access logfile for each of them.
My pimatic vhost looks like this:
#### Smart Home (smarthome.mydomain.com) #####
<VirtualHost *:443>
ServerName smarthome.mydomain.com
####Configuration for SSL #####
Header always add Strict-Transport-Security "max-age=15768000"
SSLEngine on
SSLHonorCipherOrder on
SSLCipherSuite 'EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA:EECDH:EDH+AESGCM:EDH:ECDH+AESGCM:ECDH+AES:ECDH:HIGH:MEDIUM:!RC4:!3DES:!CAMELLIA:!SEED:!aNULL:!MD5:!eNULL:!LOW:!EXP:!DSS:!PSK:!SRP'
SSLProtocol all -SSLv2 -SSLv3
SSLCompression off
# Let's encrypt ssl files
SSLCertificateFile /etc/letsencrypt/live/mydomain/cert.pem
SSLCertificateKeyFile /etc/letsencrypt/live/mydomain/privkey.pem
Include /etc/letsencrypt/options-ssl-apache.conf
SSLCertificateChainFile /etc/letsencrypt/live/mydomain/chain.pem
ProxyVia On
ProxyRequests off
ProxyPreserveHost On
<Proxy *>
Order allow,deny
Allow from all
</Proxy>
ProxyPass / http://127.0.0.1:8080/
LogLevel warn
ErrorLog /var/log/apache2/smarthome.mydomain.com-error.log
CustomLog /var/log/apache2/smarthome.mydomain.com-access.log common
</VirtualHost>
As you can see, pimatic is running on port 8080 and all connections coming to smarthome.mydomain.com are proxied to pimatic.
For fail2ban we’ll need a custom filter and jail.
pimatic.conf in /etc/fail2ban/filter.d/:
# Fail2Ban pimatic filter
#log entry looks like this:
# 233.122.126.115 - - [20/Jan/2017:11:32:00 +0100] "POST /login HTTP/1.1" 401 621
[INCLUDES]
[Definition]
failregex = <HOST> - - .* .*(POST|GET) .*(\/login|/api/.*) HTTP.* 401 .*$
ignoreregex =
This will catch failed logins (HTTP status 401) for the web interface and API requests.
custom jail (logpath has to point at the access log the vhost above writes via CustomLog):
[pimatic]
enabled = true
port = https
filter = pimatic
logpath = /var/log/apache2/smarthome.mydomain-access.log
maxretry = 3
bantime = 1800
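To see what the filter and jail above actually do before touching a live box, here is an added example (not part of the original post and not pimatic or fail2ban code) that applies the failregex to a few constructed common-log-format lines and replays the jail's maxretry logic over them. It assumes fail2ban's default findtime of 600 seconds, since the jail does not set one, and stands in a simplified host-capture group for fail2ban's <HOST> placeholder; the sample addresses are constructed documentation ranges.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# The failregex from pimatic.conf above. fail2ban expands <HOST> into its own
# host-capture expression; this simplified stand-in (assumption) behaves the
# same way on the IPv4 access-log lines used here.
HOST = r"(?P<host>[\w\-.^_]*\w)"
FAILREGEX = re.compile(HOST + r" - - .* .*(POST|GET) .*(\/login|/api/.*) HTTP.* 401 .*$")

# Settings from the [pimatic] jail; findtime is fail2ban's default (assumption:
# the jail above does not override it).
MAXRETRY = 3
FINDTIME = timedelta(seconds=600)

# Timestamp as written by apache's "common" log format.
TIMESTAMP_RE = re.compile(r"\[(\d{2}/\w{3}/\d{4}:\d{2}:\d{2}:\d{2}) [+-]\d{4}\]")

# Constructed sample access log (RFC 5737 documentation addresses):
#  - 192.0.2.10   fails three times within seconds  -> should be banned
#  - 198.51.100.7 fails once, then logs in           -> must not be banned
#  - 203.0.113.5  two old failures, one much later   -> outside findtime, not banned
SAMPLE_LOG = """\
192.0.2.10 - - [20/Jan/2017:11:32:00 +0100] "POST /login HTTP/1.1" 401 621
192.0.2.10 - - [20/Jan/2017:11:32:05 +0100] "POST /login HTTP/1.1" 401 621
192.0.2.10 - - [20/Jan/2017:11:32:09 +0100] "GET /api/devices HTTP/1.1" 401 123
198.51.100.7 - - [20/Jan/2017:11:33:00 +0100] "POST /login HTTP/1.1" 401 621
198.51.100.7 - - [20/Jan/2017:11:33:04 +0100] "POST /login HTTP/1.1" 200 1532
198.51.100.7 - - [20/Jan/2017:11:33:10 +0100] "GET /api/variables HTTP/1.1" 200 845
203.0.113.5 - - [20/Jan/2017:09:00:00 +0100] "POST /login HTTP/1.1" 401 621
203.0.113.5 - - [20/Jan/2017:09:00:30 +0100] "POST /login HTTP/1.1" 401 621
203.0.113.5 - - [20/Jan/2017:11:40:00 +0100] "POST /login HTTP/1.1" 401 621
"""


def match_failure(line):
    """Return the client host if the line is a 401 on /login or /api/, else None."""
    m = FAILREGEX.search(line)
    return m.group("host") if m else None


def parse_time(line):
    """Extract the request timestamp (offset ignored, all lines share one zone)."""
    m = TIMESTAMP_RE.search(line)
    return datetime.strptime(m.group(1), "%d/%b/%Y:%H:%M:%S") if m else None


def hosts_to_ban(lines, maxretry=MAXRETRY, findtime=FINDTIME):
    """Replay the jail: a host is banned once it has maxretry matches inside findtime."""
    recent = defaultdict(list)   # host -> timestamps of matches still inside findtime
    banned = []
    for line in lines:
        host = match_failure(line)
        if host is None:
            continue
        ts = parse_time(line)
        if ts is None:
            continue
        window = [t for t in recent[host] if ts - t <= findtime]
        window.append(ts)
        recent[host] = window
        if len(window) >= maxretry and host not in banned:
            banned.append(host)
    return banned


if __name__ == "__main__":
    for line in SAMPLE_LOG.splitlines():
        print("MATCH " if match_failure(line) else "ignore", line)
    print("would ban:", hosts_to_ban(SAMPLE_LOG.splitlines()))
```

The replay also shows the gap the filter leaves: a host that fails once and then authenticates is never counted, and failures spread out beyond findtime never add up, so maxretry and findtime should be tuned together with bantime rather than in isolation.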
Reload fail2ban and check whether it’s working:
$ fail2ban-regex --print-all-matched /var/log/apache2/smarthome.mydomain.log /etc/fail2ban/filter.d/pimatic.conf
Running tests
=============
Use failregex filter file : pimatic, basedir: /etc/fail2ban
Use log file : /var/log/apache2/smarthome.mydomain-access.log
Use encoding : UTF-8
Results
=======
[...]
Lines: 202 lines, 0 ignored, 7 matched, 195 missed [processed in 0.10 sec]
Hope this helps someone