Examples for securing/fortifying WC8 towards internet access?

donv

Member
Have a WC8 now set up as a "Garage Management System" and I would like to enable internet control securely. It is currently off the network. I know the board is not recommended to be directly connected to the internet, so I am curious as to how others have done this... a simple search has not turned anything up with details.
 
I do have a persistent Linux server on my home network and was thinking of setting up an internet-facing https secured login (.htaccess protected) page(s) on that which would connect across the home net to the WC8 to send/receive status commands via the documented cgi interface, with the password access on the WC8 disabled (as I understand it must be for scripted interfacing?).
 
Is this the best solution or are there other options I should consider? Any existing examples I could see or code to scrounge?
 
As this would control direct access into our home via the garage doors, I would like it to be robust. I hope to avoid doing something like VPN in order to keep it simple for my spouse, but I do have a Tomato powered router/firewall that is capable.
 
I have found the info on using stunnel for gmail hosted alerts and will set that up on the Linux box.
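An added example, not code from this thread or from CAI, of the gateway donv sketches: a small Python service on the home Linux box that terminates HTTPS, requires a login, and relays only a short allow-list of commands to the WC8's CGI interface on the LAN. The WC8 address, the CGI path, the parameter name and the command names are placeholders (the real ones come from the WC8 documentation); the credentials are constructed sample values.

```python
import base64
import hashlib
import hmac
import urllib.error
import urllib.parse
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer
from typing import Optional, Tuple

# Hypothetical LAN address of the WC8 and a placeholder CGI path; the real
# path and parameter names come from the WC8 documentation, not this example.
WC8_BASE_URL = "http://192.168.1.50:8080"
WC8_CGI_PATH = "/PLACEHOLDER_CGI_PATH"

# Placeholder names for the only operations the gateway will relay; anything
# else is refused before it can reach the board.
ALLOWED_COMMANDS = {"status", "toggle_door"}

# Gateway login stored as a salted PBKDF2 hash (constructed sample values).
GATEWAY_USER = "garage"
_SALT = b"constructed-salt-value"
_ITERATIONS = 200_000
GATEWAY_PASSWORD_HASH = hashlib.pbkdf2_hmac(
    "sha256", b"correct horse battery staple", _SALT, _ITERATIONS
)


def make_basic_auth_header(user: str, password: str) -> str:
    """Build the Authorization header a browser or script would send."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return "Basic " + token


def parse_basic_auth(header: Optional[str]) -> Optional[Tuple[str, str]]:
    """Decode an HTTP Basic Authorization header; None if absent or malformed."""
    if not header or not header.startswith("Basic "):
        return None
    try:
        raw = base64.b64decode(header[6:], validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    user, sep, password = raw.partition(":")
    return (user, password) if sep else None


def credentials_valid(user: str, password: str) -> bool:
    """Constant-time comparison of a submitted login against the stored hash."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, _ITERATIONS)
    user_ok = hmac.compare_digest(user.encode(), GATEWAY_USER.encode())
    return user_ok and hmac.compare_digest(candidate, GATEWAY_PASSWORD_HASH)


def build_wc8_url(command: str) -> Optional[str]:
    """Map an allow-listed command to the request the WC8 would receive."""
    if command not in ALLOWED_COMMANDS:
        return None
    query = urllib.parse.urlencode({"cmd": command})  # placeholder parameter name
    return f"{WC8_BASE_URL}{WC8_CGI_PATH}?{query}"


def authorize_request(auth_header: Optional[str], command: str) -> Tuple[int, Optional[str]]:
    """Decide one inbound request: (HTTP status, WC8 URL to relay or None)."""
    creds = parse_basic_auth(auth_header)
    if creds is None or not credentials_valid(*creds):
        return 401, None
    url = build_wc8_url(command)
    if url is None:
        return 400, None
    return 200, url


class GatewayHandler(BaseHTTPRequestHandler):
    """Internet-facing front end; the WC8 itself only ever sees the gateway."""

    def do_GET(self):
        query = urllib.parse.parse_qs(urllib.parse.urlparse(self.path).query)
        command = query.get("cmd", [""])[0]
        status, url = authorize_request(self.headers.get("Authorization"), command)
        if status == 401:
            self.send_response(401)
            self.send_header("WWW-Authenticate", 'Basic realm="garage"')
            self.end_headers()
            return
        if status == 400:
            self.send_error(400, "unknown command")
            return
        try:
            with urllib.request.urlopen(url, timeout=5) as reply:  # relay to the WC8
                body = reply.read()
        except (urllib.error.URLError, OSError):
            self.send_error(502, "WC8 unreachable")
            return
        self.send_response(200)
        self.send_header("Content-Type", "text/plain")
        self.end_headers()
        self.wfile.write(body)


if __name__ == "__main__":
    import ssl
    server = HTTPServer(("0.0.0.0", 8443), GatewayHandler)
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.load_cert_chain("gateway.crt", "gateway.key")  # operator-supplied certificate
    server.socket = ctx.wrap_socket(server.socket, server_side=True)
    server.serve_forever()
```

Because the WC8 only ever receives requests from the gateway's LAN address, its own allowed-host filter can be narrowed to that single address, so the login on the gateway is the control that matters, and leaving the WC8 password off for scripted use costs less than it otherwise would.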
 
donv said:
Have a WC8 now set up as a "Garage Management System" and I would like to enable internet control securely. It is currently off the network. I know the board is not recommended to be directly connected to the internet, so I am curious as to how others have done this... a simple search has not turned anything up with details.
 
I have a bunch of them on live IPs.
I've set a strong password, changed the port from the default of 80, and used the IP address filters in the network setup page to only permit access from a few trusted hosts. This may not be sufficient for your needs, but it has been for mine.
 
 
donv said:
I do have a persistent Linux server on my home network and was thinking of setting up an internet-facing https secured login (.htaccess protected) page(s) on that which would connect across the home net to the WC8 to send/receive status commands via the documented cgi interface, with the password access on the WC8 disabled (as I understand it must be for scripted interfacing?).
 
Yes, that's also entirely practical.
 
If you access it from a fixed IP address, the allowed host list will filter out anything else. Please make sure to remove 0.0.0.0 from the list when enabling allowed hosts; 0.0.0.0 means any IP address can access. However, if you set the filter totally wrong and can no longer access it, then you have to reset the board. Always have one entry for your local host IP address, so that if the others are wrong, you can go to that computer to log in and fix it; that will be helpful.
 
Using a higher port number and changing both the user name and password are all very good suggestions.
 
Thanks for the replies! Combining the IP host filter (set to the other server address) with the https secured page will probably then be my solution.
 
CAI_Support - does the IP address filter support wildcards or whole block allowance? E.g.: setting to 192.168.1.0 or 192.168.1.* or similar to allow any machine on the local subnet?
 
192.168.1.0 will allow up to 253 host IP addresses to connect to it.
Allowed hosts are restricted to a class C, or all (0.0.0.0, open to all IPs); allowed host checking does not support a class B IP range.
 
donv said:
Have a WC8 now set up as a "Garage Management System" and I would like to enable internet control securely. It is currently off the network. I know the board is not recommended to be directly connected to the internet, so I am curious as to how others have done this... a simple search has not turned anything up with details.
 
I do have a persistent Linux server on my home network and was thinking of setting up an internet-facing https secured login (.htaccess protected) page(s) on that which would connect across the home net to the WC8 to send/receive status commands via the documented cgi interface, with the password access on the WC8 disabled (as I understand it must be for scripted interfacing?).
 
Is this the best solution or are there other options I should consider? Any existing examples I could see or code to scrounge?
 
As this would control direct access into our home via the garage doors, I would like it to be robust. I hope to avoid doing something like VPN in order to keep it simple for my spouse, but I do have a Tomato powered router/firewall that is capable.
 
I have found the info on using stunnel for gmail hosted alerts and will set that up on the Linux box.
 
 
I was using coding of the transmitted data when reading from the server. You have to think about your own time-based rolling code. Unfortunately we are forced to do things with the WC which are not state of the art. I hope CES and IoT will motivate CAI to advance more quickly in terms of:
- security
- usability
- stability
- versatility
 
WC32 does support SSL-enabled email sending.
Since WC32-IO is ready (we co-developed it with Ross based on his successful WC8-IO board), WC32 will be available to the market.
Ross carries them.
 
CAI_Support said:
WC32 does support SSL-enabled email sending.
Since WC32-IO is ready (we co-developed it with Ross based on his successful WC8-IO board), WC32 will be available to the market.
Ross carries them.
 
In the long run, SSL for WEBSET and a new WEBGET would be good.
 
CAI_Support said:
192.168.1.0 will allow up to 253 host IP addresses to connect to it.
Allowed hosts are restricted to a class C, or all (0.0.0.0, open to all IPs); allowed host checking does not support a class B IP range.
Please clarify: is .0 equal to .*?
 
CAI_Support said:
No, the GUI takes 0 and does not take * in the GUI or firmware. But 192.168.1.0 means the whole class C.
 
Sorry again, only 192.168.1.0 or any address within the class C?
 
Efried said:
Sorry again, only 192.168.1.0 or any address within the class C?
 
192.168.1.0 is not a valid address for a host in the 192.168.1.0/24 subnet.
Therefore, it cannot be "only 192.168.1.0" and the only logical conclusion is that (as stated) it means "any host in the range 192.168.1.1 to 192.168.1.254"
(given that 192.168.1.255 whilst a valid address is not a valid host for the purposes of compliant subnet addressing, as .255 is reserved for broadcasts)
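An added example, not code from this thread or from CAI, that models the allowed-host semantics as CAI_Support and rossw describe them: a trailing .0 stands for the whole class C (hosts .1 to .254 of that /24), 0.0.0.0 admits every address, any other entry is a single host, and wildcards are rejected. It also runs the pre-flight checks CAI_Support recommends before enabling the filter (no 0.0.0.0 left in the list, and the local admin machine still admitted). That the firmware behaves exactly this way is an assumption drawn from the thread; the address lists are constructed.

```python
import ipaddress
from typing import List

OPEN_TO_ALL = ipaddress.IPv4Address("0.0.0.0")


def entry_admits(entry: str, client: str) -> bool:
    """Does one allowed-host entry admit this client address?

    Assumed semantics, taken from the thread: a host byte of 0 (192.168.1.0)
    stands for the whole class C, i.e. hosts .1 to .254 of that /24; 0.0.0.0
    admits every address; any other entry is a single host. Wildcards are not
    accepted, so '192.168.1.*' raises ValueError like the GUI would reject it.
    """
    net_entry = ipaddress.IPv4Address(entry)   # ValueError on '*' or a mask
    addr = ipaddress.IPv4Address(client)
    if net_entry == OPEN_TO_ALL:
        return True
    if int(net_entry) & 0xFF == 0:
        same_class_c = (int(net_entry) >> 8) == (int(addr) >> 8)
        host = int(addr) & 0xFF
        return same_class_c and 1 <= host <= 254   # .0 and .255 are not hosts
    return net_entry == addr


def client_allowed(allowed_hosts: List[str], client: str) -> bool:
    """True if any entry in the board's allowed-host list admits the client."""
    return any(entry_admits(entry, client) for entry in allowed_hosts)


def audit_allowed_hosts(allowed_hosts: List[str], admin_host: str) -> List[str]:
    """Pre-flight checks before enabling the filter, following the thread's advice."""
    findings = []
    valid = []
    for entry in allowed_hosts:
        try:
            ipaddress.IPv4Address(entry)
            valid.append(entry)
        except ValueError:
            findings.append(
                f"invalid entry {entry!r}: use a host address, or .0 for a whole class C"
            )
    if "0.0.0.0" in valid:
        findings.append("0.0.0.0 is still listed: the filter admits every address")
    if not client_allowed(valid, admin_host):
        findings.append(
            f"admin host {admin_host} is not admitted: a mistake elsewhere would need a board reset"
        )
    return findings


if __name__ == "__main__":
    # Constructed list: the home LAN as a class C plus one external fixed host.
    sample = ["192.168.1.0", "203.0.113.5"]
    for probe in ["192.168.1.37", "192.168.1.255", "203.0.113.5", "198.51.100.9"]:
        print(probe, client_allowed(sample, probe))
    print(audit_allowed_hosts(["0.0.0.0", "192.168.1.*"], "192.168.1.10"))
```

Running the audit against the list you intend to enter, with your own workstation as `admin_host`, catches the two mistakes the thread warns about (0.0.0.0 left in, or a typo that excludes the machine you would use to fix it) before the board is locked down.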
 
rossw said:
192.168.1.0 is not a valid address for a host in the 192.168.1.0/24 subnet.
Therefore, it cannot be "only 192.168.1.0" and the only logical conclusion is that (as stated) it means "any host in the range 192.168.1.1 to 192.168.1.254"
(given that 192.168.1.255 whilst a valid address is not a valid host for the purposes of compliant subnet addressing, as .255 is reserved for broadcasts)
 
"only" was referring to the input in the field, so my question is still valid.
 