Changing Apache WAN port- HTTP security?


Tim Phillips

Oct 9, 2016, 1:10:00 PM
to weewx-user
Is it a good idea to change the default port for the Weewx server on my Pi from 80 to something else that's not so common? I'd like to be able to access my weather station feed from the WAN but am hesitant to just port forward my Pi's IP address out into the wild on port 80. I have a password set for the Pi login already. On top of that, if it's HTTP, is the login password being sent in plain text over the connection? Do I understand that correctly? If somebody was snooping wouldn't they see it?

It's becoming increasingly worrisome that all of these internet of things (IoT) devices are lacking decent security, so I've been focused on securing my IP cameras, NAS boxes, etc., lately.

My understanding of how Weewx on my Pi works is:

Weewx running as a daemon (service/background process).
Apache2 is the web server so a user can access the Weewx service (daemon) from a browser on LAN/WAN (if port forwarded).
     - Apache2 runs in the background and is the "gatekeeper" to the services that request a browser-based information request.
          - Services get access through the Apache server to the destination port it's assigned to. In Weewx's case it's "/weewx". 

BUT, if the port to Apache is 80, and that directs to Weewx, then how would I set up multiple WAN access, say if I had a webcam service running on the same Pi?

Hope some of that made some sense...
          


Andrew Milner

Oct 9, 2016, 1:23:45 PM
to weewx-user
The first thing you need to grasp is that your web server is NOT part of weewx!!

Weewx will put your webpages wherever you tell it to - on the same machine or a remote machine.

The web server and its permissions and access are outside the realms of weewx!!

You can either have weewx PUT the generated pages WITHIN your web server page hierarchy - or you can leave the pages in /home/weewx/public_html and direct your web server to access them at that location (by using a symlink or similar).

You can run apache or lighttpd on the same machine as weewx, on a separate machine on your local network, or even hosted at a remote web hosting site - the choice is yours!!

All that weewx needs to know is where to build the pages, and where to transfer them to if necessary.

Access to the generated pages is under the control of the web server - a server for which you are the administrator or a remotely hosted server - the choice is yours.

Tim Phillips

Oct 9, 2016, 1:34:04 PM
to weewx-user
Thank you for the help.

I'm running Apache on my Pi that's on 24/7. So any changes I wish to make to the WAN access will solely be through Apache's setup, if I understand your response correctly. 

I have Weewx send the weather data to the weewx stations map as well as Weather Underground. The weewx stations URL I used directs to the Weather Underground site, so I'm not directing the public to my Pi address...

Andrew Milner

Oct 9, 2016, 1:45:11 PM
to weewx-user
It's up to you entirely!  There is more to website security than the port being used.  A true hacker will likely test all port numbers anyway if trying to obtain access.

Weewx is ignorant about your WAN, WAN access, and your web server - it just puts your data where you tell it to.

vince

Oct 9, 2016, 3:28:56 PM
to weewx-user
On Sunday, October 9, 2016 at 10:10:00 AM UTC-7, Tim Phillips wrote:
> My understanding of how Weewx on my Pi works is:
>
> Weewx running as a daemon (service/background process).

almost certainly yes
 
> Apache2 is the web server so a user can access the Weewx service (daemon) from a browser on LAN/WAN (if port forwarded).

no.  Apache does not talk to the weewx daemon at all.

It listens on the port(s) you have it configured to listen on, commonly http (tcp/80), and makes available whatever data or programs apache is configured to permit (typically, just a document tree).  Sometimes your web pages are executable (php typically) but most times not. Initially it's set up to just return data.

The default weewx output from the default skins is just data: html files and image files. Other skins might have executable php content (saratoga templates to name one). Again, the apache configuration must be set up to permit php files to execute, and there is additional software you'd install to do that. There are a lot of apache-related packages.


> - Apache2 runs in the background and is the "gatekeeper" to the services that request a browser-based information request.
 
not really.   It's a daemon that listens on the port(s) it is configured for, and does what it's configured to do based on the apache config file(s).   Again, usually it just provides a way to read files using a remote web browser kind of interface, from a well-defined directory on the filesystem.

> - Services get access through the Apache server to the destination port it's assigned to. In Weewx's case it's "/weewx".


no.   Apache makes some files (in locations defined by the apache config files) on the pi accessible via http or https, assuming those files are accessible by the non-privileged account the apache daemon runs as. 
 
> BUT, if the port to Apache is 80, and that directs to Weewx, then how would I set up multiple WAN access, say if I had a webcam service running on the same Pi?


Again, apache doesn't really 'direct' to weewx, it can make weewx-generated output files available, if weewx puts it in a place apache is configured to know about, and if the files are set with the right permissions so the apache daemon can read them.

You would configure the webcam to accept incoming requests on another port typically, hopefully over https with a strong non-default password required to see the files. This seems to be what most of the IoT break-ins are exploiting... folks who just go shields-down in an insecure vendor-default configuration.

I'm not quite sure what you're asking about WAN vs. LAN access, but if you're a typical home user you likely have your LAN behind a gateway device that blocks all incoming WAN access, unless you forward particular ports through your firewall.

Be very careful here.  If you're asking the types of questions you're asking, I'd suggest doing it right might be a little above your understanding/expertise at this point in time.  By far the safest thing to do is to permit 'no' incoming traffic WAN=>LAN even through port forwarding.
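As an added example (not from the thread or the weewx project), this is the setup Andrew and vince describe: weewx writes static HTML and images into /home/weewx/public_html, and Apache alone exposes that directory under /weewx, here over HTTPS with a password so the credentials the first post worried about never cross the WAN in clear text. The hostname, certificate paths and htpasswd file are assumptions.

```apache
# Added example, not from the thread. Assumed: hostname weather.example.net,
# the certificate/key paths, and /etc/apache2/weewx.htpasswd created with
#   htpasswd -c /etc/apache2/weewx.htpasswd <user>
# Needs mod_ssl (a2enmod ssl on Debian/Raspbian). Apache never talks to
# the weewx daemon; it only reads the files weewx writes.

# Port 80 serves nothing itself: everything is redirected to HTTPS so the
# password never travels in clear text.
<VirtualHost *:80>
    ServerName weather.example.net
    Redirect permanent "/" "https://weather.example.net/"
</VirtualHost>

<VirtualHost *:443>
    ServerName weather.example.net
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/weather.example.net.crt
    SSLCertificateKeyFile /etc/ssl/private/weather.example.net.key

    # Map /weewx onto the directory weewx writes into (the "or similar"
    # alternative to a symlink). The www-data account must be able to
    # read it; check with:  sudo -u www-data ls /home/weewx/public_html
    Alias "/weewx" "/home/weewx/public_html"

    <Directory "/home/weewx/public_html">
        # Static HTML and images only: no CGI, no symlink following,
        # no directory listings, no .htaccess overrides.
        Options None
        AllowOverride None
        AuthType Basic
        AuthName "weewx"
        AuthUserFile /etc/apache2/weewx.htpasswd
        Require valid-user
    </Directory>
</VirtualHost>
```

A second service such as a webcam would get its own VirtualHost (or a separate port) in the same way, rather than being "directed to" by weewx.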



Tim Phillips

Oct 9, 2016, 7:28:39 PM
to weewx-user
So I've totally misinterpreted what Apache does for the weewx service... I'm super new to this so I'm sorry you need to explain these things like this. My WAN/IP education is limited to setting up a handful of Foscams on WAN manually as well as doing a RPi webcam project (RPi-Cam-Interface) which worked well.

I ALWAYS set a custom password on my stuff and change the username if possible. Actually, I decided to use my RPi as a weather station server because the Acurite "bridge" accessory gave no indication of how their security works, which I disliked. So I took it as an opportunity to learn all about it, hopefully via this project as a starting point. I was not keen on just plugging in their bridge accessory to my router and thinking that's A-OK. 


I appreciate the clarification!

Andrew Milner

Oct 9, 2016, 9:42:21 PM
to weewx-user
This tells you how the bridge works:

It would appear to me that the bridge has no real need for security as such since it only transmits data to the Acurite web site from your weather station using POST commands. Its security is controlled by your own router, and it would only respond to incoming data when it switched to update mode to update its firmware.

Tim Phillips

Oct 9, 2016, 9:56:23 PM
to weewx...@googlegroups.com

An excellent read. I wish they would market the device better to people like me (us?) that require web security. I might have bought their product. Might still, in fact, after reading that.

It's important to take some caution when adding and trusting IoT devices.


--
You received this message because you are subscribed to a topic in the Google Groups "weewx-user" group.
To unsubscribe from this topic, visit https://groups.google.com/d/topic/weewx-user/ot23QZHY15o/unsubscribe.
To unsubscribe from this group and all its topics, send an email to weewx-user+unsubscribe@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

vince

Oct 10, 2016, 8:36:47 PM
to weewx-user
On Sunday, October 9, 2016 at 4:28:39 PM UTC-7, Tim Phillips wrote:
> So I've totally misinterpreted what Apache does for the weewx service... I'm super new to this so I'm sorry you need to explain these things like this.

oh geez, not a problem !!!!

I punched inbound tcp/80 through my firewall years ago, but saw a lot of attempts to break the server in the logs, so I disabled it and instead upload my stuff to my ISP site via the nice rsync handler. I've never had the guts to open up a port to permit webcam access; I read too many things about cameras being pretty risky. So I pull a snapshot periodically for my weewx pages, and upload timelapse weather movies again to my ISP site.

If you push LAN=>WAN you're probably in reasonably safe shape, assuming you're uploading to somebody reasonably well known (WU to name one).

Tim Phillips

Oct 10, 2016, 11:24:30 PM
to weewx...@googlegroups.com
I'm OK with opening a port for FTP or a webcam but I try my best to make sure it's a secure connection. Strong passwords, HTTPS if possible, using a brand that's not off the Walmart discount shelf and MAC filtering if possible.

I still won't put a webcam inside my house though. So that says something...

I just like the ability to control my security and know what's happening vs blindly trusting some brand's server. There was a recent webcam breach where the company inadvertently allowed access to ALL users video somehow. Things like that are what keeps me tinkering on my own like this. Leaving it up to someone else at some unknown "server" doesn't make me comfortable. So, yeah, it goes beyond people simply not changing the default password. Anyway, I'm just taking this as an opportunity to learn more.
Tim

Andrew Milner

Oct 11, 2016, 12:13:07 AM
to weewx...@googlegroups.com
Perhaps, just a suggestion, this topic is more suited to your webserver's forum (apache2 in your case) rather than the weewx forum, since in the case of weewx there is no access TO weewx FROM anywhere, either LAN or WAN. As said before, weewx PUTS your webpages wherever you tell it to put them, and uses FTP or RSYNC to copy the files to other devices (servers) elsewhere if necessary.

Since you are so security conscious I assume you do not use a smartphone!! (said tongue-in-cheek)



Tim Phillips

Oct 11, 2016, 1:57:19 PM
to weewx-user
Yes, I will move over to the Apache forum for additional info now. Started here first to see how exactly Weewx was reporting, and now I understand thanks to all those who chimed in.

COVER YOUR WEBCAMS!! haha/jk