Port forwarding for ESP8266 - security


SS

Jan 3, 2017, 4:45:24 PM1/3/17
to Reading Hackspace
Wondering if anyone can offer advice or point me to a good link:

I want to reliably access an ESP8266 at home over the internet, so gather I need to get a static IP address from my ISP and forward a port on my [TP-Link Archer D2] router.

What security do I need in place once I have a static IP address and port forwarded?

Jeremy Poulter

Jan 3, 2017, 5:29:16 PM1/3/17
to rLab List
I have seen some things claiming to be a firewall for the ESP but I don't think they actually did anything useful. 

The biggest thing you need to worry about is the code on the ESP. You should check things like fixed buffers are not overrun and all inputs are validated.

Another gotcha is (assuming you are using the Arduino libraries) that the standard web server only handles a single connection, so you should look at something like https://github.com/me-no-dev/ESPAsyncWebServer to be marginally less vulnerable to DoS attacks.

It also kind of depends on what the ESP is doing as to the amount of effort you put in.

That being said, I would look at the full system design. Do you really need the ESP Internet accessible? Could it connect to a server that relays commands, e.g. could you use MQTT and Adafruit IO https://io.adafruit.com?

One more thing, you don't really need a static IP. Services like http://dyn.com/dns/ work really well and a lot of routers have built in support for it. 

Jeremy

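The two checks Jeremy names, bounded copies and input validation, as an added example (this is not code from the thread or from any Reading Hackspace project). It is a hypothetical handler for a request like GET /relay?pin=12&state=on, written as plain C with no Arduino API so it compiles on a PC as well as inside a sketch. The vulnerable version copies the pin= value into a fixed stack buffer with no length check; the hardened version validates length, character set and range before anything is copied. The query format, the parameter names, PARAM_MAX and the 0..16 GPIO range are all assumptions.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical handler for GET /relay?pin=N&state=on|off on an ESP8266.
 * Plain C, no Arduino API; in a sketch the query string would come from
 * server.arg() or the raw request line. */

#define PARAM_MAX 8   /* assumption: longest legitimate value is "off" */

typedef struct {
    int status;   /* 0 = accepted; negative = reject, caller answers 400 */
    int pin;      /* validated GPIO number */
    bool on;      /* requested state */
} relay_cmd;

/* Find key in "k=v&k2=v2". Returns a pointer to the value (not
 * NUL-terminated) and its length in *len, or NULL if the key is absent. */
static const char *find_param(const char *query, const char *key, size_t *len)
{
    size_t klen = strlen(key);
    const char *p = query;
    while (p && *p) {
        if (strncmp(p, key, klen) == 0 && p[klen] == '=') {
            const char *v = p + klen + 1;
            const char *end = strchr(v, '&');
            *len = end ? (size_t)(end - v) : strlen(v);
            return v;
        }
        p = strchr(p, '&');
        if (p) p++;
    }
    return NULL;
}

/* VULNERABLE (kept only for contrast): copies the pin= value into a fixed
 * stack buffer with no length check. A value longer than PARAM_MAX-1 bytes
 * overruns `buf`: on the ESP8266 that is a watchdog reset at best and
 * attacker-controlled memory corruption at worst. */
relay_cmd handle_relay_unsafe(const char *query)
{
    relay_cmd cmd = { -1, 0, false };
    char buf[PARAM_MAX];
    size_t len;
    const char *v = find_param(query, "pin", &len);
    if (!v) return cmd;
    memcpy(buf, v, len);      /* no bound: the attacker chooses len */
    buf[len] = '\0';
    cmd.pin = atoi(buf);      /* also happily accepts "-5", "9999", "12abc" */
    cmd.status = 0;
    return cmd;
}

/* HARDENED: validate length, character set and range before anything is
 * copied or acted on. Each reject path returns a distinct code for logging. */
relay_cmd handle_relay_safe(const char *query)
{
    relay_cmd cmd = { -1, 0, false };
    size_t len;
    const char *v;

    /* pin: 1-2 ASCII digits, value 0..16 (assumption: ESP8266 GPIO range) */
    v = find_param(query, "pin", &len);
    if (!v || len == 0 || len > 2) return cmd;             /* -1: missing or too long */
    int pin = 0;
    for (size_t i = 0; i < len; i++) {
        if (!isdigit((unsigned char)v[i])) return cmd;     /* -1: not a digit */
        pin = pin * 10 + (v[i] - '0');
    }
    if (pin > 16) { cmd.status = -2; return cmd; }         /* -2: out of range */

    /* state: exactly "on" or "off". Checking len first means a value like
     * "onXXXX" can never pass as a prefix match. */
    v = find_param(query, "state", &len);
    cmd.status = -3;                                       /* -3: bad or missing state */
    if (!v) return cmd;
    if (len == 2 && memcmp(v, "on", 2) == 0)       cmd.on = true;
    else if (len == 3 && memcmp(v, "off", 3) == 0) cmd.on = false;
    else return cmd;

    cmd.pin = pin;
    cmd.status = 0;
    return cmd;
}

int main(void)
{
    /* constructed inputs: a legitimate request and an over-long pin= value */
    const char *good = "pin=12&state=on";
    const char *bad  = "pin=0000000000000000000000000000000000000012&state=on";
    relay_cmd c = handle_relay_safe(good);
    printf("good: status=%d pin=%d on=%d\n", c.status, c.pin, c.on);
    c = handle_relay_safe(bad);
    printf("bad:  status=%d (rejected before any copy)\n", c.status);
    /* handle_relay_unsafe(bad) is deliberately not called: it would overrun. */
    return 0;
}
```

In a sketch the negative status maps straight onto a 400 response, which is the behaviour you want for a device you cannot easily reflash remotely: an unexpected request is refused, never partially acted on. The same length-first pattern applies to every parameter the device accepts, not just the two shown here.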

Nigel Worsley

Jan 3, 2017, 5:36:24 PM1/3/17
to reading-hackspace
On 3 January 2017 at 21:45, SS <1breaki...@gmail.com> wrote:
> Wondering if anyone can offer advice or point me to a good link:
>
> I want to reliably access an ESP8266 at home over the internet, so gather I
> need to get a static IP address from my ISP and forward a port on my
> [TP-Link Archer D2] router.

That would be one way to do it, but you are putting all of the
security burden onto the ESP8266 which is less than ideal for the
task. You are probably better off setting up your router to accept a
VPN connection, this would allow a remote computer running a suitably
configured VPN client to access your home network as though it was
directly connected to it. All of the security is handled in the router
and VPN client, so there is no requirement to add anything to your
ESP8266 code to stay safe.

Nigel

Mark Robson

Jan 3, 2017, 5:41:22 PM1/3/17
to reading-...@googlegroups.com
What protocol do you use?

In my experience the ESP8266 TCP stack is a bit unreliable with multiple connections; even just malware scanning your network could break it (I am assuming TCP here).

If it is HTTP then it's possible to run a "reverse proxy" server somewhere in your network, and connect to that instead, which can do (e.g.) TLS termination (better than the ESP8266, which has quite a poor SSL library, not really surprising as it's a microcontroller). A reverse proxy could also do authentication using a scheme of your choice.

Mark


Stuart Ward

Jan 5, 2017, 10:35:36 AM1/5/17
to reading-...@googlegroups.com
On 03/01/17 22:36, 'Nigel Worsley' via Reading Hackspace wrote:
> You are probably better off setting up your router to accept a
> VPN connection
Or set up ssh access on a machine that is in your home, then use that to
connect to the ESP. I would strongly recommend setting up key
authentication and disabling password authentication. There are so many
systems out there trying to connect to ssh.

Stuart

SS

Jan 14, 2017, 3:01:14 PM1/14/17
to Reading Hackspace
Thanks for all the replies. If I'm being honest, about 40% of that is gibberish to me. I think it goes to show that I just know enough to be dangerous!

Solution: Going to try something like Blynk where the developers have [hopefully] covered all the bases and left me with a simple turn key solution for now.