
Welcome to Smart Home Forum by FIBARO



  • 0

Block remote access


Question

Posted

Following the issues we're currently seeing with the ransomware issue for Synology, it has become clearer to me why the home.fibaro.com thing is nice, but in my case absolutely not acceptable. I can understand that it makes things easier for people to configure without port forwarding or VPN'ing etc.

Although I don't expect villains to actively hack your system to get access to your home, it's simply not nice to know it would be possible to hack the system and abuse it for whatever reason.

How can you block all access to the HC2 in such a way that the only way in is through a VPN-connection?

15 answers to this question

Recommended Posts

  • 0
Posted

hvb83, if you don't want to use home.fibaro.com you can always remove your HC from your account, and then the security of your controller will be the same as that of any device in your local network.

  • 0
  • Inquirer
  • Posted

    I know this is possible, but as I understand it, this is something that is controlled from the fibaro server. So if that server is somehow compromised in the future, I don't have control over who has access to my system. I know it's a 2-layer security, but I'm guessing somebody who can hack into the server, won't have a hard time hacking into HC2 after that.

    What traffic or ports should be blocked in my firewall/router in order to prevent any communication between HC2 and the server from being possible?

    Please don't get me wrong, I'm not saying you don't have the security in place or that I could do it better myself. But considering what has happened to Synology, it has been shown once more that the consequences of a major hack can be massive, especially if you have the heating or doors connected to the system. I would like to prevent that as much as possible.

    • 0
    Posted

    hvb83, I investigated this issue carefully. It is your HC unit that connects with home.fibaro.com; therefore, to stop any communication between them, all you need to do is disable remote access in the configuration panel.

    • 0
    Posted

    Is it possible to connect to the HC2 from outside my home without home.fibaro.com?

    I want to connect to my HC2 from anywhere, but I prefer without home.fibaro.com.

    Can I open some ports in my router?

    • 0
    Posted

    What I did is to open a port for Fibaro (e.g. 1234) and forward that port to the IP of the HC2 on port 80:

    external port 1234 -> 192.168.0.x 80

    It can be done using an Apache reverse proxy, but this requires you to have Apache running on another system.

    • 0
    Posted

    akatar, it is not recommended. But you can always configure a VPN connection.

    • 0
    Posted

    I don't have Apache running and I don't want a VPN.

    I had hoped that it could be done the easy way.

    • 0
    Posted

    just do what I mentioned earlier...

    forward a port on your router

    • 0
    Posted

    what i want it with the fibaro app

    • 0
    Posted

    that's no problem...

    @HC IP fill in your external IP with port number:

    xxx.xxx.xxx.xxx:yyyy

    replace the x with your IP (or hostname) and the y with the port

    • 0
    Posted

    Users, please note that such an action will make your HC available to anyone and that our device was not meant to work in such a configuration. Please use home.fibaro.com or VPN instead.

    • 0
    Posted

    Agreed with j.nowacki, port forwarding is NOT encouraged, as the chances of being compromised are higher compared to using the home.fibaro server. Please do take responsibility in using port forwarding. As long as anyone has your IP address, controlling your system is not an issue at all.

    • 0
    Guest Kuuno
    Posted

    connecting over home.fibaro.com takes ~15-20s

    connecting directly takes ~7-10sec

    camera feed is very slow over h.f.com

    camera feed is good if connected locally

    use an IPS device in the middle to protect against hacking...

    • 0
    Posted

    I agree with Kuuno, if you have a little bit of understanding about webservers and SSL, put an nginx server (raspberry pi is very light) in front of the HC and use only authenticated SSL to remote access your server directly. I don't want to rely on an external party with a backdoor into my house, coupled with the fact that the HC api sends all sensitive data (like webcam passwords) in plain text... All your data will pass fibaro hq so think about what you are doing. Also the connection issues through the fibaro server these last months forced me to come up with this solution so I can keep using the app when there are issues @ Fibaro.
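A sketch of the kind of nginx front end the post above describes, as an added example that is not part of the original post or the poster's own configuration. The hostname `hc2.example.net`, the address `192.168.0.50` (a stand-in for the HC2's LAN address) and the certificate paths are assumptions, and it presumes the client you connect with can present a client certificate.

```nginx
# Added example. Assumed values: hc2.example.net, 192.168.0.50,
# and the certificate files under /etc/nginx/tls.
# On the router, forward only TCP 443 to this proxy host; do not
# forward any port to the HC2 itself.
server {
    listen 443 ssl;
    server_name hc2.example.net;

    # Server identity presented to the remote client.
    ssl_certificate     /etc/nginx/tls/server.crt;
    ssl_certificate_key /etc/nginx/tls/server.key;
    ssl_protocols       TLSv1.2 TLSv1.3;

    # Client authentication: requests from clients that do not present
    # a certificate signed by this private CA are rejected by nginx
    # and never reach the HC2.
    ssl_client_certificate /etc/nginx/tls/client-ca.crt;
    ssl_verify_client      on;
    ssl_verify_depth       1;

    location / {
        # The HC2 still speaks plain HTTP, so this hop stays on the LAN.
        proxy_pass         http://192.168.0.50:80;
        proxy_set_header   Host $host;
        proxy_set_header   X-Forwarded-For $remote_addr;
        proxy_set_header   X-Forwarded-Proto https;
        proxy_read_timeout 60s;
    }
}
```

Compared with forwarding an external port straight to port 80 on the HC2, this encrypts the traffic that crosses the Internet and leaves the HC2 login page unreachable to anyone without a client certificate.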

    • 0
    Posted

    I totally agree, but guys, consider that all the users aren't able to configure such a system and are pleased to have simple remote access through Fibaro's proxy.

    Anyway, I have to agree with the lack of security sending password in plain text...
