
Is this thing secure?

Posted: Sun May 22, 2016 1:03 pm
by Topolino
I keep getting lines like these in my useless Apple Firewall log every minute:

Pytho: Allow TCP CONNECT (in:1 out:0)

The only reason I have Python exposed is Indigo.

Should I be worried?

Lasse

Re: Is this thing secure?

Posted: Sun May 22, 2016 1:37 pm
by Different Computers
Using Prism? If you are, if you disable it, does this log entry go away?

Re: Is this thing secure?

Posted: Sun May 22, 2016 1:53 pm
by Topolino
No, I'm not using Prism. I have no-ip.com set up with a domain.

Come to think of it, I'm using an uptime monitor to ping every five minutes, but I'm getting hit more often than that.

Now I'm thinking of getting a dedicated system instead of having my home automation system possibly vulnerable on a Mac.
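
One way to check the "more often than every five minutes" observation, as an added example that is not part of the original thread: parse the firewall log, find the hits that fit a 300-second schedule, and list the rest. Only the `Pytho: Allow TCP CONNECT (in:1 out:0)` text comes from the post; the syslog-style prefix, host name, timestamps and function names are assumptions constructed for the example.

```python
import re
from datetime import datetime

# Assumed syslog-style prefix; only the text after "<Info>: " matches the post.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ socketfilterfw\[\d+\] <\w+>: "
    r"(?P<proc>[^:]+): (?P<action>Allow|Deny) TCP CONNECT"
)

# Constructed sample: four monitor probes about 300 s apart plus four other connects.
SAMPLE = [
    f"May 22 {t} macmini socketfilterfw[231] <Info>: Pytho: Allow TCP CONNECT (in:1 out:0)"
    for t in ("13:00:05", "13:01:40", "13:02:41", "13:05:06",
              "13:07:13", "13:10:04", "13:11:52", "13:15:05")
] + ["May 22 13:03:00 macmini socketfilterfw[231] <Info>: unrelated line"]

def parse(lines, year=2016):
    """Return {(process, action): [datetime, ...]} for TCP CONNECT entries."""
    events = {}
    for line in lines:
        m = LINE_RE.match(line)
        if m is None:
            continue  # not a CONNECT entry; ignore
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.setdefault((m["proc"], m["action"]), []).append(ts)
    return events

def split_periodic(times, period_s, tol_s=20):
    """Split times into (hits on the best-fitting period_s schedule, the rest)."""
    def on_schedule(t, anchor):
        off = (t - anchor).total_seconds() % period_s
        return min(off, period_s - off) <= tol_s
    best = []
    for anchor in times:  # try every hit as the schedule's phase
        matched = [t for t in times if on_schedule(t, anchor)]
        if len(matched) > len(best):
            best = matched
    return best, [t for t in times if t not in best]

if __name__ == "__main__":
    for (proc, action), times in parse(SAMPLE).items():
        monitor, other = split_periodic(times, period_s=300)
        print(f"{proc} {action}: {len(times)} connects, {len(monitor)} fit the "
              f"5-minute monitor, {len(other)} do not")
        for t in other:
            print("  unexplained:", t.time())
```

The log line quoted in the post carries no source address, so timing is the only signal available here; identifying who is connecting needs the router's logs or a packet capture on the listening port.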

Re: Is this thing secure?

Posted: Sun May 22, 2016 3:44 pm
by Different Computers
If ANY system is internet accessible, it's potentially vulnerable.

And if you can manage without internet access, why not just turn off remote access to Indigo?

Re: Is this thing secure?

Posted: Sun May 22, 2016 4:24 pm
by Topolino
The question is to what degree leaving Python open to the internet exposes my system to hackers.

Re: Is this thing secure?

Posted: Sun May 22, 2016 4:43 pm
by FlyingDiver
Topolino wrote:
The question is to what degree leaving Python open to the internet exposes my system to hackers.


What do you mean by that? Python is a programming language, not an application. Python by itself doesn't maintain any network connections, so it can't be used as an attack vector.

What Python application is hitting your firewall?

FWIW, I don't much care for the Apple provided firewall. If you really want to control what applications can open what ports on your Indigo machine, install Little Snitch.

https://www.obdev.at/products/littlesnitch/index.html

Re: Is this thing secure?

Posted: Mon May 23, 2016 1:06 am
by durosity
If you're not using reflector the only port you need open for remote access is 8176 (unless of course you've got some plugin/script that requires something else but you'd know if that was the case). This isn't encrypted by default (reflector is recommended) but you can set up a reverse proxy to secure it if you wish. Just search the forum for 'reverse proxy' and I believe there's a post that tells you how to do it.

Re: Is this thing secure?

Posted: Mon May 23, 2016 2:25 pm
by RogueProeliator
Now I'm thinking of getting a dedicated system instead of having my home automation system possibly vulnerable on a Mac.

FWIW, dedicated systems more often than not have more vulnerabilities than a properly configured computer; this obviously isn't true for those rare devices which are properly locked down using industry best practices -- but I've seen FAR more vulnerable standalone systems. I've taken advantage of a few of them in order to control for HA in fact. :-)

Re: Is this thing secure?

Posted: Mon May 23, 2016 2:35 pm
by jay (support)
Indigo starts up a Python process that is what's used for the RESTful API and Indigo Touch. It opens port 8176 (by default) and that's specifically what your firewall is asking about. It's not asking for generic access to Python (which, as was pointed out above, is an interpreter and doesn't open ports on its own).

The Indigo server also opens port 1176 (by default) and that's what the Mac client uses to talk to the server.

They both use the authentication credentials that you specify in the Start Local Server dialog.

Re: Is this thing secure?

Posted: Fri Jul 29, 2016 12:47 pm
by elf55
My title should be "this thing is too secure". Even I can't access it.

I access Indigo using the iOS app and so employ the port 8176 interface. My issue is that about once a week the OS/X firewall blocks access to that port and I have to correct it by logging in, stopping the Indigo server and restarting it. When I do that I get the prompt:

Do you want the application "Python.app" to accept incoming network connections


along with a "Deny" and "Allow" button. I'm pretty sure this prompt comes from the OS X firewall, because if I disable the firewall, I don't have the problem. I have set the firewall options to allow incoming connections for both indigoServer.app and Python.app. However I still get those prompts and need to click on allow so I can reach the Indigo server.

I am running El Capitan (10.11) on a Mac Mini, but I was seeing this same behavior under 10.10 as well. To try and debug the problem, I've loaded Indigo on my Macbook and tried to access it over a couple of weeks. For the test, I did not see the same issue.

The biggest difference between the Mac Mini and the Macbook is that the Mini is running OS X Server 5.1.7 (and previous versions). Server has Profile Manager, Websites, File Sharing, Caching, and Open Directory enabled and all other services disabled. I haven't tried disabling Server and doing the same test yet, because I need the service running.

Does anyone have some familiarity with OS/X firewall and why it would unexpectedly and randomly block Python.app? It doesn't do this for any other services running on the same machine (e.g. FTP, cache, etc).

Update: I completely removed OS X Server from the Mac Mini running Indigo server. Now I'm not getting the Deny or Allow buttons when launching Indigo, but I'm also not getting through the OS X firewall. If I turn off the firewall, I can access the web server on port 8176, when I turn it back on, I can't. I can access the server using a remote copy of the Indigo UI accessing using port 1176. In firewall options, I have the following applications listed as "allow incoming connections": IndigoServer.app, PluginProcess.app, Python.app, and (oddly) Indigo 5.app. Note that I'm using Indigo 6 and not 5. Really frustrating. This looks like it should work, but OS X firewall doesn't have much in the way of diagnostics to help debug.

Second update: I deleted all of the Indigo related firewall rules (using the "-" button on the Firewall options page). Then I stopped Indigo and restarted it. This resulted in two apps being added automatically. These are IndigoServer.app and Python.app. The IndigoServer.app was set to "allow incoming connections". The Python.app was set to "Block Incoming Connections". I changed the latter to "Allow" and I was able to access the web server from a remote machine. This makes sense, but I'm curious as to why the Python.app automatically was set to block incoming. I'll watch it and update this post if it goes wrong again.

Re: Is this thing secure?

Posted: Fri Jul 29, 2016 1:10 pm
by FlyingDiver
I don't use the OSX firewall. I use a good firewall on my router, and I use Little Snitch (https://www.obdev.at/products/littlesnitch/index.html) on the computer.