My setup is using port forwarding with an Apache reverse proxy for remote access, not a reflector. I acknowledge that it's possible that using the reflector service could mitigate (or completely eliminate?) this risk, but the reflector service is a "black box" to me, and I won't use services for home automation that I don't control unless I absolutely have to.
Currently, Indigo Server logs invalid access attempts when they're detected. For example:
access denied "http://10.0.0.12:8176/" from admin @ 1.2.3.4
I understand that there are other options available to block IP addresses when certain criteria are met, such as fail2ban. I enabled fail2ban on my Apache server to catch HTTP 401 events and block the offending IP address. This works well, but it immediately blocks my phone's public IP address as soon as I try to use Indigo Touch. In this scenario, I'm logged into Indigo Touch with a valid user and password, but fail2ban is blocking my IP because it appears that the app frequently triggers an HTTP 401 request with every other request that's sent to Indigo Server. Here's an excerpt from my Apache log that's being matched by fail2ban:
my.phones.public.ip - - [01/Mar/2020:09:04:30 -0500] "POST /serverrequest HTTP/1.1" 401 6744 "-" "Indigo%20Touch/2.1.2 CFNetwork/1121.2.2 Darwin/19.3.0"
my.phones.public.ip - - [01/Mar/2020:09:04:31 -0500] "POST /serverrequest HTTP/1.1" 200 727 "-" "Indigo%20Touch/2.1.2 CFNetwork/1121.2.2 Darwin/19.3.0"
my.phones.public.ip - - [01/Mar/2020:09:04:34 -0500] "POST /serverrequest HTTP/1.1" 401 6744 "-" "Indigo%20Touch/2.1.2 CFNetwork/1121.2.2 Darwin/19.3.0"
my.phones.public.ip - - [01/Mar/2020:09:04:34 -0500] "POST /serverrequest HTTP/1.1" 200 727 "-" "Indigo%20Touch/2.1.2 CFNetwork/1121.2.2 Darwin/19.3.0"
my.phones.public.ip - - [01/Mar/2020:09:04:37 -0500] "POST /serverrequest HTTP/1.1" 401 6744 "-" "Indigo%20Touch/2.1.2 CFNetwork/1121.2.2 Darwin/19.3.0"
my.phones.public.ip - - [01/Mar/2020:09:04:37 -0500] "POST /serverrequest HTTP/1.1" 200 727 "-" "Indigo%20Touch/2.1.2 CFNetwork/1121.2.2 Darwin/19.3.0"
my.phones.public.ip - - [01/Mar/2020:09:04:40 -0500] "POST /serverrequest HTTP/1.1" 401 6744 "-" "Indigo%20Touch/2.1.2 CFNetwork/1121.2.2 Darwin/19.3.0"
my.phones.public.ip - - [01/Mar/2020:09:04:40 -0500] "POST /serverrequest HTTP/1.1" 200 727 "-" "Indigo%20Touch/2.1.2 CFNetwork/1121.2.2 Darwin/19.3.0"
my.phones.public.ip - - [01/Mar/2020:09:04:43 -0500] "POST /serverrequest HTTP/1.1" 401 6744 "-" "Indigo%20Touch/2.1.2 CFNetwork/1121.2.2 Darwin/19.3.0"
my.phones.public.ip - - [01/Mar/2020:09:04:43 -0500] "POST /serverrequest HTTP/1.1" 200 727 "-" "Indigo%20Touch/2.1.2 CFNetwork/1121.2.2 Darwin/19.3.0"
my.phones.public.ip - - [01/Mar/2020:09:04:46 -0500] "POST /serverrequest HTTP/1.1" 401 6744 "-" "Indigo%20Touch/2.1.2 CFNetwork/1121.2.2 Darwin/19.3.0"
my.phones.public.ip - - [01/Mar/2020:09:04:46 -0500] "POST /serverrequest HTTP/1.1" 200 727 "-" "Indigo%20Touch/2.1.2 CFNetwork/1121.2.2 Darwin/19.3.0"
my.phones.public.ip - - [01/Mar/2020:09:04:49 -0500] "POST /serverrequest HTTP/1.1" 401 6744 "-" "Indigo%20Touch/2.1.2 CFNetwork/1121.2.2 Darwin/19.3.0"
my.phones.public.ip - - [01/Mar/2020:09:04:49 -0500] "POST /serverrequest HTTP/1.1" 200 727 "-" "Indigo%20Touch/2.1.2 CFNetwork/1121.2.2 Darwin/19.3.0"
my.phones.public.ip - - [01/Mar/2020:09:04:52 -0500] "POST /serverrequest HTTP/1.1" 401 6744 "-" "Indigo%20Touch/2.1.2 CFNetwork/1121.2.2 Darwin/19.3.0"
my.phones.public.ip - - [01/Mar/2020:09:04:52 -0500] "POST /serverrequest HTTP/1.1" 200 727 "-" "Indigo%20Touch/2.1.2 CFNetwork/1121.2.2 Darwin/19.3.0"
my.phones.public.ip - - [01/Mar/2020:09:04:55 -0500] "POST /serverrequest HTTP/1.1" 401 6744 "-" "Indigo%20Touch/2.1.2 CFNetwork/1121.2.2 Darwin/19.3.0"
my.phones.public.ip - - [01/Mar/2020:09:04:56 -0500] "POST /serverrequest HTTP/1.1" 200 6647 "-" "Indigo%20Touch/2.1.2 CFNetwork/1121.2.2 Darwin/19.3.0"
my.phones.public.ip - - [01/Mar/2020:09:04:58 -0500] "POST /serverrequest HTTP/1.1" 401 824 "-" "Indigo%20Touch/2.1.2 CFNetwork/1121.2.2 Darwin/19.3.0"
my.phones.public.ip - - [01/Mar/2020:09:04:59 -0500] "POST /serverrequest HTTP/1.1" 200 6647 "-" "Indigo%20Touch/2.1.2 CFNetwork/1121.2.2 Darwin/19.3.0"
If IP address blocking can't be built into Indigo Server, then my fallback feature request is to prevent the Indigo Touch client from triggering frequent HTTP 401 responses even when the user is logged in, which will allow the use of fail2ban to prevent brute force hacking attempts.
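The following is an added example, not part of the original post and not Indigo or fail2ban code. It counts only the 401 responses that are not followed by a 200 from the same address shortly afterwards, so the 401/200 pairs seen in the excerpt above are not treated as failed logins. The function names, the 2-second window and the sample addresses (documentation ranges) are assumptions made for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apache common/combined log prefix: client, timestamp, request line, status.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "[^"]*" (?P<status>\d{3}) '
)

def parse(line):
    """Return (ip, timestamp, status) or None for lines that do not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return m["ip"], ts, int(m["status"])

def unanswered_401s(lines, window_s=2):
    """Per client, count 401s with no 200 from that client within window_s."""
    events = sorted(filter(None, map(parse, lines)), key=lambda e: e[1])
    pending = defaultdict(list)   # ip -> times of 401s still awaiting a 200
    failures = defaultdict(int)
    window = timedelta(seconds=window_s)
    for ip, ts, status in events:
        # A 401 older than the window was never answered: count it.
        failures[ip] += sum(1 for t in pending[ip] if ts - t > window)
        pending[ip] = [t for t in pending[ip] if ts - t <= window]
        if status == 401:
            pending[ip].append(ts)
        elif status == 200 and pending[ip]:
            pending[ip].pop(0)    # this 200 answers the oldest open 401
    for ip, left in pending.items():
        failures[ip] += len(left)  # still unanswered at end of log
    return {ip: n for ip, n in failures.items() if n}

def _line(ip, hms, status):
    return (f'{ip} - - [01/Mar/2020:{hms} -0500] '
            f'"POST /serverrequest HTTP/1.1" {status} 727 "-" "-"')

# Constructed sample: one client with 401/200 pairs, one with only 401s.
SAMPLE = [
    _line("203.0.113.10", "09:04:30", 401), _line("203.0.113.10", "09:04:31", 200),
    _line("203.0.113.10", "09:04:34", 401), _line("203.0.113.10", "09:04:34", 200),
    _line("198.51.100.7", "09:04:35", 401), _line("198.51.100.7", "09:04:36", 401),
    _line("198.51.100.7", "09:04:37", 401),
]

if __name__ == "__main__":
    print(unanswered_401s(SAMPLE))
```

The per-client counts it returns can then be compared against a retry threshold before any address is blocked.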