Setup your own hydroMazing

Setup and Use hydroMazing

  • The Controller ( Arduino Nano Expansion Board with nRF24L01 and DHT sensor ) uses 433MHz Transmitter to send codes to remote-controlled AC Outlets or can connect directly via a transistor, MOSFET, or relay.

 

  • Raspberry Pi Web Services Module ( with nRF24L01 ).

 

  • Optional The Advanced Controller ( Arduino Nano Expansion Board with nRF24L01 ) uses a 433MHz Transmitter to send codes to remote-controlled AC Outlets or can connect directly via a transistor, MOSFET, or relay.  Supports additional sensors:  E.C., pH, Light Intensity, more floats and flow-rate sensors.

 

  • Optional Web-Camera using Raspberry Pi ( with USB Web-Camera ).

 

  • Optional Zone/Node Controller(s) ( Arduino Pro-Mini with nRF24L01 ) connect directly via a transistor, MOSFET, or relay.  These units are solar-powered with a battery backup.  They also support additional soil-moisture sensors.

 

  • Optional The Monitor (Arduino Nano Expansion Board with nRF24L01 ) connected to an Arduino Uno with LCD w/ Buttons Shield.

Each module requires a standard 5 volts power source such as USB.

Setup hydroMazing

Plug-in appliances to their corresponding remote controlled AC switch units:

  1. Intake Ventilation Fan
  2. Exhaust Ventilation Fan
  3. Humidifier / Other
  4. Heater / Additional Lighting
  5. Pump(s)
  • Install the hydroMazing Controller Unit inside the growing area.
  • Provide power to the controller and monitoring devices.

hydroMazing’s default sensors:

  • DHT ( Temperature and Humidity ) Sensor
  • Dallas Temperature Probe Water Temperature Sensor
  • Flow Rate Sensor
  • Float Switch – Low water level
  • Float Switch – High water level

The hydroMazing controller is designed to operate ventilation fans for air circulation, water pumps, occasionally a humidifier, heaters, or any other appliance that is necessary to maintain an ideal environment for plants to grow.  Monitoring and controlling the system is mostly done for us, but when the hydroMazing needs to alert us to a problem it can by using the Raspberry Pi.

Using float switches:

  1. Top float switch used to indicate vessel is full of liquid.
  2. Middle float switch provides warning or triggers a pump to refill.
  3. Bottom float switch turns off pumps and notifies attendant that vessel is out of liquid.

Using the flow sensor’s data we can determine the flow rate of the liquid being pumped.

Hook Up Your Raspberry Pi

Connecting all your devices to the Raspberry Pi is very easy, but you want to do it in a specific order so it can recognize all your devices when it boots up. First, connect your HDMI cable to your Raspberry Pi and your monitor, then connect your USB devices. If you’re using an ethernet cable to connect to your router, go ahead and connect that as well.  Finally, once everything is connected, go ahead and plug in your power adapter. The Raspberry Pi does not have a power switch, so once you connect the power adapter, it’ll turn on all by itself.

Connect to Your Wi-Fi Network

Connecting to your Wi-Fi network works the same in Raspbian as it does in any modern operating system.

  • Click the network icon (it’s the one with two computers) in the top right corner.
  • Select your Wi-Fi network name, and enter your password.

That’s it, you’re now connected to Wi-Fi. This will work in both the command line and in the graphical interface, so you only need to set it once. If you have an older Pi and you’re using a Wi-Fi adapter like this, the process is the same.


Getting Online

The following section assumes you have an updated and upgraded Raspberry Pi 3 or equivalent, and installed L.A.M.P. (Linux.Apache.MySQL.PHP.)  Excellent article for getting started and RaspberryPi.org’s installing LAMP.

You have several devices connected to your WiFi router, so how can you tell the outside where you are serving-up Raspberry Pi?  Let’s get familiar with our router’s advanced settings in your router manufacturer’s configuration tool.  Most home networks use one of these common IP addresses for their gateway to the Internet:


You will need to log in to your router’s configuration tool.  The username and password should have been assigned at the time of setup.  First, we need to reserve an IP address for our Raspberry Pi to use on a regular basis.  Typically, the router will have a DHCP (Dynamic Host Configuration Protocol) Settings section, List and Bindings, etc.  The Raspberry Pi and all other devices on your LAN should be listed here.  Hopefully, your router will have a somewhat intuitive interface that makes it clear how to assign an IP address to a device or MAC address.  If all else fails, consult your manufacturer’s instructions.


The default port for web requests is 80.  You can leave the default unless your Internet Service Provider doesn’t allow port 80.  The next step in your router’s configuration is to have the router forward all incoming requests on port 80 to the Raspberry Pi.  This is typically referred to as Port Forwarding or Port Range Forwarding.  You will want to associate the Raspberry Pi’s IP address so that it will receive all incoming requests on port 80 or whatever port you find most appropriate.  (The most secure web server is one that is not connected to the Internet 😉)

The default port for SSL is port 443.  The next step in your router’s configuration is to have the router forward all incoming requests on port 443 to the Raspberry Pi.

Motion Web-Cam Streaming:  The default port for motion is port 8081.  The next step in your router’s configuration is to have the router forward all incoming requests on port 8081 to the Raspberry Pi.

You could also allow Telnet, FTP, SSH, VNC, etc., but I do not recommend it unless you are familiar with the security risks associated with such services.

Get Yourself A Domain Name

http://www.YOUR_CUSTOM_DOMAIN.ddns.net

Check for the DDNS ( Dynamic Domain Name Service ) Setting in your Router’s advanced configuration settings.  Most routers will support one or more of the following: http://www.dyn.com, http://www.noip.com, and many others (search Google for “Dynamic DNS”).  The service will offer the ability to register a domain name to associate with the Dynamic IP address that is assigned to you by your Internet Service Provider.  Typically, your router or a software plugin that you download and install will update the Dynamic DNS service’s database when your assigned IP address changes.

Secure Socket Layer

https://letsencrypt.org/

Let’s Encrypt our connection with the Raspberry Pi.

Install

Rather than apt-get Certbot, I download the latest version directly from its repo:

sudo git clone https://github.com/certbot/certbot /etc/letsencrypt

Easy SSL through Automation

Certbot has a fairly solid beta-quality Apache plugin, which is supported on many platforms, and automates both obtaining and installing certs:

sudo /etc/letsencrypt/certbot-auto

 

Your domain name for your hydroMazing should now be secure.

The Decider

 

The Coreconduit: Garden Controller System was the first version of the hydroMazing project.  The author of the Instructable drones on and on about healthy plants requiring attention and boredom until,

“…I’ve programmed into the Arduino a function I called, “TheDecider” that makes decisions based on maintaining optimum environmental conditions for growing plants. I added 2.4Ghz Wireless Radio Transceiver modules and a modular receiver system so that data is transmitted to within 1000 feet.”

“TheDecider” was originally hardcoded with specific values that were fixed in place until I changed them in the Arduino sketch, recompiled, and uploaded.  There are two types of decisions that TheDecider executes: time-based and sensor-based rules.  The time-based rules simply compare the current time to the last time the appliance was turned on or off.  The sensor-based rules use a minimum value threshold and a maximum value threshold that are compared to the current sensor reading and then execute the corresponding action for the appliance.  For example, if the temperature is below 55° then turn off the ventilation fans; if the temperature is above 80° then turn on the ventilation fans.  Each appliance has corresponding rules for sensor reading thresholds, time-based automation, and a combination of both, with priority depending on the order of the rules.
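The two rule types described above can be modelled in a few lines. This is an added example, not the hydroMazing sketch itself (which runs on the Arduino); the class names, the `states` layout and the "first rule with an opinion wins" priority are assumptions made for illustration.

```python
from dataclasses import dataclass

@dataclass
class SensorRule:
    """Sensor-based rule: act only when the reading leaves the min..max band."""
    appliance: str
    sensor: str
    minimum: float
    maximum: float
    on_below_min: bool      # state wanted when reading < minimum
    on_above_max: bool      # state wanted when reading > maximum

    def decide(self, readings, is_on, since, now):
        value = readings.get(self.sensor)
        if value is None:
            return None                 # sensor missing: no opinion
        if value < self.minimum:
            return self.on_below_min
        if value > self.maximum:
            return self.on_above_max
        return None                     # inside the band: leave the appliance alone

@dataclass
class TimedRule:
    """Time-based rule: toggle once the appliance has held its state long enough."""
    appliance: str
    on_seconds: int
    off_seconds: int

    def decide(self, readings, is_on, since, now):
        limit = self.on_seconds if is_on else self.off_seconds
        return (not is_on) if now - since >= limit else None

def the_decider(rules, readings, states, now):
    """Run rules in order; assumed priority: the first rule with an opinion wins."""
    decided = set()
    for rule in rules:
        if rule.appliance in decided:
            continue
        is_on, since = states.setdefault(rule.appliance, (False, now))
        want = rule.decide(readings, is_on, since, now)
        if want is None:
            continue
        decided.add(rule.appliance)
        if want != is_on:
            states[rule.appliance] = (want, now)    # remember when it last changed
    return {name: on for name, (on, _) in states.items()}

# The page's example: fans off below 55 degrees, on above 80 degrees.
FAN_RULE = SensorRule("fans", "temperature", 55, 80, on_below_min=False, on_above_max=True)
```

Between the two thresholds the sensor rule returns no decision, so the fans keep whatever state they had, which stops them from chattering on and off around a single set point.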

Today’s hydroMazing uses the Raspberry Pi to provide an interface to the rules and the notifications.  The Pi communicates with the Arduino Nano microcontroller wirelessly sending updates and receiving data. TheDecider is a rules engine that executes the checks sent to it from the Pi.  The settings are stored in the EEPROM of the Arduino Nano allowing it to operate without further communications with the Pi.  hydroMazing doesn’t require an Internet connection to operate with the exception of receiving emails or text-alerts.  The Raspberry Pi can be configured to operate only within your WiFi network and be allowed to send emails and text-alerts.  Or, you can configure your router to allow access from outside and even assign a domain name, such as http://coreconduit.ddns.net.  See my Instructables for steps to a secure Pi.

 

Keep Fingers Out of your Pi

In my previous article, I explain how to set up the Raspberry Pi to be a web server.  I also demonstrate searching log files for “footprints” from the IP requests that have been made to your web server.  Now, I would like to discuss protecting your web server from becoming a victim of a potentially malicious attack.

Keep your Pi updated!

sudo rpi-update

The command will automatically update the Raspberry Pi’s firmware and then ask for a reboot.  If your Pi is already up-to-date, then you can continue with:

sudo apt-get update
sudo apt-get upgrade

Now, you’ve got the latest and greatest firmware and software!!


Pi Passwords

Ideally, we would disable the default pi account; at the very least, change the default password for your pi account.  Another major insecurity is that most users have SSH (Secure Shell) and VNC (Virtual Network Computing) enabled so that they can remote into their machines.  I don’t recommend allowing that access from outside of your network when running a publicly exposed web server.

Apache Web Server

If you are serving web content world-wide then you’ll eventually want to adopt some sort of blacklist, or exclusion list, where you can keep specific IP addresses from accessing your server.  However, if you want to tighten-down your security and only allow a select few access then you’ll need to make some changes.

cd /etc/apache2
sudo cp apache2.conf apache2.conf.bak
sudo nano apache2.conf    # or: sudo vi apache2.conf

Travel down the file until you reach this section that allows everyone access to your web server from the outside:

<Directory /var/www/>
 Options Indexes FollowSymLinks
 AllowOverride None
 Require all granted
</Directory>

The AllowOverride directive is set to None meaning we will not be using an .htaccess file to override these settings.  The next directive, Require is set to all granted, meaning allow anyone access.

UPDATE:  I have found a significant number of bot requests in my log files, snooping for those of us using phpmyadmin.  Be sure to limit access:

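<Directory /usr/share/phpmyadmin/>
# Apache 2.2-style access control; on Apache 2.4 it relies on mod_access_compat
# No space after the comma: "Order" takes a single argument
Order Deny,Allow
Deny from All
# localhost
Allow from 127.0.0.1
# Local-Area Network (replace x.x to match your own LAN addressing)
Allow from 192.168.x.x
</Directory>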
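To see which outside addresses are probing for phpMyAdmin, the access log can be tallied per client. The following is an added example, not code from the original article: the list of probed path names, the `min_hits` threshold and the sample log lines are assumptions, and the allowed networks mirror the 127.0.0.1 and 192.168.x.x entries above.

```python
import ipaddress
import re
from collections import Counter

# Apache "combined" log line: client, identd, user, [time], "METHOD path proto", status
LOG_LINE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<path>\S+)[^"]*" \d{3} ')
# Path prefixes that scanners try when hunting for phpMyAdmin (assumed list).
PROBE = re.compile(r'^/(phpmyadmin|pma|myadmin)\b', re.IGNORECASE)
# Clients the <Directory> block above already allows: localhost and the LAN.
ALLOWED = [ipaddress.ip_network("127.0.0.0/8"), ipaddress.ip_network("192.168.0.0/16")]

def phpmyadmin_probes(lines, min_hits=2):
    """Return {ip: hits} for outside clients that requested phpMyAdmin-like paths."""
    hits = Counter()
    for line in lines:
        m = LOG_LINE.match(line)
        if not m or not PROBE.match(m["path"]):
            continue
        try:
            ip = ipaddress.ip_address(m["ip"])
        except ValueError:
            continue                    # hostname or junk in the client field
        if any(ip in net for net in ALLOWED):
            continue                    # our own machines, not a probe
        hits[str(ip)] += 1
    return {ip: n for ip, n in hits.items() if n >= min_hits}

# Constructed sample lines using documentation address ranges, not real traffic.
SAMPLE = [
    '198.51.100.7 - - [04/Nov/2016:09:12:01 +0000] "GET /phpmyadmin/index.php HTTP/1.1" 404 503 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [04/Nov/2016:09:12:02 +0000] "GET /pma/scripts/setup.php HTTP/1.1" 404 503 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [04/Nov/2016:09:15:40 +0000] "GET /phpMyAdmin/ HTTP/1.1" 403 498 "-" "-"',
    '192.168.1.20 - - [04/Nov/2016:09:20:11 +0000] "GET /phpmyadmin/ HTTP/1.1" 200 3120 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [04/Nov/2016:09:21:00 +0000] "GET /hydroMazing/ HTTP/1.1" 200 1042 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ip, n in sorted(phpmyadmin_probes(SAMPLE).items()):
        print(f"{ip} requested phpMyAdmin paths {n} times")
```

On a real Pi, pass the lines of the Apache access log instead of `SAMPLE`; addresses that show up here are candidates for the exclusion list mentioned earlier.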

Next, we can add a directory that we want to protect:

<Directory /var/www/html/hydroMazing/>
 Options Indexes FollowSymLinks
 AllowOverride All
</Directory>

The AllowOverride directive is set to All meaning we will be using an .htaccess file to override these settings.  We will provide the Require directive in our .htaccess file inside the directory we specified, in this case, “/var/www/html/hydroMazing/”   One last setting of importance before we save:

# AccessFileName: The name of the file to look for in each directory
# for additional configuration directives. See also the AllowOverride
# directive.
#
AccessFileName .htaccess

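You could change the name of the .htaccess file here to something harder to guess.  Keep the dot at the beginning because it means hidden file.  If you do rename it, note that the stock apache2.conf only blocks web requests for files whose names begin with .ht, so pick a name that still starts with .ht or extend that FilesMatch rule to cover the new name.  Use your imagination 😉  Now you can use an .htaccess file as your whitelist, or inclusion list: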

To create a .htaccess ( or whatever you’ve named it ) file:

cd /var/www/html/mydirectory/

sudo nano .htaccess    # or: sudo vi .htaccess
# Allow access to localhost 
Require ip 127.0.0.1

# Allow access to my cell phone
Require ip 98.97.34.23

Second entry is an example, change it to your IP address, or the IP address that your web server logged.  See my previous article for instructions on checking your log files.  Save and close the file.  You can add additional access as desired.

 

Build a Wall

Install the open-source firewall builder

Pop open a terminal from your Raspberry Pi’s desktop and type the following:

sudo apt-get install fwbuilder

After the installation has completed, you will have a new option under the Menu/Internet option from your desktop for the firewall builder GUI.

Add a new firewall and name it the same as your server.


Select the “web server” template to load default rules.

Note that the default rules restrict your server from accessing the outside Internet.  In order to allow access, you’ll need to add a rule.  The easiest way to add a rule is to copy an existing rule that is similar to your needs.


Compile and Install

We can build our firewall through this interface, but we won’t be able to install it because we won’t have sufficient permissions to write to the file system.  Enter the following at a terminal window’s command line assuming you named your server the same as your DDNS name:

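sudo mkdir /etc/fw
sudo touch /etc/fw/servername.ddns.net.fw
# Give the desktop user who runs Firewall Builder ownership of the script instead of
# chmod 777, which would let any local account rewrite the firewall rules
sudo chown "$USER" /etc/fw/servername.ddns.net.fw
sudo chmod 755 /etc/fw/servername.ddns.net.fw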

Now, you should be able to use the firewall builder program to compile and install the firewall.   You can either restart the apache web server or simply reboot.

Anything incorrect, missing, or not working?  Please let me know.