I’ve just installed my local Blynk server (as a Docker container) on my hosted server.
I see that a “local Blynk server” is recommended for better security. But that is true only for servers hosted in a private LAN (not accessible from the Internet). I need mine to be accessible from the Internet (Android app, devices at several locations).
So I definitely need to secure it. Are there any best practices or something like that?
1. Remove the default administrator
I’ve connected with the app and added a user.
Changed his “isSuperAdmin” property to true.
Changed the default name and password (so that if this user is deleted, the “default” admin that gets created automatically will have a non-default email and password).
2. I publish only port 9443.
The non-SSL HTTP API and WebSockets port 8080 and the MQTT port 8440 are not published (until I need them).
I guess that is enough also for my ESP8266 (not tried yet; I prefer to secure my server before actually starting to use it).
At the same time I’ve seen that 8080 is a must for the local Blynk server… Not sure…
3. How do I configure fail2ban or something like it to block IPs after 2-3 unsuccessful connections?
Both for admin (https://…:9443) and from the app.
Multiple tries presenting an incorrect auth token?
4. Block the possibility to create new accounts.
Only one account with several projects is enough for me.
5. Is it OK to use the administrator account also for projects?
As it is very bad practice to work as root, I guess it is better to use the administrator account created in step 1 only for https://…:9443.
I’ve created another account (isSuperAdmin=false) for projects (a non-privileged user for the app).
Does that make sense?
6. Is it possible to stop https://…:9443/admin and keep only app and device connections on this port?
Administrative access is needed quite rarely and I’d like to start it manually only when needed.
Any comments and suggestions are highly appreciated.
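The fail2ban question in step 3 boils down to a small piece of detection logic: count failed authentications per source IP inside a time window (fail2ban’s `findtime`), ban after `maxretry` hits, and lift the ban after `bantime`. The following Python block is an added example that is not part of the original post and not code from the Blynk project. The log line format, the failure message wording and the `ip=` field are all constructed for the example; Blynk’s real log output looks different, so a real fail2ban jail needs a `failregex` written against the actual server log. The iptables rule string assumes the single published port 9443 from step 2.

```python
"""
Added example, not the Blynk project's code: a minimal fail2ban-style filter.
It bans an IP after `maxretry` failed authentications within `findtime`
and expires the ban after `bantime`.
The log format parsed here is CONSTRUCTED for the example (assumption):
    "<ISO timestamp> <level> <message> ip=<addr>"
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}) (?P<level>\w+) "
    r"(?P<msg>.*?) ip=(?P<ip>[\d.]+)$"
)

# Assumed failure messages for app login and device token checks (not Blynk's real wording).
FAILURE_PATTERNS = ("Invalid login or password", "Invalid auth token")


class BruteForceGuard:
    def __init__(self, maxretry=3, findtime=timedelta(minutes=10),
                 bantime=timedelta(hours=1)):
        self.maxretry = maxretry
        self.findtime = findtime
        self.bantime = bantime
        self.failures = defaultdict(deque)  # ip -> timestamps of recent failures
        self.banned_until = {}              # ip -> moment the ban lapses

    def is_banned(self, ip, now):
        until = self.banned_until.get(ip)
        if until is None:
            return False
        if now >= until:
            del self.banned_until[ip]       # ban expired, forget it
            return False
        return True

    def is_banned_at(self, ip, iso_time):
        """Convenience wrapper taking an ISO-8601 timestamp string."""
        return self.is_banned(ip, datetime.fromisoformat(iso_time))

    def observe(self, line):
        """Feed one log line; return the IP if this line triggered a new ban."""
        m = LINE_RE.match(line)
        if not m:
            return None                     # unparseable line, ignored
        ts = datetime.fromisoformat(m["ts"])
        ip = m["ip"]
        if not any(p in m["msg"] for p in FAILURE_PATTERNS):
            return None                     # not a failed authentication
        if self.is_banned(ip, ts):
            return None                     # already banned, do not recount
        window = self.failures[ip]
        window.append(ts)
        while window and ts - window[0] > self.findtime:
            window.popleft()                # only failures inside findtime count
        if len(window) >= self.maxretry:
            self.banned_until[ip] = ts + self.bantime
            window.clear()
            return ip
        return None


def iptables_rule(ip, port=9443):
    """Rule a ban action could insert for the only published port (assumed 9443)."""
    return f"iptables -I INPUT -s {ip} -p tcp --dport {port} -j DROP"


# Constructed sample log (assumption: not real Blynk output).
SAMPLE_LOG = [
    "2024-01-01T10:00:00 WARN Invalid auth token ip=203.0.113.5",
    "2024-01-01T10:00:05 WARN Invalid auth token ip=203.0.113.5",
    "2024-01-01T10:00:09 WARN Invalid auth token ip=203.0.113.5",   # 3rd failure -> ban
    "2024-01-01T10:00:30 WARN Invalid auth token ip=203.0.113.5",   # ignored while banned
    "2024-01-01T10:00:10 INFO Login ok ip=198.51.100.7",
    "2024-01-01T10:00:20 WARN Invalid login or password ip=198.51.100.7",
    "this line does not match the format at all",
    "2024-01-01T10:30:00 WARN Invalid login or password ip=198.51.100.7",  # first one aged out
    "2024-01-01T10:31:00 WARN Invalid login or password ip=198.51.100.7",  # only 2 in window
]


def run(lines, **kwargs):
    """Replay log lines; return the guard and the list of IPs that got banned."""
    guard = BruteForceGuard(**kwargs)
    bans = [ip for ip in map(guard.observe, lines) if ip]
    return guard, bans


if __name__ == "__main__":
    guard, bans = run(SAMPLE_LOG)
    for ip in bans:
        print(iptables_rule(ip))
```

With the sample above only 203.0.113.5 is banned: 198.51.100.7 also fails three times, but its first failure falls outside the 10-minute window by the time the third arrives, which is exactly the `findtime` behaviour a fail2ban jail would show. The attempt from the banned address at 10:00:30 is not recounted, and the ban lapses an hour after it was set.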