I couldn't find a similar discussion and also wasn't sure what section to put this in, so here goes…
Has there been any discussion of methods and best practices to keep our Blynk devices from becoming part of the ever-growing IoT botnet?
What device?
For me, the ESP8266, but really anything that uses Blynk, I would expect.
Current botnets of IP cameras were pretty primitive: just a network scanner plus a regular (default) password. That's how it happened. With Blynk this is not possible, as there is nothing like a "default" password.
However, in case you don't use an SSL connection, your token could be intercepted on its way to the Blynk cloud. There is not much we can do about that. You need to use either an SSL connection (ESP supports it) or a local server. Also, for an attacker there is not much interest in getting your token, as the attacker can get access only to your hardware, while the real goal of botnets is money. With access to your hardware there is not much you can do with it.
My ESP "things" all connect to my WPA encrypted home network, which I require a password for.
So you would have to be a pretty amazing hacker to get access to my home network (and consequently any of my hardware).
At least that is my understanding of it all…
If you only access your things from within your house, never from outside your network, all is good.
If you can get at your things from outside your network, that's a hole that has to be protected and monitored or you're asking for trouble down the line.
so you are more asking about network security than device security?
maybe @Lichtsignaal has some advice?
Always use up to date and valid certificates, even within your own network.
If you have Blynk server running local, use a complex password and install fail2ban (if you are running Linux). Use a firewall and don't forward any ports.
Furthermore, don't worry too much. There is too much sht out happening already without you ever knowing or realizing it. You should take a couple measures, like I indicated, but you can't go around being paranoid all day worrying someone will turn off your light or see how warm it is in your house.
lol I dunno… if my lights suddenly started strobing without my doing it, I'd be pretty worried!
Well, it's not as bad as losing an entire database with privileged medical information, so it's best to try and not worry too much. There are worse things in this world than re-installing your Pi with the local server every, say, 6 months.
Could you please explain how specifically to protect my publicly available local Blynk server with fail2ban?
I can protect my sshd. But what about Blynk? What should I add to my /etc/fail2ban/jail.local to block brute force on Blynk's ports?
I wouldn't worry too much. Blynk already uses some non-RFC ports in that sense and the end-user is not very attractive for hackers unless it's REALLY easy to get in, and if you set your passwords and certificates it's probably gonna be ok (never can be sure). The safest bet would be, imho, to install PiVPN and use a VPN client on your phone to connect to your home network instead of via the Internet. That way you only have to open up tcp/443, and OpenVPN/SSL protection in fail2ban is probably easier than Blynk. With the added bonus you don't have to open 22 anymore (unless you want a 2nd way of having access to your Pi/network).
I'm sorry for posting here but I want to say thanks because this topic helped me a lot.