Classic - web monitoring summary?

Started by cabinrob, February 04, 2015, 06:21:44 PM


cabinrob

Hi,
I'm new to this forum and looking to upgrade my solar system with a Classic 200.
I've been searching the documentation and forum for info on monitoring the Classic over the web.
So far, I haven't found a good summary.
Here is what I'm after:
My installation is at a remote cabin.  I have an internet connection - but it is via a cellular modem - hence data is expensive.
I would like to (securely) monitor my charge controller.
From what I can see, exposing the Local App to the internet is not a good idea.  There doesn't seem to be any security.  Even if a remote user cannot change any settings, allowing access to any data is not good.  From my modem/router logs, I can see that there are "people" all over the world who seem to have nothing better to do than sniff for open ports and then try to access whatever they find.  No login security and interesting data means that people will be viewing and playing - which all eats up my expensive data plan.  Why isn't there a simple user/password for the local app interface?
As for the My Midnight App - I am guessing that it pushes data to the Midnight servers?  Can I limit the amount of data that is sent?

Bottom line - I am interested in a very simple, secure, low bandwidth ability to see the status of a Classic over the web.  Is this capability available?

Rob

RossW

Quote from: cabinrob on February 04, 2015, 06:21:44 PM
Bottom line - I am interested in a very simple, secure, low bandwidth ability to see the status of a Classic over the web.  Is this capability available?

Simple answer: "yes"

More complex answer: If your cellular router supports it, port-forward a specific port (outside) to the Classic (inside) port 502 for Modbus. Lock the router to only permit the port forward from your trusted IP addresses.
You can read pretty much anything via modbus. (Check other threads here, I think the "black box project" includes work from multiple people including me)
3600W on 6 tracking arrays.
7200W on 2 fixed array.
Midnite Classic 150
Outback Flexmax FM80
16 x LiFePO4 600AH cells
16 x LiFePO4 300AH cells
Selectronics SP-PRO 481 5kW inverter
Fronius 6kW AC coupled inverter
Home-brew 4-cyl propane powered 14kVa genset
2kW wind turbine

xsnrg

If you so desired, you could set up a BeagleBone or a Pi as a VPN server (OpenVPN).  Run a webserver or other data viewing/gathering apps directly on the BB/Pi so that it is only moving data when you connect to it, to save bandwidth money.  Alternatively, you could connect to it by some automated process periodically and pull down data, then disconnect to view locally at your leisure.  Data aside, having the VPN server only takes about 1-2 watts of power, and gives you the ability to monitor other things about the network or even the environment at the cabin (the BB has a LOT of I/O capability, so temperature, etc. can be monitored).
3x 250w Renogy RNG-250D
1x MidNite KID w/WBjr and MNBTS
1x 12v 100Ah el cheapo deep cycle
1x 300w PST-300-12 Samlex pure sine
http://www.howardweb.org/weather/solar/index.html

cabinrob

Thanks for the answers.
Interesting, I have a fixed IP address at the cabin - but can't get a fixed IP address at home - so securing the connection by router rules is difficult.
My simplistic view of all of this is:  I have a $99 webcam at my cabin.  I can assign usernames/passwords on this webcam and can view live data as well as have the cam send me emails when something interesting is happening.
Why isn't this sort of functionality supported in devices like the Classic?  In this connected world, it seems like this should be trivial.
Currently, I have a Xantrex C40 as a charge controller.  I can monitor it easily.  How?  I just pan my webcam to look at the display.  Kind of a low tech/high tech solution.  I was hoping that on upgrading to the latest and greatest charge controller technology, there would be a simple out-of-the-box solution.
I'm currently working on setting up an Arduino at the cabin - that yes, would monitor temperatures and a host of other things - but - I fear that this project might go the same route as other attempts to write/build a web interface - good intentions but a nightmare to support or augment.
I was really hoping for a simple solution.....

TomW

I wonder if you could use ssh via a port forward to initiate a tunnel back to your phone for the app or just to monitor things via a modbus collection script?

Must be dozens of ways to get there?

I don't use / have a cell phone so no clue on their capability.

ssh would require a login over the secure link and stop open access.

Anyway, just a general concept.

Tom
Do NOT mistake me for any kind of "expert".

( ͡° ͜ʖ ͡°)


24 Trina 310 watt modules, SMA SunnyBoy 7.7 KW Grid Tie inverter.

I thought that they were angels, but much to my surprise, We climbed aboard their starship and headed for the skies

atop8918

By default the Classic is equipped with "no write" access enabled, although this is by no means secure in the long term. It also transmits "in the clear". MyMidNite does use an encrypted connection, however the currently released firmware is fairly data hungry. I am sitting on a new release which considerably dials back the data use. MyMidnite traffic with the latest firmware release should be less than 328,320 Bytes per day which is less than 10 MBytes per month.


cabinrob

In my original post, maybe I "mis-spoke" a bit.  When asking for "security," I wasn't really expecting a "secure" encrypted connection.
My hopes were a bit more modest - just a simple username/password option through the Local App.  That way, if I expose the Classic to the web, at least the curiosity seekers are stopped by a login prompt.  I'm basing this request on what seems to be pretty standard on various web-cams.
I guess it is easy to ask for this, but since I'm new to MidNite Solar equipment and don't yet understand the architecture, maybe I'm asking for too much!?!

TomW

Quote from: cabinrob on February 06, 2015, 09:48:09 AM
In my original post, maybe I "mis-spoke" a bit.  When asking for "security," I wasn't really expecting a "secure" encrypted connection.
My hopes were a bit more modest - just a simple username/password option through the Local App.  That way, if I expose the Classic to the web, at least the curiosity seekers are stopped by a login prompt.  I'm basing this request on what seems to be pretty standard on various web-cams.
I guess it is easy to ask for this, but since I'm new to MidNite Solar equipment and don't yet understand the architecture, maybe I'm asking for too much!?!

Well, you cannot change any settings from the Local App unless you enter the Classic's serial number into the App. That does not stop viewing, however.

Just FYI

Tom
Do NOT mistake me for any kind of "expert".

( ͡° ͜ʖ ͡°)


24 Trina 310 watt modules, SMA SunnyBoy 7.7 KW Grid Tie inverter.

I thought that they were angels, but much to my surprise, We climbed aboard their starship and headed for the skies

Bob D

Cabinrob: I have exactly the same situation (remote; cell modem, expensive data), and I use MyMidnite for keeping an eye on things.
Then, if I see something that needs a tweak, I open Local App temporarily.
Letting MyMidnite run uses about 2.5 MB per day, so on a monthly basis I am usually just below my service provider's 100 MB first-tier service ($10 per month).
If I use Local App much, I usually go over the monthly 100 MB.
Thought this info might help your decision.
Oh yeah, the sub-100 MB monthly use includes similar monitoring of my Magnum inverter.
It is a bit of hassle to open and close the ports on my router when I want to use LocalApp, and there is some potential security breach possible for the short time I have it open, but I think it reduces the risk to trivial levels.


Somewhat related - I cannot clear the panels of snow in the winter, and found that running the inverter all the time (about 900 Wh/day) could eventually draw down the battery to a level at which freezing became a potential.  I installed a 24V/12V converter to directly power the cell modem, and reduced the daily power to about 300 Wh, at which point the batteries can last over a month without sun, and still resist freezing to -25C or so.  FWIW
Classic 150, Magnum 4024, 12-215W panels, 12-85-13 forktruck battery

atop8918

TomW nailed it: there is simple authentication on the Classic already. The device is Read-Only unless you Write the serial number to the appropriate unlock registers. This is done automatically by the Local App once you enter the serial number in the Config menu the first time through.

cabinrob

Replies to the replies:
How much data is being sent while the Local App is open?  I.e. if there are curious people out there, and they happen to be viewing the Local App data all day - how much data moves?  Is there any documentation on what the communication between the Local App and the Classic looks like?

Using a serial number for security isn't really security.  Once the number is compromised, since it (I assume) cannot be changed, all security is gone.  A simple script could presumably blindly try serial numbers with the correct number of characters and may crack things with a bit of help knowing something about possible patterns.  I believe I saw somewhere on the forum that one could read the serial number from a register?

So far, one of  the simplest solutions appears to be the one posted by Bob D - that of temporarily creating a port-forwarding rule.

As with Bob, I also have a DC-DC converter on my router - and end up using about 200 Wh/day.  That includes a webcam.  Something that I found useful was putting a timer on the modem/router.  I had many instances when the modem would lose its connection.  The carrier would simply say - reset the modem.  Easy to say, very hard to do!  I then set up a timer so that it turns off the power for two minutes a couple of times a week.  This forces a reboot and reconnect.   For my "optical interface" to my current charge controller, weather station, battery monitor etc., I have a second webcam.  To save power, I have another timer which only turns on the second webcam for a short time a couple of times a day.  This is enough to see the health of all systems.

atop8918

Yes, you are correct, the serial number is NOT secure -- it is intended as a failsafe to keep reading as reading and writing as writing.
The Local App does not push any data to mymidnite; it communicates only between the Classic and itself using basic MODBUS/TCP. The Local App is very data heavy as well -- it is meant for local network connections; although it can be re-purposed for remote connections, it is not designed nor well-suited for this purpose.
You would be well served to set up a local data polling system using RossW's app or similar and then push or pull that data to/from your remote server on a timely basis using SSH or something REALLY intended for remote connections. We will have a considerably improved MyMidNite protocol released soon which will dial back the current data use considerably. That is encrypted up to the server and also requires a TLS connection on the HTTP side. It is only one-way, though, which definitely limits its usefulness.

mike90045

Isn't the Classic limited to 1 connection ?  If I leave the local app running in the battery shed, I can't connect at the house, unless I walk back over and disconnect the android.
So a hacker would have to log into your wifi, have a local app, wait for you to disconnect, before he could play games.  And you would know something is up, when you can't log on anymore.
http://tinyurl.com/LMR-Solar

Classic 200| 2Kw PV, 160Voc | Grundfos 10 SO5-9 with 3 wire Franklin Electric motor (1/2hp 240V 1ph )| Listeroid 6/1, st5 gen head | XW6048 inverter/chgr | midnight ePanel & 4 SPDs | 48V, 800A NiFe battery bank | MS-TS-MPPT60 w/3Kw PV

dgd

Quote from: mike90045 on February 08, 2015, 05:58:52 PM
Isn't the Classic limited to 1 connection ?  If I leave the local app running in the battery shed, I can't connect at the house, unless I walk back over and disconnect the android.
So a hacker would have to log into your wifi, have a local app, wait for you to disconnect, before he could play games.  and you would know something is up, when you can't log on anymore.

Haha, I never imagined a positive spin could be made of the single Classic user tcp connection. But you are correct.
But you are wrong also. The second tcp connection reserved for the MyMidnite server connecting to your Classic is where the hacker will be, or is, or has been.
If security concerns you then make sure your MyMidnite connected Classic is NOT on the same LAN that has your private PC/laptop.
If you have address books, financial info on that PC then make sure you have very up-to-date malware detection capability.
It is near impossible to detect an intruder or their activities if they use the MyMidnite tcp connection simply because the link data is encrypted and you have no way of monitoring or checking on that data.

dgd
Classic 250, 150,  20 140w, 6 250w PVs, 2Kw turbine, MN ac Clipper, Epanel/MNdc, Trace SW3024E (1997), Century 1050Ah 24V FLA (1999). Arduino power monitoring and web server.  Off grid since 4/2000
West Auckland, New Zealand

atop8918

Well that was one of the intentions of the one TCP listen port -- to keep an always open monitoring service like the local app attached which would preclude anyone else getting in.
The MyMidNite connection is outgoing only; the Classic will not accept any incoming connections on it. It also guards against session hijacking using session-only keys and a matched certificate to and from the server.  To keep things in perspective, all HTTPS web traffic is also encrypted, so you are also at risk from not being able to see what is going on between a compromised PC and whatever it is connected to. Try a netstat -an from the command line and you will see your computer connected to all kinds of interesting places for which you have not given explicit permissions! Then try to figure out if it's a CMS connection, a bloody google service, or a keystroke logger using wireshark. Most malware scanners will not scan your hard drive firmware, nor will many detect rootkits, nor will they detect firmware viruses on USB keys, nor is there anything that will scan a printer for problems.

Dgd has called it though: to be safe put your Classic or monitoring PC into a DMZ or a separate subnet off of your router and then you won't have to worry about a compromised device messing up the rest of your network. Keep in mind that devices from printers to refrigerators are open to hacking these days, so err on the side of paranoia. Both the Ozzy Osbourne and Aluminum Foil hat kind.