Duckdns calls from HA OS platform, after duckdns was disabled-removed

hi all

I have Suricata checking my network and I’m seeing strange calls to the outside world to duckdns… this is after I built a new HA OS install, and did a partial restore (restored folders and shares), and some apps (and this did not include duckdns, I did use duckdns before).
any idea how/where to find the remnants of duckdns and remove it…

G


Do you still have the duckdns URL specified anywhere in your configuration (including your secrets file)?

Do you still have the Certificate Expiry integration?

that’s what I can’t figure out… was specified in the duckdns config, and in the nginx, both removed.
thinking the configuration might have downloaded a lets_encrypt cert (well know there was a cert from lets_encrypt),

might that be the cause, where would I find that?

don’t recall configuring anything like this… “Certificate Expiry integration”

G

You can check easy enough by looking at the Configuration / Integrations page.

Did you remove your SSL config from under http: in your configuration.yaml file?

http:
  ssl_certificate: /ssl/fullchain.pem # <- remove this line
  ssl_key: /ssl/privkey.pem # <- and this line

Have you searched the rest of your configuration files for the duckDNS URL?

Did you remove your port forwarding rule in your router (not the cause of your issue but it is a hole you should remove)?

so under my http: section, those lines have always been commented out, as that is what the instructions required, for Duckdns/nginx/HA setup, similarly, when duckdns started having problems I switched to dynudns.

#  ssl_certificate: /ssl/fullchain.pem
#  ssl_key: /ssl/privkey.pem

I see I had external_url: “https://.ddnsfree.com:8124”
will comment this out. but sure this was for dynudns, not duckdns…

G

ok, so even with that external commented out still getting the calls to *.duckdns…

and no on the question re the cert expiry integration.

G

Yes. I had some security concerns, had phantom arm/disarms on my alarm system that’s integrated via paradox alarm integration add on… so for now totally removed it, going to change how I get to my system and how/where keys are stored. going to be using cloudflare with reverse proxy, also want to configure my side (pfSense) a WAN rule that only allows the cloudflare servers to access the target port.

Did you remove your port forwarding rule in your router (not the cause of your issue but it is a hole you should remove)?

G

hmmmm

I redid that comment out of external and restarted the server, have to monitor… but haven’t had a call to duckdns the last 5 minutes that I can observe in Suricata.

G

confirm… removing the pointer to the current external, has removed all Suricata alerts.
pretty sure that url was actually ddns owned by dynudns…

thanks.

G

well it seems it’s not resolved.

the alerts are back.

G

nginx setting perhaps (I know very little about the reverse proxy)?

nginx was there before the entire migration. I totally uninstalled nginx, duckdns, dynudns.
did the backup, built a new HA OS onto a new RPi4B, restored the folders, and only selected apps (the above was not there as it was not part of the backup).

G

Nope. If you removed the addon you removed the container with all the processes. It’s something in your config still using the URL.

not that I have been able to find.
nothing in configuration.yml or any of the other yml files.
G

dammmmmm… not finding any left over file/setting…
G

how to find it… I’m looking through everything and can’t figure out where it is.
G

Do you have the companion app on your phone/tablet and configured duckdns there? Did you search for your duckdns url in the hidden .storage folder?
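The search suggested in this thread (configuration files, the secrets file and the hidden .storage folder), written out as an added example that is not from any poster: it walks the whole configuration directory and reports each place the string still appears, giving the JSON key path for .storage files and the line number for everything else. The `/config` path, the search term list and the size cap are assumptions.

```python
import json
import os

# Assumptions (not from the thread): lower-case search terms and the size cap.
NEEDLES = ("duckdns",)
MAX_BYTES = 5 * 1024 * 1024  # skip big files such as the recorder database


def json_hits(node, needles, path="$"):
    """Yield (json_path, value) for each string value containing a needle."""
    if isinstance(node, dict):
        for key, value in node.items():
            yield from json_hits(value, needles, f"{path}.{key}")
    elif isinstance(node, list):
        for index, value in enumerate(node):
            yield from json_hits(value, needles, f"{path}[{index}]")
    elif isinstance(node, str) and any(n in node.lower() for n in needles):
        yield path, node


def find_references(config_dir, needles=NEEDLES):
    """Return sorted (file, location, text) hits; os.walk includes .storage."""
    hits = []
    for root, _dirs, files in os.walk(config_dir):
        for name in files:
            full = os.path.join(root, name)
            rel = os.path.relpath(full, config_dir)
            try:
                if os.path.getsize(full) > MAX_BYTES:
                    continue
                with open(full, encoding="utf-8", errors="replace") as fh:
                    text = fh.read()
            except OSError:
                continue
            try:  # .storage files are JSON: report the key path of a match
                found = list(json_hits(json.loads(text), needles))
            except ValueError:
                found = []
            if found:
                hits += [(rel, where, value) for where, value in found]
                continue
            for lineno, line in enumerate(text.splitlines(), 1):
                if any(n in line.lower() for n in needles):
                    hits.append((rel, f"line {lineno}", line.strip()))
    return sorted(hits)


if __name__ == "__main__":
    for hit in find_references("/config"):  # usual HA OS config path (assumed)
        print(*hit, sep=": ")
```

Commented-out lines are reported too, so a hit in a YAML file still needs a look to see whether it is live configuration.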

You probably have an automation that is referencing the external URL? Or if you have the mobile app maybe that has the external URL setup to use the duckdns domain?

… think you might have it… the HA apps are still on the phones, ready to be used… it still has the external url specified, but thing is the mobile app is pointing to the dynudns service https://.ddnsfree.com:8124, not duckdns url.
G

What about something like Wireguard, is that installed? Also have you checked - Home Assistant Settings > General (scroll right down to near the bottom) > External and Internal URL in there?