Over the past few days I’ve had some external internet probes that HA has filtered using the http.security_filter: -
Logger: homeassistant.components.http.security_filter
Source: components/http/security_filter.py:81
integration: HTTP (documentation, issues)
First occurred: 11 September 2024 at 22:01:27 (8 occurrences)
Last logged: 10:05:45
Filtered a request with a potential harmful query string: /index.php?lang=../../../../../../../../usr/local/lib/php/pearcmd&+config-create+/&/<?echo(md5("hi"));?>+/tmp/index1.php
Filtered a request with a potential harmful query string: /index.php?lang=../../../../../../../../tmp/index1
and
Logger: homeassistant.components.http.security_filter
Source: components/http/security_filter.py:87
integration: HTTP (documentation, issues)
First occurred: 11 September 2024 at 22:01:16 (8 occurrences)
Last logged: 10:05:36
Filtered a potential harmful request to: /cgi-bin/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/bin/sh
Filtered a potential harmful request to: /cgi-bin/%%32%65%%32%65/%%32%65%%32%65/%%32%65%%32%65/%%32%65%%32%65/%%32%65%%32%65/%%32%65%%32%65/%%32%65%%32%65/bin/sh
I just think it would be a good idea to have a security category on the forum where users could paste their logs containing such messages, so that HA developers can see what we are getting out in the wild that may help them improve HA’s inbuilt security features.
Hi Evan,
Consider this.
I am a volunteer. But even if I were an NC representative, you show me a link like that and I tell you to ignore it, then the next day someone gets into your system and steals something. Is it my fault? Are you going to sue me for that?
I’m not telling you what to do with this, but my thought is having a category like that would be asking for problems.
My suggestion would be to add a question like that to configuration here, or (starting next week) start your own forum thread on Discord with such a question.
Personally I will not be answering it, but someone might. Generally you should figure out where they are getting access like that or what else on your home network is compromised. Run a virus scanner on everything. Look at your router for open ports.
HA is not designed to be an interfacing service and design decisions might be putting more weight on convenience than security at times.
It is a user's choice to make their HA installation available on the internet.
If you ask on the forum for a way to do that, then VPN will always be the best way.
Port forwarding will always be an inferior solution, but some setups with cloud services require it that way. It will be up to the user to accept the lesser security for the higher convenience of those cloud services.
The choices a user makes to make their HA installation available on the internet can be many and varying, and also depend on their current setup with hardware and service providers, so it is often impossible to guide the user precisely to a solution.
The forum can often only push the user in a direction, which might be correct, but at other times also wrong, because the forum often does not have the complete picture.
And just FYI, what you are seeing is a well-known and very common attack for Home Assistant installations that use port forwarding. This vulnerability was fixed ages ago though and now just logs the attempt for your information. So the attacker is either a script kiddie or just hoping you have never updated your Home Assistant installation.
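An added example, not part of any post above and not Home Assistant's own code: a small Python triage script for the `security_filter` messages quoted in the first post. It percent-decodes each filtered target until it stops changing and tags what the request was reaching for; the tag names and function names are this example's own, and the sample log is copied from the first post.

```python
import re
from urllib.parse import unquote

# Sample input: the four filtered-request messages quoted in the first post.
SAMPLE_LOG = """\
Filtered a request with a potential harmful query string: /index.php?lang=../../../../../../../../usr/local/lib/php/pearcmd&+config-create+/&/<?echo(md5("hi"));?>+/tmp/index1.php
Filtered a request with a potential harmful query string: /index.php?lang=../../../../../../../../tmp/index1
Filtered a potential harmful request to: /cgi-bin/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/bin/sh
Filtered a potential harmful request to: /cgi-bin/%%32%65%%32%65/%%32%65%%32%65/%%32%65%%32%65/%%32%65%%32%65/%%32%65%%32%65/%%32%65%%32%65/%%32%65%%32%65/bin/sh
"""

MESSAGE = re.compile(
    r"Filtered a (?:request with a potential harmful query string"
    r"|potential harmful request to): (?P<target>\S.*)$"
)

def fully_decode(value, max_rounds=5):
    """Percent-decode until the value is stable; return (decoded, rounds used)."""
    rounds = 0
    while rounds < max_rounds:
        decoded = unquote(value)
        if decoded == value:
            break
        value, rounds = decoded, rounds + 1
    return value, rounds

def classify(line):
    """Return decoded target and tags for one log line, or None if unrelated."""
    match = MESSAGE.search(line.strip())
    if not match:
        return None
    target, rounds = fully_decode(match.group("target"))
    checks = [
        ("path-traversal", "../" in target),
        ("double-encoded", rounds >= 2),   # e.g. %%32%65 -> %2e -> .
        ("php-pearcmd", "pearcmd" in target),
        ("php-code", "<?" in target),
        ("shell-path", target.endswith("/bin/sh")),
    ]
    tags = [name for name, hit in checks if hit]
    return {"decoded": target, "rounds": rounds, "tags": tags}

def triage(log_text):
    """Classify every security_filter message found in a block of log text."""
    return [r for r in map(classify, log_text.splitlines()) if r]

if __name__ == "__main__":
    for result in triage(SAMPLE_LOG):
        print(result["rounds"], result["tags"], result["decoded"][:70])
```

Run over a full log export, the tag counts give a quick picture of which probe families are reaching the exposed port and how many layers of encoding they use.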