HA security question

aqus555 · November 30, 2024, 2:38pm

Hello, I have been running HA for years and have access through HTTP with port 8123 opened on my modem. Since it is not a secure connection, what could be the worst that could happen if a hacker gets into the system? They would first need my username, then guess my password, and also bypass two-factor authentication through Google Authenticator. Besides tampering with my lights, heating, etc., could they gain access to my server and network PCs?

HA is currently installed on VMware running on a Windows Server.

Additionally, I opened port 9 on my modem so I can turn on my server with Wake-on-LAN (WoL) when I’m not home. Some might wonder why. If I’m on vacation and there is a power outage, I have set my PC in the BIOS to automatically start when power is restored, but this doesn’t always work.

NathanCu · November 30, 2024, 3:32pm

You like to be owned huh?

Kill that port they can take over the box and use it to own everything else.

Three words

Zero day exploit.

And some need zero user input. Just the fact the door is there. You just gave them a door… This is absolutely not advisable at all.

You need something - ANYTHING in between that is designed to protect this. Nabu Casa or any of the multitude of ways to expose a port securely please.

Don’t just open the port. Oh yes once I own the box I can reverse engineer any credentials living there.

Rodrick · November 30, 2024, 3:32pm

Is there’s ever a security flaw with HA that can we exploited, that’s a risk. If you use a Vanilla password and username that can be exploited. If you overuse a password that gets exposed in a leak and you use it for your HA, that can be exploited.

Don’t tell anyone or advertise what ports are open on your system, you IP address follows you all over the internet, it is not safe to say I got this port open and that port open.

You can also open non-standard ports and use port forwarding on your router. Let’s say somehow an exploit is discover in HA, it is known, bad parties can start scanning IPs for open port 8123 and use the exploit if it hasn’t been patched. If you use a different port like 9, and forward it to 8123 and your HA machine. The lazy bad party will not know that your open port is for HA.

But someone is probably scanning your IP right now for open ports with non-patched exploits, just make sure you keep your system updated.

To my knowledge they are no exploits on HA and this current time.

NathanCu · November 30, 2024, 3:44pm

They scan all ports at once now and ID any open (this is profiling 101 and is part of any script kiddie toolkit)

A port is just a number don’t fall in the trap of its only 8123. I can pump any data oflvef any port. Once I lever it open and get the machine to execute code I own it

The fact it’s there unprotected is the problem.

aqus555 · November 30, 2024, 4:00pm

Understood thanks, I will remove the open ports now until I find other solution
Thanks for the insight