Home Assistant security concern

jwelter · June 27, 2018, 1:28am

No cloud via their cloud service.

As mentioned I do use the echo devices via the hue emulation. Also Ecobee cloud, AWS Polly for TTS, dark sky, pollen and yahoo weather. But all those are outbound only.

No weird Chinese shit devices on my home automation network; just zwave+ devices with the exception of the above mentioned services.

jwelter · June 27, 2018, 1:35am

Duh - I am sorry everyone, I see this is a hass.io thread. I am running on a venv on ubuntu so not hass.io.

Really sorry for the hijack on the wrong platform… My bad - didn’t see it was in the hass.io area… But still be cautious with security - it seems something is going on…

lesonquan · June 27, 2018, 4:36am

Yes, I use cloud to integrate with Alexa.

nickrout · June 27, 2018, 5:08am

It shouldn’t matter how open your samba server is if you don’t expose it to the internet.

khabi · June 27, 2018, 5:57am

So I have an idea of what may be happening for at least a few people in this thread. Without seeing the full config for the http section its hard to be sure.

What I’m guessing is that people are using the trusted_network config along with use_x_forwarded_for. If you do that with a reverse proxy, its trivial to bypass the password prompt. For example, if I set up my HA install like this:

http:
server_port: 8080
api_password: !secret hass_password
use_x_forwarded_for: True
#My internal network is 10.0.0.*
trusted_networks:
- 10.0.0.0/16
ip_ban_enabled: True
login_attempts_threshold: 5

I can test it from outside my home network and it looks secure.

root@myhost:~# curl https://my_public_url_goes_here/api/
401: Unauthorized

But I can break it very easily:

root@myhost:~# curl --header “X-Forwarded-For: 10.0.0.1” https://my_public_url_goes_here/api/
{“message”: “API running.”}

In my case I use haproxy as my frontend, if I tell haproxy to unset that x-forward-for header and add its own (not trusting one that is already set), it secures my box right up:

root@myhost:~# curl --header “X-Forwarded-For: 10.0.0.1” https://my_public_url_goes_here/api/
401: Unauthorized

If you have access to an external linux box, I highly suggest you test that out to see if it works.

DavidFW1960 · June 27, 2018, 6:06am

interesting there’s a thread about this

DavidFW1960 · June 27, 2018, 6:09am

So I’m bemused… does this mean we should not use a trusted network (where the trusted network is our internal network) and the use_x_forwarded_for??? I don’t use the x_forwarded - only my internal network with Caddy (a reverse proxy)

The docs here https://www.home-assistant.io/components/http/ seem to say it maybe shouldn’t be used…

nickrout · June 27, 2018, 6:14am

Yes of course, but no one reads the docs.

DavidFW1960 · June 27, 2018, 6:16am

or maybe does not understand them fully. You’d think setting a trusted network would be an extra level of security and so is using a reverse proxy but using them both together seems a very bad idea!

khabi · June 27, 2018, 6:20am

Its totally possible to use them both at the same time if you take a little care. In haproxy you just need to set these two lines in your backend configuration:

reqidel ^X-Forwarded-For:.*
option forwardfor

In nginx I think all you need is:

proxy_set_header X-Forwarded-For $remote_addr;

I’ve never used caddy, so I’m not sure on that one. If someone doesn’t have access to an outside linux box to test it, i’m willing to test for them (you’ll just have to trust me that I won’t do anything :/) Of course don’t post your info here, but PM me it and I’ll take a look.

DavidFW1960 · June 27, 2018, 6:26am

This seems to indicate it’s handled anyway by default

github.com/caddyserver/caddy

proxy pass assistance

opened 10:42PM - 24 Nov 15 UTC

closed 05:04PM - 27 Nov 15 UTC

jungle-boogie

question

Hello, I have a simple nginx config as follows: ``` server { listen … 80; server_name localhost; #charset koi8-r; #access_log logs/host.access.log main; location / { proxy_pass http://10.132.5.134:8080/; proxy_redirect off; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; } ``` Can Caddy do something similar with the proxy setup as is?

What details would you need? I’ll play…

khabi · June 27, 2018, 6:28am

I just need to know what you have for trusted_networks, and the public url to your instance.

Tinkerer · June 27, 2018, 6:32am

Do you use a proxy server on your network?

DavidFW1960 · June 27, 2018, 6:48am

So @khabi has tested my network with and without the trusted network being set and Caddy and it seems secure.

khabi · June 27, 2018, 6:58am

If I get some time tomorrow I’ll try to make api endpoint people can hit to test their setup against known bad configs. I’ll toss the code for it up on gitlab/github as well so people can self host it if they want to test

digiblur · June 27, 2018, 12:14pm

The trusted networks part was my initial thought as well, I never used it myself as I do not trust anything and want the password prompt on my network no matter where the traffic comes from or it thinks it comes from.

jwelter · June 27, 2018, 12:20pm

Yes, haproxy. Haproxy is setup to only listen for SSL traffic on 8123; and acts as the SSL end point. It then proxies HomeAssistant port 8123.

RitteT · June 27, 2018, 12:37pm

What about the “Trusted Network”-theory above? Is that something you used?

lesonquan · June 27, 2018, 1:28pm

I’m using SMB addon @@
Maybe, I should stop using it @@

hadley1210 · June 27, 2018, 1:30pm

Can you check to see if you happen to have guest access turned on and if smb is exposed through your firewall? If so, it sounds like that may be the problem