I got hacked

The 2FA etc. is only when accessing remotely via OpenVPN. Locally it just works like you're on the LAN.

How much stuff do you do remotely, or off-site?

It was an add-on in hassio when I tried it last year.

Ah, ok.
But I just looked and I can't see it on the official list of add-ons or the community add-ons.

It must have been pulled. Which is a shame.
Thanks anyway.

I’m pretty sure you can add repos

Yes, but how would you find out which one to add?

I love that you use 2FA and VPN. I personally use them together too, but not to access HA. It seems like the "hassle" kills the user experience.
This is what I’ve settled for:

  • Access something via VPN, e.g. VNC, SSH and other services (OpenVPN 2FA + fail2ban)
  • Access SSH externally (SSH 2FA + fail2ban + private key with long passphrase, password login disabled)
  • Access a web app externally (reverse proxy + 2FA + the app's login + fail2ban)
  • Access something via LAN: no VPN or 2FA.

This provides, for me, a level where I can use my services comfortably but securely. A couple of users have contacted me regarding setting up 2FA; you're more than welcome to set up a guide that I can point at.

I personally use them together too, but not to access HA. It seems like the "hassle" kills the user experience.

How do you access HA remotely then?

When I access HA on the LAN I have no auth; I just need to be on my trusted-device Wi-Fi. When I'm out and about and I want to get into HA, I VPN in.

I find my remote activity on HA doesn't have to be as seamless as local activity, so I can sacrifice a bit of usability from a connection standpoint. Also, once connected I'm connected, no need to re-auth unless my phone screen locks.

Cloudflare + nginx reverse proxy with Let's Encrypt + 2FA + fail2ban on top of the usual hass password is what I rely on for hass. This way the 2FA is stored in a cookie: I use the bitly oauth_proxy, and you don't have to enter the 2FA every time you enter hass (from a known device) because of the cookie.

I use the iOS app, and some types of notifications require external access; otherwise I'd need the VPN on all the time (which kills the battery on my phone).

That sounds cool, how many ports are open in your router to achieve that setup?

  • Nginx SSL
  • OpenVPN admin portal (2FA, may disable this)
  • OpenVPN
  • SSH (But as I said, this is secured according to this post)

So 4, but I may reduce it to 3. Since all ports need 2FA and additional security, I'm comfortable with having 3. I used to run VPN for everything and only had 1 before.

That's where I get hung up. I appreciate the 2FA and f2b etc. are all running, but I don't want to expose too many services to the world, and the fact that I must have a certificate to get in is a big plus for me. But then, that's what works for me. I think it's a shame notifications rely on being 'local' to the server. It would be nice if this was an external push service. (Key secured :stuck_out_tongue_winking_eye:)

I don't have f2b running on my VPN. Nice suggestion.

Maybe we should collate all these options in a single guide. I could do the OpenVPN one to death, but apart from at work I haven't set up a reverse proxy at home.

Everybody should only use as much security as they are comfortable with. I may be using your setup too in the future.

50/50 The current setup passes the WAF, adding more complexity doesn’t help :slight_smile:

Some nice security ideas here, but let's not lose sight of the fact that there is a component in hassio which out of the box is insecure, and the fix is insanely easy: turn off guest access.

There has been an update almost a day ago: https://github.com/home-assistant/hassio-addons/commit/072498cd84f7b576269f2c4399b92f796b7135aa
By default, access is now only allowed from RFC 1918 networks. That way, enabled guest access isn't such a big problem anymore.

Guest should default to false once the pull request below is merged…

The actual issue is UPnP that opened the port.
Guest: true is secondary after that.

Or was there someone with this issue that did not have UPnP enabled?

I say this only because if UPnP is still enabled, this will likely cause the user further issues. Also, it's likely that they have not upgraded the router firmware, since many routers have an update that turns UPnP off, I thought?

Allow hosts was in my config; it's there by default, and it still didn't stop this guy getting in.

Yes, UPnP opened the port, but that would not have been a problem if guest wasn't enabled. This is the out-of-the-box config:

{
  "workgroup": "WORKGROUP",
  "name": "hassio",
  "guest": true,
  "map": {
    "config": true,
    "addons": true,
    "ssl": false,
    "share": true,
    "backup": true
  },
  "username": "",
  "password": "",
  "interface": "",
  "allow_hosts": [
    "10.0.0.0/8",
    "172.16.0.0/12",
    "192.168.0.0/16"
  ]
}

Hassio is bound to be installed in a lot of home environments and a lot of home environments have UPnP enabled routers. If too many installs get hacked because of this flaw, HA will get a reputation as an insecure system.
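An added example, not code from the thread or from the add-on itself: a small Python check that reads a Samba add-on options document like the one quoted above and flags the settings this thread discusses (guest access enabled, empty credentials, allow_hosts entries reaching outside RFC 1918 space, the ssl folder exported). The hardened sample values in the test are constructed.

```python
from __future__ import annotations

import ipaddress
import json

# Out-of-the-box Samba add-on options, as quoted in the post above.
DEFAULT_CONFIG = """{
  "workgroup": "WORKGROUP", "name": "hassio", "guest": true,
  "map": {"config": true, "addons": true, "ssl": false, "share": true, "backup": true},
  "username": "", "password": "", "interface": "",
  "allow_hosts": ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]
}"""

# RFC 1918 private ranges: any allow_hosts entry not contained in one of these is flagged.
PRIVATE_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def audit_samba_config(raw_json: str) -> list[str]:
    """Return human-readable findings for a Samba add-on options document (empty list = clean)."""
    cfg = json.loads(raw_json)
    findings: list[str] = []

    if cfg.get("guest", False):
        findings.append("guest access enabled: shares are reachable without any credentials")
    if not cfg.get("username") or not cfg.get("password"):
        findings.append("username/password empty: no credential protects the shares")

    hosts = cfg.get("allow_hosts") or []
    if not hosts:
        findings.append("allow_hosts empty: no source-address restriction at all")
    for entry in hosts:
        try:
            net = ipaddress.ip_network(entry, strict=False)
        except ValueError:
            findings.append(f"allow_hosts entry {entry!r} is not a valid network")
            continue
        # subnet_of() only compares same-version networks, so guard on version first.
        if not any(p.version == net.version and net.subnet_of(p) for p in PRIVATE_NETS):
            findings.append(f"allow_hosts entry {entry!r} reaches outside RFC 1918 space")

    if cfg.get("map", {}).get("ssl"):
        findings.append("ssl folder exported: certificates and private keys exposed on the share")
    return findings


if __name__ == "__main__":
    for finding in audit_samba_config(DEFAULT_CONFIG):
        print("FINDING:", finding)
```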

FYI

Hi @cogneato,

It seems you haven’t yet signed a CLA. Please do so here.

Once you do that we will be able to review and accept this pull request.

Thanks!