80, 8123, 443 and then some Steam ports. I had SSL, API password, Let's Encrypt - DuckDNS.
Just checked mine. Still has the password set.
Considering you are the second person this has happened to this week, it seems like some nice guy is pointing out HA instances with security flaws to the owners.
Who else got done? It feels like it is someone on this forum doing it.
@Dominic I’ve worked my way through many of the ssl addons and methods and my favorite so far is the Caddy addon for its ease of use and configuration. It’s an Nginx-like webserver with a slightly simpler configuration. This particular addon uses a Caddyfile just like a traditional Caddy setup would.
This is the repo https://github.com/korylprince/hassio-caddy/tree/master/caddy
You can read more about Caddy here https://caddyserver.com/
Benefits:
- ssl for your HA domain and other addons or subdomains for your addons
- as with Nginx, everything comes through 443 (you could change that to something else too).
- no need to forward all those other ports in your router.
- easily proxy ports for other servers on your network (for me…ombi, plex, ubooquity, etc)
- it’s all ssl and handled by caddy, so you don’t configure the ssl settings and certificates in the individual addons.
- You get to use http://local-ip:8123 again wherever you want or need to use it, like node-red for example. Whereas with duckdns + le, everything has to use https://, and you get the cert warning business in the browsers…blech
Cons:
- I don’t know a whole lot about proxy-ing and there are probably other flags to be used to make things more secure.
This is the addon config:
{
  "flags": [
    "-agree",
    "-email",
    "[email protected]"
  ]
}
Here’s my caddyfile:
## home assistant (Caddy v1 syntax: one site block per hostname,
## "proxy" forwards to the upstream, "websocket" keeps the HA websocket
## API working and "transparent" passes the original Host/X-Forwarded-* headers)
my-domain.com {
    proxy / localhost:8123 {
        websocket
        transparent
    }
}
## node-red on the pi3
node.my-domain.com {
    proxy / localhost:1880 {
        websocket
        transparent
    }
}
## configurator on the pi3
config.my-domain.com {
    proxy / localhost:3218 {
        websocket
        transparent
    }
}
## sonarr on another pc (upstream is another machine on the LAN)
sonarr.my-domain.com {
    proxy / 192.168.1.201:8989 {
        websocket
        transparent
    }
}
## ombi on another pc
ombi.my-domain.com {
    proxy / 192.168.1.201:3579 {
        websocket
        transparent
    }
}
It works great so far. None of these ports show as open when using a scanning tool online. I migrated from a pi3 to a VM with a different local ip and didn’t have to change a thing for Caddy.
If anyone has questions or things to teach me, hit me up here or in discord!
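As an added example (not the poster's Caddyfile and not the addon's own sample), the same Caddy v1 syntax can put a login and a few browser headers in front of a proxied app that has no authentication of its own, which addresses the "other flags to make things more secure" point above; the hostname, upstream address, log path and credentials are placeholders.

```caddyfile
## Example only (not from the post above): a hardened vhost in Caddy v1 syntax
## for a proxied app that has no login of its own. Hostname, upstream address,
## log path and credentials are placeholders.
tool.my-domain.com {
    ## Caddy still fetches the Let's Encrypt certificate itself; this only
    ## sets the contact address (same purpose as the addon's -email flag).
    tls you@example.com

    ## Ask for a username/password before any request reaches the upstream.
    ## Home Assistant has its own login screen, so do not add this on the HA vhost.
    basicauth / CHANGE_ME_USER CHANGE_ME_PASSWORD

    ## Browser-facing headers: stick to HTTPS on return visits, refuse framing,
    ## and drop the Server header (the leading "-" removes a header in v1).
    header / {
        Strict-Transport-Security "max-age=31536000;"
        X-Content-Type-Options "nosniff"
        X-Frame-Options "DENY"
        -Server
    }

    ## Access log so failed logins and unexpected paths are visible later
    ## (placeholder path; it must be writable inside the addon container).
    log /data/caddy/tool-access.log

    ## Same proxy block as the working examples above.
    proxy / 192.168.1.201:8989 {
        websocket
        transparent
    }
}
```

Services that already have a login (Home Assistant, and anything that uses its API from a client app) should keep the plain proxy block, since basic auth would break those clients.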
Just for the record, I DID have a Samba password set and at some point it got unset with everything (Samba) set to the defaults. I haven’t looked at the Samba add-on since setting it up originally and I have the password I used in my password store which is as good evidence as I can provide to show that it was once set.
I have in the past restored snapshots, both full and partial (config only). Could that be relevant?
I have no signs of being hacked or ‘intruded’ or whatever you want to call it and I have strong passwords on everything else (and Samba again now!).
It is worrying though.
Every port that is forwarded from the router should be protected with a password.
^^^ this. I’d also add that not every port should be forwarded. I can see why you need to forward port 443 on your router, but I’m not sure why you need to forward any other ports.
Well, if you want to run terminal and configurator addons. I also don’t forward 443 - I forward 8123.
Funny thing as well… My Coffee Maker (connected to a Sonoff running Tasmota and controlled by MQTT in HA) turned on at 3am this morning and I thought I might have been hacked… But it turns out my router automatically upgraded its firmware and restarted, and after the restart for some reason the switch got triggered! The other switch (exactly the same) stayed off…
What about MQTT?
Don’t you need a port open for that?
Well that depends on whether you need to access your mqtt server from outside your LAN.
Ah Ok, yes, I use Owntracks.
It works well for me but I’d rather not be using it simply because of the extra open port.
No because it’s running in a Hassio addon… I don’t access externally.
Not a hass.io pro here at all, only ran it a few times to see it on a spare Pi3. I have my own docker stack of various things going on my unRaid media server. I’m using Let’s Encrypt for a reverse proxy and you can only get into the HA app via 443. I don’t have 8123 forwarded outside nor do I have port 80 except for when I need to renew my cert for the challenge request on 80. Why do you need to forward 8123 when you can just pass it through the reverse proxy as intended?
I do wish we could do an alternative home path for HA instead of just root like many other apps though. It would add another piece to the puzzle for someone to figure out as they couldn’t just go to mycool.duckdns.org they would have to know to go to mycool.duckdns.org/SuperCOOLzHomeAutomation or something like that combined with some random user name and random password. It’s a little bit of security by obscurity but that last piece of the random user and password should stop things.
Because a good chunk of people around here don’t know what a reverse proxy is? Or how to configure one?
Guess I should stop assuming the Let’s Encrypt container they are using comes with nginx and fail2ban? Spoiled by how easy this was to set up: Docker.
If you think about it, most people that have issues around here are running hassio. They didn’t set anything up manually, and the trend I have noticed in this forum and on reddit, is that a lot of people using Home Assistant don’t come from an IT background or play in this space much. Docker is a buzzword to most, and if the instructions are not laid out very succinctly, or in video form, it’s not likely they will venture into the realm of straight up Docker, manual installation, or reverse proxies.
I don’t want anyone to think I am putting those people down, it’s just something I have noticed.
Can you tell me more about Caddy and Hassio?
Did you use it only on the local network?
How do you connect from the outside world to the local HA server?
It’s a reverse proxy. You use the same domain you have setup already.