I got hacked

I leave my car doors unlocked and keys nearby.
Not an issue because it's parked in a private garage. Maybe not best because kids or someone may take the car without asking. No big deal to me.

UPnP is someone I don't know and did not authorize randomly opening the garage and waving a flag to strangers saying come in and have a look. This is a serious security problem.

HA should move to better default states, but the problems are currently caused by poor network setups. I feel this is more important (from the user's perspective) because it not only affects HA users but also anyone who doesn't use HA and has some other service, or just surfs the web.

EDIT
My focus is educating users so they prevent their own problems.
HA can never stop everything, but an educated user will have the best chance. Reading AND UNDERSTANDING the component docs would have prevented this, vs. "I found this guide and set it up" or "I found code online and ran it on my computer, but now I'm hacked".

Hi,

It occurs to me that one way to help with hackers is to limit the attack surface. Use “http://whatsmyip.org” to find out your “outside” IP from home, from work, from your Mom’s house, etc. Do the same from your phone from various places.

You can limit these addresses to get to your outside firewall / router. That will cut down on most all of your issues. But if you want to use your cell phone from anywhere in the country, or even Europe, for example, you can check what IPs you'll get in that country with your ISP of choice. Or, Google around; there are numerous (many automated) lists of blacklisted sites or countries.

If you want to block any Chinese site from getting to your kit, then you can do it. You may also consider a honey-pot: get a cheap Raspberry Pi with no access to your network, put some junk on it, and leave it "outside" your firewall. Don't mention Hass at all, just leave a few generic pictures, fake emails, etc.

The log from this pi could be viewed to see what IPs are attacking you. Then make sure you block those from your real Hass or firewall.

You might even be really sneaky and vary the port you use for Hass. Every day it's 8123 + the numeric day of the week. Although I use the duckdns method, and that's a great, free certificate; no unencrypted stuff leaves my Hassio pi now!

-Ambi

This would be ok but the whitelist would be as long as the blacklist and just as hard to maintain since providers like to swap their IPs around.

This is mostly solid advice; you'll likely want to block any of your IP cameras from accessing the internet as well, if possible.

And how do I recognise a Chinese site? Or a Korean, or a Russian, or ...?


Well you see ... hackers NEVER spoof an IP, or route through a VPN, or anything like that.
What do you think they are??? Criminals? :rofl:

No. I think that IP spoofing is useful to an attacker as a means for amplification of a DDoS attack. My little Pi’s not going to help them much.

I think that layers of defense and limiting the attack surface are useful. When I park downtown, I know to take my cell phone with me. I know where to park to limit my exposure.

That’s why I subscribe to a service from my hardware firewall’s vendor for antivirus, antispam, content filtering, web filtering, etc. It limits my exposure. I limit access to HA from only a few IP addresses. I know the networks my phone will use and allow those. I don’t use Wi-Fi at Starbucks to get to my HA.

The only exposure I have “on the internet” is my HA on a RPi with 256-bit encrypted SSL. And I don’t even use port 443. I even rate limit the incoming SSL traffic, to dissuade brute force attacks. And I keep an eye on my HA logs for interesting inbound logins.

I’ve got a friend who lives in one of the highest crime neighborhoods around, and he leaves the windows on his car open at night. On purpose. He’s telling everyone who wants to get something for nothing that he doesn’t have anything in the car they’d want. And yes, the car’s a 15-year-old Honda. The thieves pass his car and break the windows on the new BMW or Tesla with the $1,900 iPad on the seat. Or they go to the one with the windows open and the keys in it and drive away.

As a public service, I log into people’s little Belkin or Netgear Wi-Fi routers I find around and set the SSID to “PLEASE HACK ME” when they use the default (or no) login password.

So, for me, if someone wants to get into my HA setup, they'd need to be one of the several IPs I allow through my firewall. If they happened to be at my sister-in-law's house, they'd need to know the destination and port of my HA's SSL service, and they'd need to be able to guess the user and password, as I generate 24-byte random passwords and store them in a password management service.

And even if they did that and were able to open my garage door, I’d get an alert on my phone, and would have live video of the cameras in and around the house. I’d push the panic button on my alarm system via HA, and the police would come.

When you work in network security, and you visit a friend’s house you always think “how would I break into his network? I wonder if he has any fun stuff in the garage!” It’s an occupational hazard!

Regards,

-Ambi
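Ambi's setup above combines an IP allowlist with "keeping an eye on the HA logs for interesting inbound logins". The script below is an added example (not from the thread or the Home Assistant project) of the second half of that: it scans constructed log lines modelled on Home Assistant's failed-login warning and reports sources that are outside the allowlist or that fail repeatedly. The log wording, logger name, allowlist prefixes and threshold are all assumptions.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample lines modelled on the warning Home Assistant writes for a
# failed login; the exact wording and logger name are assumptions, not taken
# from the thread. Addresses are documentation ranges, not real hosts.
SAMPLE_LOG = """\
2019-03-02 10:14:01 WARNING (MainThread) [homeassistant.components.http.ban] Login attempt or request with invalid authentication from 203.0.113.7
2019-03-02 10:14:05 WARNING (MainThread) [homeassistant.components.http.ban] Login attempt or request with invalid authentication from 203.0.113.7
2019-03-02 10:14:09 WARNING (MainThread) [homeassistant.components.http.ban] Login attempt or request with invalid authentication from 203.0.113.7
2019-03-02 11:02:33 WARNING (MainThread) [homeassistant.components.http.ban] Login attempt or request with invalid authentication from 198.51.100.20
2019-03-02 12:00:00 INFO (MainThread) [homeassistant.components.http] Serving /auth/login_flow
"""

# Networks the owner expects logins from (home LAN, the phone carrier's range,
# a relative's house...). Placeholder prefixes; fill in your own.
ALLOWLIST = [ipaddress.ip_network(n) for n in ("198.51.100.0/24", "192.168.0.0/16")]

FAILED_RE = re.compile(r"invalid authentication from (\S+)")

def failed_logins(log_text):
    """Count failed-login warnings per source address."""
    counts = Counter()
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            counts[m.group(1).rstrip(".")] += 1
    return counts

def is_allowed(ip, allowlist=ALLOWLIST):
    """True when the address falls inside one of the allowlisted networks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in allowlist)

def interesting_sources(log_text, threshold=3, allowlist=ALLOWLIST):
    """Sources worth a look: anything outside the allowlist (which should have
    been dropped at the firewall), or repeated failures even from inside it."""
    out = {}
    for ip, n in failed_logins(log_text).items():
        allowed = is_allowed(ip, allowlist)
        if not allowed or n >= threshold:
            out[ip] = {"failures": n, "allowlisted": allowed}
    return out

if __name__ == "__main__":
    for ip, info in sorted(interesting_sources(SAMPLE_LOG).items()):
        print(ip, info)
```

An address that shows up here despite the firewall allowlist is the signal that the allowlist itself is wrong or being bypassed, which is the case Ambi's layered setup is meant to catch.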

Sure, you're right. But there are whitelist services you can subscribe to. I usually do this for companies, and the services tend to cost at least some amount of money. They're also available for particular firewall companies, perhaps most: Cisco, Juniper, Fortinet, Barracuda, Palo Alto, etc., etc.

I’d also suggest a separate firewall and Wi-Fi router in your house. Putting routing, firewall, and Wi-Fi in a single box is useful. But if attackers get into your setup, you’re totally hosed.

-Ambi

ARIN database :wink:


FYI this is something they can arrest you for and even toss some prison time on you for. You should stop doing this.

Without getting too much into the details: one of my previous projects was the target of a pretty legit DDoS attack, and from that experience... this view isn't exactly correct... all you need is a processor capable of making IP connection requests. It's not the power, it's the quantity.

Keep in mind: one of the largest botnets discovered thus far was running as a background process in a couple million IP cameras with... weak... firmware and no way to 'push' a firmware update.

Any ONE device/connection can be discovered, blocked, somehow mitigated... but when the attacks are coming... you can't block a geographic region when they're coming in globally.

(In my case, I got lucky… the ‘hacker’ (disgruntled ‘competitor’) got sloppy/greedy and used a large number of devices they had personal access to (university computer labs) which allowed me to leverage… in the end… I was able to take it up with the school directly…)

Point being… when it comes to DDoS… a device is a device is a device… you’re not after the processing power, you’re after the connection…


Perhaps. And perhaps this is an apocryphal telling of composite characters. Who’s to say?

But thank you for your advice, I shall keep it in mind!

Another here in favour of a guide, yes please!!
