I got hacked

A VPN is useful, but for, say, Google Assistant (the component) it's not going to work.

I’m really just questioning the paranoia regarding the Samba username and password. If it’s not on an open port, I’m not seeing the issue.

2 Likes

That’s what I thought.

Well, how did they get in? On which port? No username/password isn’t enough for outside intrusion.

That’s what has me stumped.

What ports in your router have you forwarded to HA?

80, 8123, 443 and then some Steam ports. I had SSL and an API password, Let’s Encrypt and DuckDNS.

Just checked mine. Still has the password set.

Considering you are the second person this has happened to this week, it seems like some nice guy is pointing out HA instances with security flaws to the owner.

2 Likes

Who else got done? It feels like it is someone on this forum doing it.

@Dominic I’ve worked my way through many of the ssl addons and methods and my favorite so far is the Caddy addon for its ease of use and configuration. It’s an Nginx-like webserver with a slightly simpler configuration. This particular addon uses a Caddyfile just like a traditional Caddy setup would.

This is the repo https://github.com/korylprince/hassio-caddy/tree/master/caddy

You can read more about Caddy here https://caddyserver.com/

Benefits:

  • SSL for your HA domain and other add-ons, or subdomains for your add-ons
  • as with Nginx, everything comes through 443 (you could change that to something else too).
  • no need to forward all those other ports in your router.
  • easily proxy ports for other servers on your network (for me…ombi, plex, ubooquity, etc)
  • it’s all ssl and handled by caddy, so you don’t configure the ssl settings and certificates in the individual addons.
  • You get to use http://local-ip:8123 again wherever you want or need to use it, like node-red for example. Whereas with duckdns + le, everything has to use https://, and you get the cert warning business in the browsers…blech

Cons:

  • I don’t know a whole lot about proxying and there are probably other flags to be used to make things more secure.

This is the addon config:

{
  "flags": [
    "-agree",
    "-email",
    "[email protected]"
  ]
}

Here’s my caddyfile:

## home assistant
my-domain.com {
    proxy / localhost:8123 {
        websocket
        transparent
    }
}

## node-red on the pi3
node.my-domain.com {
    proxy / localhost:1880 {
        websocket
        transparent
    }
}

## configurator on the pi3
config.my-domain.com {
    proxy / localhost:3218 {
        websocket
        transparent
    }
}

## sonarr on another pc
sonarr.my-domain.com {
    proxy / 192.168.1.201:8989 {
        websocket
        transparent
    }
}

## ombi on another pc
ombi.my-domain.com {
    proxy / 192.168.1.201:3579 {
        websocket
        transparent
    }
}

It works great so far. None of these ports show as open when using a scanning tool online. I migrated from a pi3 to a VM with a different local ip and didn’t have to change a thing for Caddy.

If anyone has questions or things to teach me, hit me up here or in discord!

6 Likes
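The Caddyfile in the post above is easy to eyeball, but it is just as easy to drop `transparent` from one block, point a label at a file root instead of a proxy, or forget which router port the labels actually imply. As an added example (not code from the original post, from the Caddy project or from the add-on), here is a small Python parser for the Caddy v1 site-block and `proxy` syntax used in the thread, followed by an audit of each block and the listening port each label binds to. The sample Caddyfile, the host names and the upstream addresses inside it are constructed for the example.

```python
from typing import Dict, List, NamedTuple, Optional


class Site(NamedTuple):
    host: str                # the site label, e.g. "sonarr.my-domain.com"
    path: str                # path prefix handed to the proxy directive ("" if none)
    upstream: Optional[str]  # "host:port" handed to proxy, None if the block does not proxy
    websocket: bool          # `websocket` sub-directive present
    transparent: bool        # `transparent` sub-directive present


# Constructed sample in the same shape as the posted Caddyfile; hosts, upstream
# addresses and ports are hypothetical.
SAMPLE_CADDYFILE = """
## home assistant
my-domain.com {
    proxy / localhost:8123 {
        websocket
        transparent
    }
}

## sonarr on another pc (transparent deliberately left out)
sonarr.my-domain.com {
    proxy / 192.168.1.201:8989 {  # trailing comment, should be ignored
        websocket
    }
}

## a label that is not a proxy at all
static.my-domain.com {
    root /var/www
}
"""

LOOPBACK = ("localhost", "127.0.0.1", "[::1]")


def _strip(line: str) -> str:
    """Drop a trailing # comment and surrounding whitespace from one line."""
    return line.split("#", 1)[0].strip()


def parse_caddyfile_v1(text: str) -> List[Site]:
    """Parse site blocks and their `proxy` directives from Caddy v1 syntax.

    Handles the layout used in the thread: one label per block, an optional
    `proxy <path> <upstream> { ... }` directive, and bare sub-directive words
    such as `websocket` and `transparent`. Other directives are skipped.
    """
    sites: List[Site] = []
    depth = 0
    in_proxy = False
    host = path = ""
    upstream: Optional[str] = None
    websocket = transparent = False

    for raw in text.splitlines():
        line = _strip(raw)
        if not line:
            continue
        if depth == 0:
            if line.endswith("{"):              # "label {" opens a site block
                host = line[:-1].strip()
                path, upstream = "", None
                websocket = transparent = in_proxy = False
                depth = 1
        elif depth == 1:
            if line == "}":                     # site block closed
                sites.append(Site(host, path, upstream, websocket, transparent))
                depth = 0
                continue
            if line.startswith("proxy "):
                parts = line.rstrip("{").split()
                if len(parts) >= 3:
                    path, upstream = parts[1], parts[2]
                in_proxy = True
            else:
                in_proxy = False                # some other directive (tls, root, ...)
            if line.endswith("{"):              # directive with a nested block
                depth = 2
        elif depth == 2:
            if line == "}":
                depth = 1
            elif in_proxy and line == "websocket":
                websocket = True
            elif in_proxy and line == "transparent":
                transparent = True
    return sites


def audit(sites: List[Site]) -> Dict[str, List[str]]:
    """Return, per site label, the points a reviewer would raise about its block."""
    findings: Dict[str, List[str]] = {}
    for s in sites:
        notes: List[str] = []
        if s.upstream is None:
            notes.append("no proxy directive: Caddy serves this label itself")
        else:
            if not s.websocket:
                notes.append("websocket missing: the HA frontend and API use websockets")
            if not s.transparent:
                notes.append("transparent missing: upstream sees Caddy's address, not the "
                             "client's, so its own logs and IP bans are blind")
            if s.upstream.rsplit(":", 1)[0] not in LOOPBACK:
                notes.append(f"upstream {s.upstream} is another host: Caddy talks plain "
                             "HTTP to it across the LAN")
        findings[s.host] = notes
    return findings


def listen_port(label: str) -> int:
    """Port a Caddy v1 site label binds to: explicit :port, http:// -> 80, else 443."""
    if label.startswith("http://"):
        label = label[len("http://"):]
        tail = label.rsplit(":", 1)[-1]
        return int(tail) if tail.isdigit() else 80
    if label.startswith("https://"):
        label = label[len("https://"):]
    tail = label.rsplit(":", 1)[-1]
    return int(tail) if tail.isdigit() else 443   # automatic HTTPS for bare hostnames


def router_ports_needed(sites: List[Site]) -> List[int]:
    """The distinct ports the router must forward for these labels to be reachable."""
    return sorted({listen_port(s.host) for s in sites})


if __name__ == "__main__":
    parsed = parse_caddyfile_v1(SAMPLE_CADDYFILE)
    for host, notes in audit(parsed).items():
        print(host, "->", notes or ["ok"])
    print("router ports needed:", router_ports_needed(parsed))
```

With the thread's real Caddyfile the audit is empty for every block and the router list collapses to `[443]`, which is the whole point of the setup: one forwarded port, and each service behind it still exposed only on its own hostname.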

@Mutant_Tortoise

I have been Hacked

Just for the record, I DID have a Samba password set and at some point it got unset with everything (Samba) set to the defaults. I haven’t looked at the Samba add-on since setting it up originally and I have the password I used in my password store which is as good evidence as I can provide to show that it was once set.

I have in the past restored snapshots, both full and partial (config only). Could that be relevant?

I have no signs of being hacked or ‘intruded’ or whatever you want to call it and I have strong passwords on everything else (and Samba again now!).

It is worrying though.

1 Like

Every port that is forwarded from the router should have a password.

^^^ this. I’d also add that not every port should be forwarded. I can see why you need to forward port 443 on your router, but I’m not sure why you need to forward any other ports.

2 Likes

Well, if you want to run the terminal and configurator add-ons. And I also don’t forward 443 - I forward 8123.

Funny thing as well… My coffee maker (connected to a Sonoff running Tasmota and controlled by MQTT in HA) turned on at 3am this morning and I thought I might have been hacked… But it turns out my router automatically upgraded its firmware and restarted, and after the restart for some reason the switch got triggered! The other switch (exactly the same) stayed off…

1 Like

What about MQTT? Don’t you need a port open for that?

Well that depends on whether you need to access your mqtt server from outside your LAN.

Ah OK, yes, I use OwnTracks.

It works well for me but I’d rather not be using it simply because of the extra open port.

No, because it’s running in a Hass.io add-on… I don’t access it externally.

Not a Hass.io pro here at all, I have only run it a few times to see it on a spare Pi3. I have my own Docker stack of various things going on my unRAID media server. I’m using Let’s Encrypt for a reverse proxy and you can only get into the HA app via 443. I don’t have 8123 forwarded outside, nor do I have port 80, except for when I need to renew my cert for the challenge request on 80. Why do you need to forward 8123 when you can just pass it through the reverse proxy as intended?

I do wish we could set an alternative home path for HA instead of just the root, like many other apps, though. It would add another piece to the puzzle for someone to figure out, as they couldn’t just go to mycool.duckdns.org; they would have to know to go to mycool.duckdns.org/SuperCOOLzHomeAutomation or something like that, combined with some random user name and random password. It’s a little bit of security by obscurity, but that last piece of the random user and password should stop things.