I got hacked

Because a good chunk of people around here don’t know what a reverse proxy is? Or how to configure one?

Guess I should stop assuming the Let’s Encrypt container they are using comes with nginx and fail2ban? Spoiled by how easy this was to set up; Docker.

1 Like

If you think about it, most people that have issues around here are running hassio. They didn’t set anything up manually, and the trend I have noticed in this forum and on reddit is that a lot of people using Home Assistant don’t come from an IT background or play in this space much. Docker is a buzzword to most, and if the instructions are not laid out very succinctly, or in video form, it’s not likely they will venture into the realm of straight-up Docker, manual installation, or reverse proxies.

I don’t want anyone to think I am putting those people down, it’s just something I have noticed.

3 Likes

Can you tell me more about Caddy and Hassio?
Did you use it only on the local network?
How do you connect from the outside world to the local HA server?

It’s a reverse proxy. You use the same domain you have set up already.

I would be interested in a thread about pentesting your hass instance. Probably more people would like to see this.

1 Like

All the unsecured MQTT users out there are quite a facepalm as well :frowning:

This is the issue.

HASS.io, I think, was intended to make installation easy.
By default it should be secure, as easy invites people who may not have the IT understanding needed to properly secure it, or even know what secure is. Basically, it should Just Work or have super amazing instructions so easy even a caveman can do it!!

Otherwise you will see many people doing very risky things like exposing HA without a password, since it has no password by default.

1 Like

I noticed some failed login attempts over the past few days.
I’m using caddy as a reverse proxy and to add TLS, and I’m seeing in my HA log only the IP of my caddy instance, not the origin IP. Does anyone know how to configure caddy to pass the origin IP through to HA rather than its own IP?
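The post above asks how to get the origin IP instead of the proxy's IP into the HA log. There are two halves to that: the proxy has to add an `X-Forwarded-For` header (Caddy's `reverse_proxy` directive does this by default in Caddy v2), and the application has to honour it, but only when the request really came through the proxy, because otherwise anyone connecting directly can write any IP they like into that header and defeat IP-based logging and banning. Home Assistant exposes this through the `use_x_forwarded_for` and `trusted_proxies` options of its `http:` integration. The following is an added example, not code from Home Assistant or Caddy, that shows the logic those two options implement; `client_ip`, `TRUSTED_PROXIES` and the `SAMPLE_REQUESTS` list are constructed for the illustration.

```python
"""Resolve the real client IP behind a reverse proxy, but only when the
X-Forwarded-For header arrived from a proxy we actually trust.

Added example for this thread (not Home Assistant or Caddy code). It mirrors
the behaviour behind HA's `use_x_forwarded_for` + `trusted_proxies` options.
"""
import ipaddress
from typing import List, Optional, Sequence, Tuple

# Constructed assumption: the proxy (Caddy) runs on the same host as HA,
# so only loopback is trusted to set X-Forwarded-For.
TRUSTED_PROXIES = ["127.0.0.1", "::1"]


def client_ip(peer_ip: str, x_forwarded_for: Optional[str],
              trusted_proxies: Sequence[str] = TRUSTED_PROXIES) -> str:
    """Return the address that should be logged / rate-limited / banned.

    peer_ip         - the TCP peer that connected to HA (proxy or client)
    x_forwarded_for - raw header value, e.g. "203.0.113.7, 10.0.0.5"
    """
    trusted = [ipaddress.ip_network(p, strict=False) for p in trusted_proxies]
    peer = ipaddress.ip_address(peer_ip)

    # Direct connection from something that is not a trusted proxy: the header
    # could have been typed by the client itself, so ignore it and log the peer.
    if not any(peer in net for net in trusted):
        return peer_ip
    if not x_forwarded_for:
        return peer_ip

    # Each proxy appends to the header: "client, proxy1, proxy2". Walk from the
    # right, skip hops that are themselves trusted proxies; the first untrusted
    # hop is the origin.
    hops = [h.strip() for h in x_forwarded_for.split(",") if h.strip()]
    for hop in reversed(hops):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            return peer_ip  # malformed header: fall back to the peer
        if not any(addr in net for net in trusted):
            return str(addr)
    return peer_ip


# Constructed requests as (peer_ip, X-Forwarded-For header) pairs.
SAMPLE_REQUESTS: List[Tuple[str, Optional[str]]] = [
    ("127.0.0.1", "203.0.113.7"),             # via Caddy: real client
    ("127.0.0.1", "203.0.113.7, 127.0.0.1"),  # Caddy behind another local hop
    ("198.51.100.9", "10.0.0.1"),             # direct hit with a spoofed header
    ("127.0.0.1", None),                      # proxy did not set the header
]


def resolve_all(requests=SAMPLE_REQUESTS) -> List[str]:
    """Resolve every sample request to the IP that belongs in the HA log."""
    return [client_ip(peer, xff) for peer, xff in requests]


if __name__ == "__main__":
    for (peer, xff), ip in zip(SAMPLE_REQUESTS, resolve_all()):
        print(f"peer={peer:<14} xff={xff!r:<28} -> log {ip}")
```

The third sample is the case that matters for security: a client that reaches HA directly (no proxy in between) and supplies its own `X-Forwarded-For` is logged under its real peer address, so the IP ban and login-attempt counters cannot be pointed at someone else's address. If HA is only reachable through the proxy (bound to localhost, or firewalled), that case cannot occur, but the trusted-proxy check costs nothing and protects you if that ever changes.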

I have seen the same. There definitely does need to be a thread on exposing HA to the outside world. It isn’t just this app though; I see it all the time where people don’t understand the risks of the port forwarding page on their router, and don’t get me started on UPnP, which is usually turned on by default on home routers.

1 Like

I think it needs to be something someone is forced to read while setting up their HA instance. Especially HASSIO.

Maybe this is too much. Like a TOS.
Anyway, they ignore it just the same. Some entry-level networking quick start guide.

I hopped on Shodan tonight and was able to connect to a number of different MQTT servers running alongside HASS. One of them even had all his security sensors running through it. I could have had a field day triggering his stuff if I had a mind to.

Who are you referring to?

@nickrout No clue whose it was. It was just an IP.

I still can’t really understand what has happened here.
The message from the ‘friendly’ hacker mentioned open SMB shares and you confirmed that (for whatever reason) no SMB password was configured.
But there was no port forwarding for the corresponding ports. I remember that there was once an ISP in Germany that hadn’t filtered multicast packets like the NetBIOS announcements and basically built a giant LAN to all of their customers.

Is this something that could have happened here? Because otherwise I don’t see how the SMB shares were accessible?

BTW as I see this in the forum very often: SSL does nothing in terms of system security. It is only for transport security.

Enabling SSL does not make your home assistant installation more secure.

There is a scary number of open MQTT and SMB shares when you search “home assistant”

Just had a read through this post.
I have spent many a night going through the results on Shodan for Home Assistant.
https://www.shodan.io/search?query=homeassistant

The amount of people who have SMB enabled, but with Guest access and no authentication.
Looking at them, I honestly can’t believe that this is an “all the settings just magically reset” scenario.

I’ve contacted a few of the people (most of them end up having an email address in their config somewhere!) and let them know. The craziest one was a guy that was about 5 miles from my house (latitude and longitude were in the configuration.yaml lol).

2 Likes

The question here is how SMB traverses their router.
Surely it’s necessary to expose a specific port (445?) or port range, right?

Basically everyone should check their IP on shodan
https://www.shodan.io/host/<IP>
(need to register)
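Shodan shows what the outside world sees. The same question can be answered from the inside, which also settles the point raised earlier about how SMB traverses the router: a service bound to every interface is reachable from the LAN, but it only becomes internet-facing if a port-forward (or a UPnP mapping) points at it. The following is an added example, not a Home Assistant, Samba or Mosquitto tool, that parses `ss -ltn` style output and combines it with the set of ports forwarded on the router; the listing, the forwarded-port set and the `KNOWN_SERVICES` table are constructed for the illustration.

```python
"""Audit which services a host is listening on and which of them a router
port-forward would expose to the internet.

Added example for this thread; not code from Home Assistant, Samba or
Mosquitto. Parses `ss -ltn` style text (constructed sample embedded below so
it runs offline) and combines it with the ports forwarded on the router.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple

# Ports this thread keeps coming back to, plus a few that usually sit beside them.
KNOWN_SERVICES: Dict[int, str] = {
    22: "SSH",
    139: "SMB/NetBIOS session",
    443: "HTTPS (reverse proxy)",
    445: "SMB",
    1883: "MQTT (plaintext)",
    8123: "Home Assistant",
    8883: "MQTT over TLS",
}

# Bind addresses that mean "every interface on this host".
WILDCARD_BINDS = {"0.0.0.0", "*", "[::]", "::"}

# Constructed sample of `ss -ltn` output from a hypothetical hassio box.
SAMPLE_SS_OUTPUT = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port  Process
LISTEN  0       50      0.0.0.0:445          0.0.0.0:*
LISTEN  0       50      [::]:445             [::]:*
LISTEN  0       128     0.0.0.0:1883         0.0.0.0:*
LISTEN  0       128     127.0.0.1:8123       0.0.0.0:*
LISTEN  0       128     *:443                *:*
LISTEN  0       128     0.0.0.0:22           0.0.0.0:*
"""

# Constructed router state: WAN ports forwarded to this host.
SAMPLE_FORWARDED_PORTS = {443, 1883}


@dataclass(frozen=True)
class Finding:
    port: int
    bind: str
    service: str
    exposure: str  # "internet", "lan" or "local"


def parse_ss(output: str) -> List[Tuple[str, int]]:
    """Return (bind_address, port) pairs for every LISTEN row of `ss -ltn`."""
    sockets = []
    for line in output.splitlines()[1:]:        # skip the header row
        cols = line.split()
        if len(cols) < 4 or cols[0] != "LISTEN":
            continue
        addr, _, port = cols[3].rpartition(":")  # also splits "[::]:445"
        sockets.append((addr, int(port)))
    return sockets


def classify(bind: str, port: int, forwarded: Iterable[int]) -> str:
    """Loopback bind -> local; wildcard bind -> lan, or internet if forwarded."""
    if bind not in WILDCARD_BINDS:
        return "local"
    return "internet" if port in set(forwarded) else "lan"


def audit(output: str = SAMPLE_SS_OUTPUT,
          forwarded: Iterable[int] = SAMPLE_FORWARDED_PORTS) -> List[Finding]:
    """One finding per listening socket, widest exposure first."""
    order = {"internet": 0, "lan": 1, "local": 2}
    findings = [
        Finding(port, bind, KNOWN_SERVICES.get(port, "unknown"),
                classify(bind, port, forwarded))
        for bind, port in parse_ss(output)
    ]
    return sorted(findings, key=lambda f: (order[f.exposure], f.port))


def internet_facing_plaintext(findings: List[Finding]) -> List[Finding]:
    """The cases this thread warns about: SMB or plaintext MQTT reachable from the WAN."""
    return [f for f in findings
            if f.exposure == "internet" and f.port in (139, 445, 1883)]


if __name__ == "__main__":
    results = audit()
    for f in results:
        print(f"{f.exposure:<8} {f.bind:>10}:{f.port:<5} {f.service}")
    for f in internet_facing_plaintext(results):
        print(f"!! {f.service} on port {f.port} is reachable from the internet")
```

In the constructed sample the SMB listeners are flagged `lan` only, because nothing forwards 445, which is the situation the earlier post found puzzling; the plaintext MQTT listener, by contrast, is both bound to every interface and forwarded, and is the one finding that would also show up on Shodan. Run it on a real box by replacing the sample with the actual `ss -ltn` output and the forwarded ports from the router's port-forwarding page (and any UPnP mappings it lists).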