Because a good chunk of people around here don’t know what a reverse proxy is? Or how to configure one?
Containers
All services are microservices if you ignore most of their features.
Because a good chunk of people around here don’t know what a reverse proxy is? Or how to configure one?
Guess I should stop assuming the Let’sEncrypt container they are using comes with nginx and fail2ban? Spoiled by how easy this was to setup; Docker
If you think about it, most people that have issues around here are running hassio. They didn’t set anything up manually, and the trend I have noticed in this forum and on reddit, is that a lot of people using Home Assistant don’t come from an IT background or play in this space much. Docker is a buzzword to most, and if the instructions are not laid out very succinctly, or in video form, it’s not likely they will venture into the realm of straight up Docker, manual installation, or reverse proxies.
I don’t want anyone to think I am putting those people down, it’s just something I have noticed.
Can you tell me more about Caddy And Hassio.
Did you use it only in local network?
How you connect form world to local HA Server?
It’s a reverse proxy. You use the same domain you have setup already.
I would be interested in a thread about pentesting your hass instance. Probably more people would like to see this.
All the unsecure MQTT users out there is quite a face palm as well
If you think about it, most people that have issues around here are running hassio. They didn’t set anything up manually, and the trend I have noticed in this forum and on reddit, is that a lot of people using Home Assistant don’t come from an IT background or play in this space much
This is issue.
HASS.io I think was intended to make install easy.
By default it should be secure as easy invites persons who may not have IT understanding needed to properly secure or even know what secure is. Basically, it should Just Work or have super amazing instructions so easy even a caveman can do it!!
Else you will see many people doing very risky things like exposing HA without password since it is not password by default.
I noticed some failed login attempts over the past few days.
I’m using caddy as reverse proxy and to add TLS, and I’m seeing in my HA log only the IP of my caddy instance, not the origin IP. Does anyone know how to configure caddy to pass the origin IP through to HA rather than its own IP?
If you think about it, most people that have issues around here are running hassio. They didn’t set anything up manually, and the trend I have noticed in this forum and on reddit, is that a lot of people using Home Assistant don’t come from an IT background or play in this space much. Docker is a buzzword to most, and if the instructions are not laid out very succinctly, or in video form, it’s not likely they will venture into the realm of straight up Docker, manual installation, or reverse proxies.
I don’t want anyone to think I am putting those people down, it’s just something I have noticed.
I have seen the same. There definitely does need to be a thread on exposing HA to the outside world. It isn’t just this app though I see it all the time where people don’t understand the risks of the port forwarding page on their router then don’t get me started on UPNP that is usually turned on by default on home routers.
There definitely does need to be a thread on exposing HA to the outside world.
I think it needs to be something someone is forced to read while setting up their HA instance. Especially HASSIO
I think it needs to be something someone is forced to read while setting up their HA instance. Especially HASSIO
Maybe this too much. Like TOS
Anyway they ignore it just the same. Some entry level networking quick start guide
I hopped on Shodan tonight and was able to connect to a number of different MQTT servers running alongside HASS. One of them even had all his security sensors running through it. I could have had a field day triggering his stuff if I had a mind to.
Who are you referring to?
I still can’t really understand was has happend here.
The message from the ‘friendly’ hacker mentioned open SMB shares and you confirmend that (for whatever reason) no SMB password was configured.
But there was no port forwarding for the corresponding ports. I remember that there was once a ISP in Germany that hadn’t filtered multicast packets like the netbios anouncments and basically built a giant LAN to all of there customers.
Is this something that could have happend here? Because otherwise I don’t see how the SMB shares were accessible?
BTW as I see this in the forum very often: SSL does nothing in terms of system security. It is only for transport security.
Enabling SSL does not make your home assistant installation more secure.
There is a scary number of open MQTT and SMB shares when you search “home assistant”
Just had a read through this post.
I have spent many a night going through the results on Shodan for Home Assistant.
https://www.shodan.io/search?query=homeassistant
The amount of people who have SMB enabled, but Guest access and no authentication.
Looking at them, I honestly can’t beleive that this is a “all the settings just magically reset” scenario.
I’ve contacted a few of the people (most of them end up having an email address in their config somewhere!) and letting them know. The craziest one was a guy that was about 5 miles from my house - (latitude and longitude were in the configuration.yaml lol)
The question here is how SMB traverses their router.
Surely it’s necessary to expose specific port (445?)/port range, right?
Basically everyone should check their IP on shodan
https://www.shodan.io/host/<IP>
(need to register)