I got hacked

So you need to check your router configuration.

Another possibility is to put your system back online and write a message to the ‘hacker’. Pretty sure he will be back :wink:

Your router may stop port scans. Some routers notice repeated scans on different ports and will stop responding, or the Shodan scanner IP may be on a block list being used. I have mine set up this way and although I have a port open I’ve never shown up on Shodan. It’s amazing how many scanners hit my IP a day.

@Dominic

Did you have the add-on to edit your files on the front end installed? Or did he get into your instance and install it?

Does your router have UPnP enabled? That can open and close ports at the request of a program.

It was an Apple AirPort Extreme with NAT-PMP.

Too many unknowns and maybes from the original user to truly figure out what happened. Responses have too many “maybe” and “possibly” to trust and take action on.

The only solution is to wait for the whitehat to post what he found, or wait for another occurrence from another user.

My feeling is this is user error.

@Dominic I don’t own an AirPort Extreme, but doesn’t it have a log you can check?

I would like to see setting up nginx + fail2ban geared to HA logins on a VM, also Home Assistant running on a Raspberry Pi (not on the same machine as the reverse proxy).
@flamingm0e hit it right on the head. I do not have reverse proxy experience (nginx experience) or Docker know-how. I’m a sysadmin but not a sysdevops person.
I picked up HA when it was an AIO install and kept adding things to it when I have time. Then changed to hassio.

I’ve seen some guides out there, but it’s always nginx running on the same machine as HA.
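The fail2ban-style banning asked for above, applied to Home Assistant’s “invalid authentication” log lines; this is an added example, not code from the thread or from Home Assistant. It assumes the wording of HA’s warning line (which has varied across versions) and uses constructed log lines, not real traffic:

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# ASSUMPTION: HA's warning line reads "Login attempt or request with invalid
# authentication from <ip>". In a fail2ban filter this same pattern is the
# failregex, with <HOST> in place of the (?P<ip>...) group.
FAILED_LOGIN = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) WARNING .*"
    r"Login attempt or request with invalid authentication from (?P<ip>\d+\.\d+\.\d+\.\d+)"
)

def find_bans(lines, maxretry=5, findtime_s=600):
    """Return {ip: time_of_ban} for IPs with >= maxretry failures inside a
    sliding findtime_s window (fail2ban's maxretry/findtime semantics).
    Only the first ban per IP is recorded; non-matching lines are ignored."""
    window = defaultdict(deque)   # ip -> timestamps of recent failures
    banned = {}
    for line in lines:
        m = FAILED_LOGIN.search(line)
        if not m:
            continue
        ts = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S")
        ip = m.group("ip")
        if ip in banned:
            continue
        q = window[ip]
        q.append(ts)
        while q and (ts - q[0]).total_seconds() > findtime_s:
            q.popleft()           # drop failures that fell out of the window
        if len(q) >= maxretry:
            banned[ip] = ts
    return banned

def _line(ts, ip):
    return (f"{ts} WARNING (MainThread) [homeassistant.components.http.ban] "
            f"Login attempt or request with invalid authentication from {ip}")

# Constructed sample: one IP fails 5 times in 4 minutes (should be banned),
# another fails 5 times an hour apart (never 5 inside a 10-minute window).
SAMPLE_LOG = (
    [_line(f"2024-05-01 10:0{i}:00", "203.0.113.9") for i in range(5)]
    + [_line(f"2024-05-01 1{i}:00:00", "198.51.100.4") for i in range(5)]
    + ["2024-05-01 12:30:00 INFO (MainThread) [homeassistant.components.http] ok"]
)

if __name__ == "__main__":
    for ip, when in find_bans(SAMPLE_LOG).items():
        print(f"ban {ip} at {when}")
```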

Well, the hacker came back, which was nice. He let me know that my system was nearly secure. It would be good if they made a throwaway account and let others know how they a) got in and found the system and b) did what they needed to do, so others can learn from it.

How did he let you know this???

You really should start all from scratch. That includes network setup and server setup. It is concerning that after 1 week someone is able to log in to your system and leave messages.

Meh, doesn’t bother me, it’s a fun game, and I am learning from it.

How were you contacted?

Also, please post the actions you have taken to mitigate this, so we may use them to determine the cause.

The “hacker” changed my group names in config. What I have done since the incident:
a) changed lots of passwords and double-checked all my two-factor auths.
b) removed all port routes except 443 and 8123; turned off NAT-PMP etc.
c) updated all passwords in config and secrets.
d) turned off Samba shares.


AirPort Extreme modded?
Did you rebuild the server or just make changes?

You cannot move forward unless you:
1. Reset the router and start fresh there (verify latest firmware).
2. Rebuild the server using no file copied from the old one.

You must assume the possibility that the person installed a hidden script that reopens any door you close. You also cannot trust any file from that machine. Your router is barely trustable, but a factory reset is likely fine here.

Please let us know your plans for moving forward.

Is the Samba password configuration stored in some sort of configuration storage external to the container? Because the container state is ephemeral; there is no persistent data inside a Docker container when it restarts. This is why you see docker run commands with all these -v options to mount external directories inside the container to provide persistent storage.

This is why I don’t use HASSIO - because I don’t want to run an appliance that cannot be easily modified. Docker containers are all about reusable, immutable images. So if the container you happen to find somewhere on the Internet doesn’t do what you want it to do, it’s difficult to modify. And it seems like maybe the Docker containers provided as part of HASSIO don’t have strong authentication in mind for samba (in this case) and you need to implement security and access control measures elsewhere.

No it’s not. You just build off images that exist or make your own.


Docker has its issues, but this is not quite one of them.
This is actually a symptom of its ease. Many do not understand its capabilities/limitations.

Make a Dockerfile that builds the container to your specs.
You could almost literally take the HA Python install instructions and build “FROM python”, adding in whatever you want. This is actually better/more secure than using a Docker Hub image from RandomDeveloper in many cases.

Also, to anyone posting about the Samba config changing: it occurs to me that you should check your -v mounts for Docker, if this is using Docker. It’s possible you mistakenly did not mount the config file and it gets destroyed on restarts or rebuilds. I have misspelled volume names in the past and done this, but did not discover it until rebuilding the server.
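The -v mount check suggested above, as an added example that is not code from the thread or from Home Assistant. It parses the JSON that `docker inspect <container>` prints and reports required paths that no bind mount or named volume covers; the required paths and the mistyped sample mount are assumptions for illustration:

```python
import json
import subprocess

# ASSUMPTION: paths whose contents must survive restarts/rebuilds. Adjust to
# the -v flags your own container is supposed to have.
REQUIRED_MOUNTS = {"/config", "/etc/samba/smb.conf"}

def missing_mounts(inspect_json, required=REQUIRED_MOUNTS):
    """Given the text output of `docker inspect <container>` (a JSON array),
    return the required destinations that are not a mount destination and
    not inside one, i.e. data living only in the ephemeral container layer."""
    mounted = set()
    for container in json.loads(inspect_json):
        for m in container.get("Mounts", []):
            mounted.add(m.get("Destination", "").rstrip("/"))
    covered = lambda path: any(
        path == d or path.startswith(d + "/") for d in mounted if d
    )
    return sorted(p for p in required if not covered(p))

def check_container(name):
    """Run docker inspect for a live container and return its missing mounts."""
    out = subprocess.run(["docker", "inspect", name],
                         capture_output=True, text=True, check=True).stdout
    return missing_mounts(out)

# Constructed sample (no real container): the operator typed
# -v /srv/ha/confg:/confg, so /config is NOT persisted, while /etc/samba is.
SAMPLE_INSPECT = json.dumps([{
    "Name": "/homeassistant",
    "Mounts": [
        {"Type": "bind", "Source": "/srv/ha/confg", "Destination": "/confg", "RW": True},
        {"Type": "volume", "Name": "samba_etc", "Destination": "/etc/samba", "RW": True},
    ],
}])

if __name__ == "__main__":
    print("unmounted:", missing_mounts(SAMPLE_INSPECT))
```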

Yes, this is very true, but it is hardly the typical use case for someone using hass.io. I think the targeted segment is the “appliance” user, not the software developer.

You were talking about random Docker images from the internet, not hassio.

It’s a bit sad to see that the cause of this incident will likely remain unidentified.

It could have been a simple user configuration mistake, a bug in the add-on or something completely else. But since Dominic didn’t bother answering the questions, this is where it ends, and the community / the project will not advance.

Righto… I’m pretty sure I have answered all questions… what are you missing? Or do you need a cuddle? @TFA


How about these?