I got hacked

the question is what “open” means in your case.

in my router and can’t “open” anything with an option like that.
i only have port forwarding and the forwarded ports are open, and others are not.

i suspect that “open” can also mean usable for port forwarding.

i guess you could check that by trying out your outside IP with a port that isn’t forwarded and see what happens.

Yes, I have seen a router where you need to open a port and then forward it (i.e. two steps), but it was able to be done individually per port.

Don’t know any other meaning of “open” in this situation. Once more, port mapping is always on, but when ports are closed - I can’t access domain.duckdns.org, when all are open - I can.
Sorry, could you be more precise about what I should try? Outside IP?
From outside of the local network I don’t use an IP with a port, just the domain. But in the configuration file there is a “base_url” and a port is written there. When I had the wrong port, I got the HA icon, but could not connect after entering the password.

outside ip is the ip from your router. (so the IP you gave to duckdns.)

so you could try in a browser
http://outside_ip:9934 and see what it gives you.

I have to call support to enable firewall changes, will try it later. Now all ports are closed and of course I get nothing by trying a random port.

Unless there is a service listening on 9934 that’s pointless. It won’t do anything

So, did I get the terminology right?
I should get another router where I can open only one port?

Not really sure. I don’t read Russian. Sorry.

I would.

isn’t that just the point?
if the port is “opened” but there is nothing there then you have an open door that goes to a brick wall.
i just wondered if “opening” all ports on the router would cause the router to do something with the ports that are not rerouted.
if not then i guess they are not “opened” but made available for routing.
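
The difference this exchange is circling (a port that answers, one that actively refuses, and one that is silently dropped) can be measured against your own router's outside IP from a connection outside your LAN. This is an added example, not part of any post in the thread; `probe` and `audit` are hypothetical helper names, and checking the SMB ports 139 and 445 alongside the forwarded port is an assumption based on the Samba discussion later in the thread.

```python
import errno
import socket
import sys

SMB_PORTS = (139, 445)  # assumption: NetBIOS session + SMB over TCP

def probe(host, port, timeout=3.0):
    """Classify one TCP port on host as 'open', 'closed' or 'filtered'."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        return "open"        # handshake completed: a service is listening
    except ConnectionRefusedError:
        return "closed"      # RST came back: reachable, nothing listening
    except (socket.timeout, TimeoutError):
        return "filtered"    # no answer at all: silently dropped
    except OSError as e:
        if e.errno in (errno.EHOSTUNREACH, errno.ENETUNREACH):
            return "filtered"
        raise
    finally:
        s.close()

def audit(host, forwarded, extra=SMB_PORTS, timeout=3.0):
    """Probe the forwarded ports plus extra ones.

    Returns (results, surprises): results maps port -> state, surprises
    lists ports that answered although you never meant to forward them.
    """
    ports = sorted(set(forwarded) | set(extra))
    results = {p: probe(host, p, timeout) for p in ports}
    surprises = [p for p, st in results.items()
                 if st == "open" and p not in forwarded]
    return results, surprises

if __name__ == "__main__":
    # usage: python portcheck.py <your-outside-ip> <forwarded-port> [...]
    # Run it from outside the LAN (e.g. a phone hotspot); probing your
    # outside IP from inside can give misleading results on some routers.
    host, forwarded = sys.argv[1], [int(p) for p in sys.argv[2:]]
    results, surprises = audit(host, forwarded)
    for port, state in results.items():
        print(f"{port}/tcp {state}")
    if surprises:
        print("unexpectedly reachable:", surprises)
```

A forwarded port with nothing listening behind it normally shows as `closed` or `filtered`, never `open`; any port listed as unexpectedly reachable is one the router is exposing without an explicit forward from you.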

This morning at 04:37 every device turned on, all lights full brightness which of course included the bedrooms!

I found that my system, which is firewalled, has a password and an SSL cert, had been hacked; an entry in a config file had been changed to “STOP SHARING SMB SHARES!”.

I’d recently done a wipe and re-install of hassio as I wanted to start from scratch with a nice clean system and I carefully only added in the bits I needed. When I was researching the issue I found that the Samba add-in has guest : true, so even though I had set a username and password, this was pointless. The next part of the puzzle was that my Cisco router had UPNP enabled and was happily broadcasting my guest SMB access.

Of course I closed the ports and turned off guest access but as a test I clicked to reset to default which to my utter horror sets guest to true. I’d advise everyone to check this setting in their Hassio Samba plugin or remove it completely.

This one thing (Samba guest access by default) is almost tipping me over the edge to give up with HA.

I’m no network security expert but even I know that it is absolutely unbelievable that a system that wants to be taken seriously has this. I’m getting bored with saying so and starting to worry what other kindergarten security steps have been missed.

FIX IT NOW. Please.

Guest access is not the problem, opening ports is causing the problem. Although I agree it should be off by default.

So don’t use SMB? I mean, it always seems that the common factor in these reports is SMB…you DON’T HAVE TO use it.

@sjee, @flamingm0e

You are both right. No question. (Emphasis to remind you I said that when you’ve finished reading this ;-))
But my point is and has been for weeks, that HA needs to try to make it difficult to screw up.

Especially for those using, and attracted to HA by hassio on a Pi.

Have you looked at the front page of the HA website? Anyone landing there would, firstly believe hassio and Pi was the only option and secondly believe it was almost a consumer level product. My argument is not that HA must (necessarily) make itself secure for the man in the street but don’t ‘sell’ it to the man in the street if he is going to have very serious potential problems.

HA can’t have it both ways. It DOES have a responsibility commensurate with how it ‘sells’ itself.

:wink:

I have been saying this since they decided hassio should be front and center, and the confusion surrounding the differences between hassio and the other installation methods. Home Assistant needs better ‘marketing’ AND better security implementations.

Today, right now, this minute, they need to change the default in the Samba plugin so that guest access is not enabled by default. - As simple as that.

Pretty easy to not use SMB even on a Hass.io box I would think, use WinSCP or something maybe if you want a file browser type thing for uploading files?

Why anyone would have UPnP running is beyond me, yes I know it’s enabled by default on many home routers, but turn that junk off! That does raise the question of why the samba component uses UPnP by default, that’s odd and needs to be turned off in case anyone turns guest mode on.

I do know a LOT of ISPs on the residential side block inbound and even outbound SMB ports. They’ve been doing that for years as back in the day people would just plug in their desktop computer to their cable modem, this was before a router or even WiFi was a thing.

I first came across the idea of using Syncthing when I was testing HASSIO last year.

I always mention it, but I don’t think anyone knows what it is.

There is/was an addon for Syncthing that would point to your config directory.

You install syncthing on your desktop/laptop, and you can edit your files LOCALLY on your computer, and they will sync automatically over to hassio. It is as simple as restarting hassio when you are done editing your configs.


That’s a friendly hacker there.

My setup is: UPNP disabled (it’s pure evil)

And the only port I have open on my router is one for OpenVPN which is hardened, uses 256 encryption, a non default port, strong cyphers and Google Authenticator for 2FA. (Would anyone like a guide on how to set this up?)

For someone to hack me they would need my 30 second rotated 2FA key, my cert password, my cert, my username and my password for that user.

I run OpenVPN at home because it not only allows me to get to HA but also lets me securely browse the web on public Wi-Fi, and access my whole LAN from anywhere in the world.

I think having a guide available would be beneficial. One for users who aren’t sure where to start and others (like me) who have done research to find the best way to secure everything to make sure they have set up their systems/environments correctly.
