I thought I was hacked, but ended up with a topic full of useful information

Haven't been able to read the whole thread, so sorry if this is redundant.

Rene, I'm sorry to hear about that, you're good people.

Do you use VLANs? I have a separate VLAN that includes all my IoT and HA stuff, that way if I am hacked they can only play with that crap. But I still have no issues accessing it from my LAN.

I also use Tasker so as soon as my phone drops off my home wifi it connects via OpenVPN. I still have full access to everything without having to expose anything. My OpenVPN requires a certificate…there are only two certs, one for my phone and one for my MacBook.

stay safe buddy


thx. I created a VPN and have my phone in it now. I lose some flexibility but I don't need that a lot (only when I go on holiday or so, which is about once in 2 years :wink: )

When it comes to network security, an ounce of paranoia is never a bad thing.

In other words, I would first try OpenVPN and have it connect to your home network before I open up Home Assistant with Let’s Encrypt as a last resort with password authentication. Use a password manager to generate a very strong password if possible. But I still won’t open up Home Assistant even with strong password and TLS. That’s where an ounce of paranoia comes in.

How do you feel about using port knocking as an additional layer of security? I know anyone on the same network can eavesdrop on your combination, but it makes it harder for anyone else to even know what services you are running.

@ReneTode - seems to me that if you were hacked (I'm OK with the assumption that you were for now, although I wouldn't go as far as 100% - maybe 99% :wink:) - the choke point is nginx, so you're certain you've thoroughly been through the logs? Other users have said it will absolutely log all activity. Could this actually be a Z-Wave/HA glitch in your case? Not Keith's, given the TTS message of course - but his system was actually open, vs. yours.

Reason for my interest in this thread is that I’m new to HA, just experimenting with it in prep for moving in to my house when it’s finished being re-built… I was planning on exposing HA to the internet so I can control things via my phone, turn on driveway lights / open garage door as I get home etc. I’m more familiar with haproxy than I am nginx and don’t really want to go down the VPN path (not so smooth on iOS!).

Would be awesome to get to a root cause here…

Stay safe folks…
(if I can’t get comfortable with HA, I may revert to exploring openHAB)

I know I have tried to change the way nginx is logging in the past, because I wanted an easier way to read it after a few days.
But because I have too little knowledge of nginx I didn't succeed. I might have broken the logging in the process. I am trying to find that out now in the hope of finding more info.

Because of the delays between the actions and the type of actions I am 100% sure this can't be a HA glitch, and I don't have Z-Wave :wink:

I would love to have more evidence of what happened.
Today I did read through my router logs again, but too bad, nothing of that kind gets recorded there either.
But it did show me that no strange devices were logged on, so it wasn't a LAN/wifi breach.
So I am back to checking in nginx why there is nothing.

Until now I am the only one without open ports or other config failures. And I have used HA for a very long time now and I am pretty dedicated to it, so it's important for me too.

I am also wondering if I didn't somehow reveal my password when I shared stuff on the forum, but I have always been very careful with that.

…I assume your password was suitably "complex"? There was a question about brute-force, but again, this would appear in logs per request - unless the password hash could be retrieved.

So, if we work on the assumption they had your password, where does HA store the password hash? Of course, I’m assuming it IS encrypted - if so, with what algorithm - or is it plain text in a file???

It wasn't an easy to guess pw, but it wasn't as complex as it should have been.

I have no idea where HA stores the password in any other way than in the config,
and I have history set to off, so there is probably nothing logged at any place at all.

yeah, taking “guess” out of the equation, was it dictionary based? Or likely a common password?

I used hashcat a few months ago to smash an Excel password based on a downloaded dictionary of passwords - took 2 mins on a laptop PC for a password that was a word (actually a surname) with numeric replacements.

So question remains - is HA’s password file exposed somehow…?

It was based on the first characters from a short sentence with capitals and numbers.
Nothing common and nothing you would guess.
But no special characters and no non-capital characters, so not complicated enough.

GitHub repo? Exposed config?

…more like, is it possible to “hack” a HA instance to get the password? Especially when configured per Rene’s system.

If someone uploads their config to github with their pw file in, then at least we’d know the source instead of looking for a weakness in HA itself.

@ReneTode
Have you ever stored your API password on a service like IFTTT or Stringify for WebHooks/Maker?? It could be possible that those services were compromised? Have you backed up your config to Dropbox, OneDrive etc?

Do you use common passwords for all your online accounts or different passwords for different accounts?

Drop your email address in here to see if you have ever been the victim of a data breach: https://haveibeenpwned.com/

What kind of IoT devices do you use Rene?

Just been digging through Shodan a bit - it's quite scary how many people there are out there with HA installations sitting on the internet without even a password in place

I actually felt guilty being able to click on the links and see them open. Luckily, I'm not the sort of person to abuse this - if people are reading this - please check your external IP address via your mapped ports and make sure you aren't leaving your HA setup open to the world to do damage.

(Worse still, many have Samba open with their homeassistant directory visible, which is a very basic search to do also!) :open_mouth:


Great. Free passwords and API keys. :man_facepalming:

@BrendanMoran I never used IFTTT or Stringify. I don't use cloud storage in any way.
I use different passwords for every different account.
I also use different email accounts for every online account.

@RitteT I use a lot of different things. The devices that were switched on were:
lights on old style 433 MHz switches (custom component)
LimitlessLED lights
Broadlink RM Pro switches

Hello everybody, very interesting discussion.

I'm a total noob about security, and I have a question.
I have just searched for my public IP on Shodan, and it shows this data:

22
tcp
ssh
OpenSSHVersion: 4.2

SSH-1.99-OpenSSH_4.2
Key type: ssh-rsa
Key: *******************************************[deleted by me now]
Fingerprint:[deleted by me now]

Kex Algorithms:
diffie-hellman-group-exchange-sha1
diffie-hellman-group14-sha1
diffie-hellman-group1-sha1

Server Host Key Algorithms:
ssh-rsa
ssh-dss

Encryption Algorithms:
aes128-cbc
3des-cbc
blowfish-cbc
cast128-cbc
arcfour128
arcfour256
arcfour
aes192-cbc
aes256-cbc
rijndael-cbc@lysator.liu.se
aes128-ctr
aes192-ctr
aes256-ctr

MAC Algorithms:
hmac-md5
hmac-sha1
hmac-ripemd160
hmac-ripemd160@openssh.com
hmac-sha1-96
hmac-md5-96

Compression Algorithms:
none
zlib@openssh.com

What does this mean? Is it a security issue? How can I solve it?

@ReneTode is it possible that any of your IoT devices got hacked and they got LAN access?

That's why it's important to use VLANs.

Not sure, but it looks like SSH port 22 is on the internet.
Not sure what device that is, but I am sure you probably don't want that.

Didn’t look beyond that

Make sure UPnP is not on on your router and don't forward port 22.
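An added example, not from the thread, that reads a Shodan record like the one pasted above and flags the settings a current OpenSSH no longer offers by default (SSH-1 compatibility, SHA-1 key exchange, DSA host keys, RC4 and CBC ciphers, MD5 and truncated MACs); the sample is a constructed, trimmed copy of that record, and the weak-algorithm patterns are this example's own choice.

```python
import re

# Constructed sample: a trimmed copy of the Shodan record pasted in the thread.
SAMPLE = """SSH-1.99-OpenSSH_4.2
Kex Algorithms:
diffie-hellman-group14-sha1
diffie-hellman-group1-sha1
Server Host Key Algorithms:
ssh-rsa
ssh-dss
Encryption Algorithms:
aes128-cbc
arcfour
aes128-ctr
MAC Algorithms:
hmac-md5
hmac-sha1-96
"""

# Algorithms that current OpenSSH disables by default or that are widely treated as weak.
WEAK = {
    "Kex Algorithms": [r"-sha1$"],
    "Server Host Key Algorithms": [r"^ssh-dss$"],
    "Encryption Algorithms": [r"^arcfour", r"-cbc$"],
    "MAC Algorithms": [r"^hmac-md5", r"-96$"],
}

def parse_record(text):
    """Split the pasted text into the banner line and {section: [algorithms]}."""
    banner, sections, current = None, {}, None
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("SSH-"):
            banner = line
        elif line.endswith(":"):
            current = sections.setdefault(line[:-1], [])
        elif line and current is not None:
            current.append(line)
    return banner, sections

def find_weak(text):
    """Return human-readable findings; an empty list means nothing was flagged."""
    banner, sections = parse_record(text)
    findings = []
    if banner and banner.startswith("SSH-1.99"):
        findings.append("banner: SSH-1.99 means protocol 1 is still negotiable")
    for section, patterns in WEAK.items():
        for algo in sections.get(section, []):
            if any(re.search(p, algo) for p in patterns):
                findings.append(f"{section}: {algo}")
    return findings
```

Any finding here is a reason to take port 22 off the internet (or at least update the device), not a tuning exercise on a 2005-era sshd.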