Haven't been able to read the whole thread so sorry if this is redundant.
Rene, I'm sorry to hear about that, you're good people.
Do you use VLANs? I have a separate VLAN that includes all my IoT and HA stuff, that way if I am hacked they can only play with that crap. But I still have no issues accessing it from my LAN.
I also use Tasker so as soon as my phone drops off my home wifi it connects via OpenVPN. I still have full access to everything without having to expose anything. My OpenVPN requires a certificate…there are only two certs, one for my phone and one for my MacBook.
thx. I created a VPN and have my phone in it now. I lose some flexibility but I don't need that a lot (only when I go on holiday or so, which is about once in 2 years).
When it comes to network security, an ounce of paranoia is never a bad thing.
In other words, I would first try OpenVPN and have it connect to your home network before I open up Home Assistant with Let’s Encrypt as a last resort with password authentication. Use a password manager to generate a very strong password if possible. But I still won’t open up Home Assistant even with strong password and TLS. That’s where an ounce of paranoia comes in.
How do you feel about using port knocking as an additional layer of security? I know anyone on the same network can eavesdrop on your combination, but it makes it harder for anyone else to even know what services you are running.
@ReneTode - seems to me that if you were hacked (I’m ok with the assumption that you were for now, although wouldn’t go as far as 100% - maybe 99%) - but the choke point is nginx, so you’re certain you’ve thoroughly been through the logs? Other users have said it will absolutely log all activity. Could this actually be a z-wave/HA glitch in your case? Not Keith’s given the TTS message of course - but his system was actually open, vs. yours.
Reason for my interest in this thread is that I’m new to HA, just experimenting with it in prep for moving into my house when it’s finished being re-built… I was planning on exposing HA to the internet so I can control things via my phone, turn on driveway lights / open garage door as I get home etc. I’m more familiar with haproxy than I am with nginx and don’t really want to go down the VPN path (not so smooth on iOS!).
Would be awesome to get to a root cause here…
Stay safe, folks…
(if I can’t get comfortable with HA, I may revert to exploring openHAB)
I know I have tried to change the way nginx is logging in the past, because I wanted an easier way to read it after a few days.
But because I have too little knowledge of nginx I didn't succeed. I might have broken the logging in the process. I am trying to find that out now in the hope of finding more info.
Because of the delays between the actions and the type of actions I am 100% sure this can't be a HA glitch, and I don't have z-wave.
I would love to have more evidence of what happened.
Today I did read through my router logs again. But too bad, nothing of that kind gets recorded there either.
But it did show me that no strange devices were logged on. So it wasn't a LAN/wifi breach.
So I am back to checking in nginx why there is nothing.
Until now I am the only one without open ports or other config failures. And I have used HA for a very long time now and I am pretty dedicated to it. So it's important for me too.
I am also wondering if I didn't somehow reveal my password when I shared stuff on the forum, but I have always been very careful with that.
…I assume your password was suitably “complex”? There was a question about brute-force, but again, this would appear in logs per request - unless the password hash could be retrieved.
So, if we work on the assumption they had your password, where does HA store the password hash? Of course, I’m assuming it IS encrypted - if so, with what algorithm - or is it plain text in a file???
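The point raised above, that brute-forcing shows up in the reverse proxy as one logged request per attempt, can be checked mechanically. The script below is an added example, not from anyone in the thread: it parses nginx "combined" format access lines, flags a source that gets repeated 401s on the HA API and then a 200, and lists every state-changing POST to /api/services/. The log lines are constructed samples using a documentation IP range.

```python
import re
from collections import Counter, defaultdict

# nginx "combined" log format:
# ip - user [time] "METHOD path HTTP/x" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<ua>[^"]*)"'
)

# Constructed sample lines (not from the thread); 203.0.113.0/24 is a documentation range.
SAMPLE_LOG = """\
203.0.113.7 - - [01/Feb/2018:03:12:01 +0100] "GET /api/states HTTP/1.1" 401 27 "-" "python-requests/2.18"
203.0.113.7 - - [01/Feb/2018:03:12:02 +0100] "GET /api/states HTTP/1.1" 401 27 "-" "python-requests/2.18"
203.0.113.7 - - [01/Feb/2018:03:12:02 +0100] "GET /api/states HTTP/1.1" 401 27 "-" "python-requests/2.18"
203.0.113.7 - - [01/Feb/2018:03:12:03 +0100] "GET /api/states HTTP/1.1" 200 1842 "-" "python-requests/2.18"
203.0.113.7 - - [01/Feb/2018:03:12:09 +0100] "POST /api/services/switch/turn_on HTTP/1.1" 200 2 "-" "python-requests/2.18"
192.168.1.20 - - [01/Feb/2018:07:40:11 +0100] "GET /frontend_latest/app.js HTTP/1.1" 200 55123 "-" "Mozilla/5.0"
"""

def parse(line):
    """Return the fields of one access-log line, or None if it is not combined format."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def analyse(log_text, fail_threshold=3):
    """Return (suspects, actions): IPs that hit fail_threshold 401s on /api/ and then
    got a 200 (guess-then-success), plus every POST to /api/services/ per IP."""
    fails = Counter()
    success_after_fail = set()
    actions = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse(line)
        if not rec or not rec["path"].startswith("/api/"):
            continue  # only the HA API matters here; static frontend assets are skipped
        ip = rec["ip"]
        if rec["status"] == "401":
            fails[ip] += 1
        elif rec["status"] == "200" and fails[ip] >= fail_threshold:
            success_after_fail.add(ip)
        if rec["method"] == "POST" and rec["path"].startswith("/api/services/"):
            actions[ip].append((rec["time"], rec["path"]))
    return sorted(success_after_fail), dict(actions)

if __name__ == "__main__":
    suspects, actions = analyse(SAMPLE_LOG)
    print("guess-then-success from:", suspects)
    for ip, calls in actions.items():
        print(ip, calls)
```

Run it against the real access log with `analyse(open("/var/log/nginx/access.log").read())`; if the proxy only forwards on a custom log format, adjust `LOG_RE` to match it.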
It wasn't an easy to guess password but it wasn't as complex as it should have been.
I have no idea where HA stores the password in any other way than in the config.
And I have history set to off, so there is probably nothing logged at any place at all.
yeah, taking “guess” out of the equation, was it dictionary based? Or likely a common password?
I used hashcat a few months ago to smash an Excel password based on a downloaded dictionary of passwords - took 2 mins on a laptop PC for a password that was a word (actually a surname) with numeric replacements.
So question remains - is HA’s password file exposed somehow…?
It was based on the first characters from a short sentence with capitals and numbers.
Nothing common and nothing you would guess.
But no special characters and no non-capital characters, so not complicated enough.
@ReneTode
Have you ever stored your API password on a service like IFTT or Stringify for WebHooks/Maker? It could be possible that those services were compromised? Have you backed up your config to Dropbox, OneDrive etc?
Do you use common passwords for all your online accounts or different passwords for different accounts?
Drop your email address in here to see if you have ever been the victim of a data breach: https://haveibeenpwned.com/
Just been digging through Shodan a bit - it’s quite scary how many people there are out there with HA installations sitting on the internet without even a password in place.
I actually felt guilty being able to click on the links and see them open. Luckily, I’m not the sort of person to abuse this - if people are reading this - please check your external IP address via your mapped ports and make sure you aren’t leaving your HA setup open to the world to do damage.
(Worse still, many have samba open with their homeassistant directory visible which is a very basic search to do also!)
@BrendanMoran I never used IFTT or Stringify. I don't use cloud storage in any way.
I use different passwords for every different account.
I also use different email accounts for every online account.
@RitteT I use a lot of different things. The devices that were switched on were:
lights on old style 433 MHz switches (custom component)
Limitless LED lights
Broadlink RM Pro switches