433 MHz switches can't get hacked. They can be switched on when you are in reach, but HA would never notice it.
my limitless hub is on my lan. but you need to get on my lan to access it before you can hack it.
same for my broadlink device.
I use the port 22 to get access via ssh to the rpi3…
…need to check accurately as soon as I get home.
OK, so none of your IoT devices has internet access (not speaking in terms of open ports)? Doesn't mean that you specifically have opened ports for them, but sometimes their system checks firmware, time etc. and that doesn't need any ports to be opened. Just want to rule out that one of your devices got hacked, and thus they got LAN access.
It means you’ve an exposed SSH server.
If you've configured your SSH server to only accept keys, the risk is low. If however you allow password logins, or worse, allow root
to log in with a password, then you've got a risk. Your config can be safely shared if you're unsure.
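A check for the two settings that post names, as an added example that is not part of the thread: it reads an sshd_config the way sshd does (first value for a keyword wins, a Match line starts conditional settings) and reports password logins and root password logins. The sample configs are constructed, not taken from anyone's Pi.

```python
"""Audit an OpenSSH sshd_config for the two weak settings discussed above:
password logins enabled and root permitted to log in with a password.
Follows sshd's rules: keywords are case-insensitive, the first value given
for a keyword wins, and everything after a Match line is conditional."""

# Defaults OpenSSH (7.0+) applies when a keyword is absent, per sshd_config(5).
DEFAULTS = {"passwordauthentication": "yes", "permitrootlogin": "prohibit-password"}

# Constructed sample configs, not copied from any real host.
WEAK_CONFIG = """
Port 22
PermitRootLogin yes
PasswordAuthentication yes
"""

HARDENED_CONFIG = """
Port 22
PermitRootLogin no
PasswordAuthentication no
Match User pi
    PasswordAuthentication yes
"""

def parse_sshd_config(text):
    """Return (global settings, True if a Match block exists); first value wins."""
    settings, has_match = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):  # sshd only treats whole lines as comments
            continue
        key, value = (line.split(None, 1) + [""])[:2]
        key, value = key.lower(), value.strip().lower()
        if key == "match":
            has_match = True
            break  # lines below apply only to matching users/hosts/addresses
        settings.setdefault(key, value)  # a repeated keyword keeps its first value
    return settings, has_match

def audit_sshd_config(text):
    """List findings; an empty list means key-only logins and no root password."""
    parsed, has_match = parse_sshd_config(text)
    cfg = {**DEFAULTS, **parsed}
    findings = []
    if cfg["passwordauthentication"] == "yes":
        findings.append("PasswordAuthentication yes: logins can be brute-forced")
    if cfg["permitrootlogin"] == "yes":
        findings.append("PermitRootLogin yes: root can log in with a password")
    if has_match:
        findings.append("Match block present: review its overrides by hand")
    return findings
```

Run it against `/etc/ssh/sshd_config` on the Pi itself; an unset PasswordAuthentication still counts as weak because sshd's default is yes.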
thank you for the reply…
at this very moment I cannot share my config since I’m at work now.
But.
I tried to log in to my IP with PuTTY from my office PC (which is completely unrelated to my Home Assistant setup), using root and my password, and no luck.
When I do the same at home (from the Mac, logging in to rpi3 via terminal and ssh) it accepts my password.
Anyway, I set up SSH using the hassio SSH add-on.
Be aware that some offices block certain ports (22 is a common one) so a no response is not a closed port necessarily. Go to a Starbucks or similar and try.
GRC | ShieldsUP! — Internet Vulnerability Profiling
Alternatively, I know shields up does check port 22 (among others).
Hey silvrr,
The thing that makes me say the port is reachable from my office is that PuTTY, once I enter my IP, asks for a user name and a password… it means that PuTTY establishes a connection to my rpi3, isn't it?
Anyway I'll try again using my phone hotspot.
It means it established a connection to SOMETHING on your network that is running SSH. Did you forward the port to SSH into your Pi?
don’t remember right now…
Yes, I should have read more closely.
As @flamingm0e said though, you connected to something, not necessarily your Pi. Without any portforwarding in place I would think it would be your router responding which is not ideal.
Log in to your router when home and verify UPnP is disabled.
Then verify port forwarding only covers things you want.
Then verify the router does not allow SSH into it, and maybe disable WAN login to the router (I think you want this disabled).
I will also add, change the forwarded ports to some high number between 32K and 64K. Exposing 8123 says "hey, I'm using Home Assistant". Exposing port 22 is equally bad. I would even think about changing the default OpenVPN ports. Using a high port number isn't going to save you from a very determined attacker, but it will drastically cut down on the attempts.
OK, thanks for the hints guys.
8123 is exposed but I'm using an HTTPS certificate and DuckDNS (as described in the HA documentation).
Did you also set a password? Certificates don't really do much for protection if there's no password.
yes I did.
When connecting from home to the rpi3 it prompts me for the password.
Certificates are meaningless if someone hammers your installation until it falls over and lets someone walk in. Change the port.
No open ports, no firmware updates (if there is even a firmware at all), no time updates.
The devices you are talking about can be hacked as much as your TV remote or your wall switch.
OK, I don't know if you're understanding me correctly. I'm not talking about IoT devices or something connected to HASS. I'm talking about any device at all in your home that has internet access (besides computers and cellphones). Don't you have any security camera at home? Even if it wasn't a part of the devices that triggered during your hack or even connected to HASS.
For any interested party, I have created a custom sensor that will show you the latest IP that successfully connected to your web UI.
It will save all new IP addresses that successfully connected to a YAML file in your config dir with some geo info; it will also present a persistent_notification
with the same info.
https://github.com/custom-components/sensor.authenticated
I have 4 Foscam webcams.
They are on my LAN, but to update their firmware I download it on my PC and upload it to the cam.
I don't own any other devices that have firmware that is updated or connected to the internet, except original Amazon stuff like Echos.
If someone was able to hack the firmware on that, then 80% of the forum would be in big trouble.