For two days now, I have been getting the notification like below saying that there has been an invalid authentication from the localhost IP 127.0.0.1. I am running my HA on a Raspberry Pi, and do use Nabu Casa. The time stamps for these seem to happen in the middle of the night and none of my PCs are online during these times, so I don’t think it is happening from one of my local network computers. If I am compromised, I’m not sure the best way to fix it. Does anyone have some guidance?
[homeassistant.components.http.ban] Login attempt or request with invalid authentication from localhost (127.0.0.1). Requested URL: ‘/api/config’. (Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/91.0.4472.124)
[homeassistant.components.http.security_filter] Filtered a potential harmful request to: /proc/self/environ
That’s someone (bot, crawler, script kiddie) scanning public URLs for known vulnerabilities in other services. /proc/self/environ is a Linux exploit path that leaks environment variables (and sometimes credentials) on vulnerable setups. It doesn’t exist as a route in HA, so the request just fails. Basically like going through a street and checking car doors to see if any are unlocked.
This is common to see and you just happen to be the address out of thousands of others that this is crawling through probably.
As this is coming through Nabu Casa access, the incoming address isn’t known and it appears as the loopback address 127.0.0.1.
If you had ip_bans enabled this would eventually result in a 403 forbidden response when the number of tries is met which would block 127.0.0.1 and then you’d be locked out of using the remote URL until that was cleared. The cloud team is working on passing through the actual connecting IP address but as everything is end-to-end encrypted it’s not so simple. Hopefully soon!
You could instead enable MFA for your user account for extra security, but this bot is just going to continue to fail to find this path and move on eventually.
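To make the lockout concern concrete, here is an added example (my own code, not from this thread or from Home Assistant) that tallies `http.ban` and `security_filter` log entries per source address and URL, then checks whether the loopback address alone would reach the `login_attempts_threshold` used with `ip_ban_enabled`. The sample log lines are constructed from the two quoted in the question; timestamps and the 203.0.113.7 address are invented.

```python
import re
from collections import Counter

# Constructed sample lines modelled on the two entries quoted in the question.
# Timestamps and the 203.0.113.7 address are invented, not real traffic.
SAMPLE_LOG = """\
2024-05-01 03:12:41 WARNING (MainThread) [homeassistant.components.http.ban] Login attempt or request with invalid authentication from localhost (127.0.0.1). Requested URL: '/api/config'. (Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/91.0.4472.124)
2024-05-01 03:12:41 WARNING (MainThread) [homeassistant.components.http.security_filter] Filtered a potential harmful request to: /proc/self/environ
2024-05-01 03:12:42 WARNING (MainThread) [homeassistant.components.http.ban] Login attempt or request with invalid authentication from localhost (127.0.0.1). Requested URL: '/api/states'. (curl/8.0.1)
2024-05-02 02:58:07 WARNING (MainThread) [homeassistant.components.http.ban] Login attempt or request with invalid authentication from 203.0.113.7 (203.0.113.7). Requested URL: '/api/config'. (python-requests/2.31)
"""

# Accept both plain and curly quotes around the URL, since forum rendering changes them.
BAN_RE = re.compile(
    r"\[homeassistant\.components\.http\.ban\] .*?from (?P<host>\S+) \((?P<ip>[^)]+)\)\. "
    r"Requested URL: ['‘](?P<url>[^'’]+)['’]"
)
FILTER_RE = re.compile(
    r"\[homeassistant\.components\.http\.security_filter\] Filtered a potential harmful request to: (?P<path>\S+)"
)

def summarize(log_text):
    """Count failed-auth attempts per source IP and per URL, plus filtered paths."""
    by_ip, by_url, filtered = Counter(), Counter(), Counter()
    for line in log_text.splitlines():
        m = BAN_RE.search(line)
        if m:
            by_ip[m["ip"]] += 1
            by_url[m["url"]] += 1
            continue
        m = FILTER_RE.search(line)
        if m:
            filtered[m["path"]] += 1
    return {"by_ip": by_ip, "by_url": by_url, "filtered": filtered}

def ban_lockout_risk(summary, login_attempts_threshold):
    """True when 127.0.0.1 alone would hit the ban threshold.

    Requests proxied through Nabu Casa all appear as 127.0.0.1, so banning that
    address would lock the owner out of the remote URL, as the reply above warns.
    A threshold of -1 (the Home Assistant default) means banning is disabled.
    """
    if login_attempts_threshold < 0:
        return False
    return summary["by_ip"].get("127.0.0.1", 0) >= login_attempts_threshold
```

Feed it the relevant lines from `home-assistant.log`; if every failed attempt comes from 127.0.0.1, treat the count as Nabu Casa traffic rather than a LAN host.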
Giggles. Invoking MFA on 127.0.0.1 is quickly going to seize things up!
As for external compromise, what do you have that is exposed to the outside world other than NabuCasa?
The entry recorded is for an unsuccessful attempt. The ones you should be more worried about are the successful ones.
Watching a live firewall log may shock you. The baddies out on the internetz are relentless. The fact the filter picked it up and reported it means there is the ability to recognise it as having bad intent, maybe something NabuCasa might be able to filter at their end, leading to a smaller attack window for their users and fewer log entries being recorded.
From experience of fixing customers’ systems, unless you are being targeted by state actors (yes they are viciously active especially in the current world militant situation), most of these scans are by unsophisticated script-kiddie wannabe hackers, university researchers and their students looking for low-hanging fruit. If your system is misconfigured, you stand a higher chance of vandalism rather than subtle infiltration. Small comfort, but similar to leaving your car unlocked on a Saturday night downtown. Your belongings will be rifled through, anything of value taken, and then maybe they will torch your car or take it for a joy ride and dump it, just for the lulz. A state actor will plant tracking devices, carefully close the doors and leave, with you none the wiser. Both are undesirable, and if it happens to you, leaving you with an experience like being anally raped.
Having your inbound traffic anonymised by NabuCasa places a larger responsibility on them to filter undesirable traffic. Be sure to continue to work with their tech support to identify and close any opportunities for attack.
Like Clifford Stoll in his book “The Cuckoo’s Egg”, identifying who is fiddling on your system should be relentlessly pursued, and if within your remit, “exterminated with extreme prejudice”.
Wouldn’t it be embarrassing if it was actually Claude rummaging around?