Security threat? "potential harmful query string"

First time I’ve ever come across this in my logs. I’ve tried googling the various bits and am not coming up with anything that makes sense.

Cause for concern? Don’t even know where to start here.

 WARNING (MainThread) [homeassistant.components.http.security_filter] Filtered a request with a potential harmful query string: /tiki-jsplugin.php?plugin=x&language=../../../../../../../../../../windows/win.ini


Someone found your HA URL and tried to hack it. Nothing to do. See Path traversal hack tentative


Interesting. I saw that thread but wasn’t sure if it was related, different url and all. Surprised it doesn’t seem to come up much. Thanks.

Found this identical warning in my logs too.

When (not if) the attackers figure out what an HA instance is, and discover vulnerabilities in it (and they will), the discovery of your remote URL will become more of a risk.
Right now, the obscure URL is providing “security through obscurity” (a false security), but once someone observes the URL your mobile is looking up (happens on coffee shop WiFi, hotels, airports…) then it goes on a list and the bots attempt to exploit it.
Right now, they seem to be testing for vulnerable WordPress plugins (there are many).
Someday they’ll probe for HA. And our logs won’t likely tell us when they succeed.

So, one short-term option could be for NabuCasa to offer a way to generate a new hashed URL for any accountholder who asks for it. The accountholder would have to nudge their installed mobile clients to observe the new URL, and it would buy a little more time before that one, also, gets discovered.

Longer-term, the best defense is a more-hardened, strongly filtered web acceptance layer. That’s going to cost more.

1 Like

This seems like it would actually be a very good idea and I can’t imagine it would be all that difficult or costly to implement. I’ve had to regenerate API’s for a couple of services I mistakenly posted the API key for on github before.

I subscribed for the 1-month free Nabu Casa Home Assistant Cloud service. Is there a direct correlation between NC Cloud and this warning:

Filtered a request with a potential harmful query string: /api/hassio_ingress

What is the best advice to do atm?

atm I would not take any action.
Probes have and always will occur. The key is whether or not they find anything to exploit.
I advise to keep watching the forum, and releases, for activity related to hardening against such probes. Oh, and keep your system updated.

Probes like this will only increase over time as bots (FKA script-kiddies) become attuned to the internals of HA and start looking for flaws.

So far, most of the alerts have had to do with WordPress (a vulnerable and popular target) but eventually someone will start poking at HA’s innards.

For the time being, I’ve used the home/away status in HA to disable the ‘remote UI’ of HA when we are both at home, so it’s just not there when a bot rolls by.

1 Like

Thank you for your detailed response. First time - since using HA - ever getting these disturbing logs. Keep you posted.

Thanks glyndon, for now I’ve decided to delete my Nabu Casa Cloud account as a whole.

Screenshot 2023-12-07 at 00.54.24

Sorry to see you chose that path, as a paid Nabu Casa subscription is how the project gets funding, and it is the best/safest way to expose your instance to the Internet and link with external services.
Do you need external access (either to your instance when you’re away, or between it and third parties like IFTTT, Google, Alexa, etc)?
If not, then having no NabuCasa account makes sense, but if you do, the alternatives methods of achieving it are typically much riskier.
There will always be hostile actors out there, and the kinds of probes we’re discussing here are relatively mild in comparison to many others. Don’t let them scare you. Rather, spend some time learning how they operate, and how to layer your defenses effectively.

1 Like

Goodday, of course I’m aware of the funding through NC Cloud accounts. I hooked up as I was having issues with my local Voice Assist for the ESP32-S3-BOX-3. Was troubleshooting it with access to NC Cloud. I solved my issues - getting it back to local VA - with the great help of @CChris in this thread

So the warnings I got, just after joining NC Cloud made me reconsider my test version of NC Cloud.