[SOLVED] Security: Why is HomeAssistant connecting massively to Microsoft 40.68.60.81?

Dear all,

I came across a really strange behavior and I cannot pinpoint its root cause.

Since December my HomeAssistant installation has connected more than 200k times to 40.68.60.81 over https (443).

Does anyone know where this comes from or how I can find more details why this happens?

Surely I can just drop this, but I would like to understand where exactly this comes from and why HomeAssistant does that. To be honest I am not the biggest fan of MS and furthermore I do not like unwanted ingress or egress connections.

It would be awesome if you guys could help to find where it comes from. And maybe check your traffic, too?

Here are some details:

NetRange:       40.64.0.0 - 40.71.255.255
CIDR:           40.64.0.0/13
NetName:        MSFT
NetHandle:      NET-40-64-0-0-1
Parent:         NET40 (NET-40-0-0-0-0)
NetType:        Direct Allocation
OriginAS:       
Organization:   Microsoft Corporation (MSFT)
RegDate:        2015-02-23
Updated:        2021-12-14
Ref:            https://rdap.arin.net/registry/ip/40.64.0.0

############
22:01:56.895955 IP homeassistanthostname.45396 > 40.68.60.81.https: Flags [.], ack 43392, win 8, length 0
22:01:56.900548 IP homeassistanthostname.45396 > 40.68.60.81.https: Flags [F.], seq 2925, ack 43392, win 8, length 0
22:01:56.928812 IP 40.68.60.81.https > homeassistanthostname.45396: Flags [.], ack 2926, win 501, length 0

root@homeassistant:/home/username# ss -atp | grep "40.68.60.81"
ESTAB      0      0                                   10.111.111.111:50408                                       40.68.60.81:https                               users:(("hass",pid=27551,fd=54))

root@homeassistant:/home/username# ps aux | grep 27551
root     11354  0.0  0.0   6084   888 pts/2    S+   21:44   0:00 grep 27551
homeass+ 27551  1.8  5.0 2275624 402308 ?      Ssl  Feb18 147:04 /srv/homeassistant/bin/python3.10 /srv/homeassistant/bin/hass -c /home/homeassistant/.homeassistant

;; AUTHORITY SECTION:
60.68.40.in-addr.arpa.	900	IN	SOA	ns1-201.azure-dns.com. msnhst.microsoft.com. 1 900 300 604800 3600

It's a hosting server, so it could be many things.
Daimler (Mercedes-Benz) have some services there (bff-prod.risingstars.daimler.com) among others.


Ahhh… Okay then this makes sense. How did you do the reverse lookup? For me it did not work via "dig -x "

So problem solved then. Thanks a lot.

Google search on the IP and then look for other hits than Microsoft and then just a little reverse check to see if it was still true.

Hi, I am curious about this myself, and wanted to know what command/utility you used to determine HA connecting to MS? Thanks

Probably saw the connection in the firewall logs on the firewall and did an rDNS lookup, which returned a microsoft.com domain.

Hi,

surely I can tell.

There are several options for how you can find this out. In this case I used my setup here.

  1. Hardware firewall (I have many networks and all of them are segregated/separated, like my IoT network)
  2. SIEM in place for log collection and aggregation (in my case, because it’s free: Graylog)
  3. Set up alerts in Graylog

To investigate which process caused the traffic and to get more details:

  1. tcpdump host 40.68.60.81 (tshark works as well)
  2. lsof -ni | egrep -i "40.68.60.81" (strace should work, too)
  3. ss -atp | grep "40.68.60.81" (or netstat would work as well)
  4. ps aux | grep 27551 (grepped for the PID to check which process, user etc.)
  5. dig -x 40.68.60.81 (but it only showed MS, as the PTR is not correctly set; -x does a reverse lookup)

You might also be able to use auditd to get this information. The nice thing with Linux systems is that you have many, many ways and many tools to achieve what you need.

Hope that helps a bit
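As an added example (not code from the thread), the ss/ps/whois steps above wired together in POSIX sh: it parses `ss -atp` output to find the PIDs owning sockets to a given peer and checks whether that peer falls inside the CIDR from the WHOIS output. The `ss` output it parses is a constructed sample, not a capture from the poster's host.

```shell
#!/bin/sh
# Added example: map every established socket to a peer back to its PID and
# process name (the ss -atp / ps step) and test the peer against the
# allocated range shown by WHOIS (40.64.0.0/13). Parsing works on ss's text
# output, so it can be exercised offline on the sample below.

# Constructed sample of `ss -atp` output (not captured from a real host).
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port    Peer Address:Port   Process
LISTEN 0      128    0.0.0.0:22             0.0.0.0:*           users:(("sshd",pid=812,fd=3))
ESTAB  0      0      10.111.111.111:50408   40.68.60.81:https   users:(("hass",pid=27551,fd=54))
ESTAB  0      0      10.111.111.111:50412   40.68.60.81:https   users:(("hass",pid=27551,fd=61))
ESTAB  0      0      10.111.111.111:44210   93.184.216.34:https users:(("curl",pid=30112,fd=5))'

# Read ss -atp output on stdin; print unique "pid name" pairs whose peer is $1.
# The peer column ($5) must start with "<ip>:" so 140.68.60.81 does not match.
pids_for_peer() {
    awk -v peer="$1" '
        $1 == "ESTAB" && index($5, peer ":") == 1 {
            if (match($0, /pid=[0-9]+/)) {
                pid = substr($0, RSTART + 4, RLENGTH - 4)
                split($6, q, "\"")      # users:(("hass",pid=...)) -> q[2] = hass
                print pid, q[2]
            }
        }' | sort -u
}

# Dotted-quad IPv4 -> 32-bit integer.
ip_to_int() {
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Succeed (exit 0) when IPv4 $1 lies inside CIDR $2, e.g. 40.64.0.0/13.
ip_in_cidr() {
    net=${2%/*}; bits=${2#*/}
    mask=$(( (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF ))
    [ $(( $(ip_to_int "$1") & mask )) -eq $(( $(ip_to_int "$net") & mask )) ]
}

# Report for one peer: owning processes plus CIDR membership. On a live host
# feed real data instead of the sample:  ss -atp | pids_for_peer "$peer"
triage_peer() {
    peer=$1; cidr=$2
    printf '%s\n' "$SAMPLE_SS" | pids_for_peer "$peer" | while read -r pid name; do
        printf 'peer %s owned by pid %s (%s); inspect with: ps -p %s -o user,cmd\n' \
            "$peer" "$pid" "$name" "$pid"
    done
    if ip_in_cidr "$peer" "$cidr"; then echo "$peer is inside $cidr"
    else echo "$peer is outside $cidr"; fi
}

triage_peer 40.68.60.81 40.64.0.0/13
```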