Strange Behavior from HA today, worried about a hack

Hi Guys-

I have home assistant setup as a VM on my unraid server. Has been working flawlessly for a year w/remote access using duckdns w/ these instructions: Remote access for Home Assistant (DuckDNS/HA Cloud) - YouTube

Today, I had Home Assistant go haywire w/ locks, garage doors and lights randomly changing states. Worried I might be hacked.

i set up 2 point verification, 3 login attempt threshold for ip ban when i set up remote access.

I’ve disabled remote access, but had a few questions.

  1. Is there a way to see who accessed my home assistant today via logs
  2. using the video above, i used a duck dns certificate and currently have this error under network: You have configured an HTTPS certificate in Home Assistant. This means that your internal URL needs to be set to a domain covered by the certficate.
  • if i delete this bit in my config.yaml file, will this error go away:

    http:
      ssl_certificate: /ssl/fullchain.pem
      ssl_key: /ssl/privkey.pem
      ip_ban_enabled: true
      login_attempts_threshold: 3

  3. I switched over to nabu casa right now so i can keep remote access/google assistant integration, but says that i can’t use google assistant bc of the certificate. Again, would deleting the lines in config.yaml, fix this?

Hope i didn’t mess things up too badly. Any and all help is appreciated.

Thanks for the reply.

i followed your instructions and now running through nabu casa. Was pretty smooth sailing w/no issues until about 1 hr ago.

similar event happened today. Lights switching on and off, front door unlocked and locked again and garage doors as well. here’s a screengrab of most recent logbook. What do you think i should do at this point.

My wife and I are using the same nabu casa login via our smartphones, but nobody else has this access as far as i know.

the locks and garage doors are tied to automations, but the lights are not.

never had an issue like this before.

i have a secrets folder in file editor, but no duckdns info there.

here is my config.yaml

# Configure a default setup of Home Assistant (frontend, api, etc)
default_config:

# Text to speech
tts:
  - platform: google_translate

group: !include groups.yaml
automation: !include automations.yaml
script: !include scripts.yaml
scene: !include scenes.yaml

homeassistant:
  auth_mfa_modules:
    - type: totp

http:
  ip_ban_enabled: true
  login_attempts_threshold: 3

i’ve deleted my duckdns domain and when i type that url in, it won’t login. i’m now only using http locally and the nabu casa url. locally, my browser says that it is not secured.

Any further recs? Change my home assistant password again? Fresh install?

Well if you’re no longer connected directly to the internet… Make sure you’ve unforwarded your router ports.

Btw, you’re assuming (if it was someone connecting to your instance) that they came through the internet. Maybe your neighbor’s kid has your wifi password (but they would also need your HA password which is pretty easy to obtain on a non-ssl connection).

It’s fairly annoying that you can’t see something as simple as ‘current logins’ and ‘login history’ in home assistant.

Yeah, double checked today and ports still closed. Only remote access is through nabu casa right now supposedly. But I’ve got 2fa setup too so local neighborhood kid seems less likely.

I see all actions are done by ‘Omar’

Since you use 2fa, my guess is this is someone on your local network…

1 - change password for Omar
2 - Do not allow passwordless logon for trusted networks
and that should solve it…

Yeah. That’s me. My wife and I use it but we just use my login for both phones. I changed the password on nabu casa and within HA.

How do you remove password less login in HA?

i was referring to TRUSTED NETWORKS

The Trusted Networks auth provider defines a range of IP addresses for which no authentication will be required (also known as “allowlisting”). For example, you can allowlist your local network so you won’t be prompted for a password if you access Home Assistant from inside your home.

When you log in from one of these networks, you will be asked which user account to use and won’t need to enter a password.

The multi-factor authentication module will not participate in the login process if you are using this auth provider.

Here is an example in configuration.yaml to set up Trusted Networks:

homeassistant:
  auth_providers:
    - type: trusted_networks
      trusted_networks:
        - 192.168.0.0/24

Btw, you should also change your wifi password….
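Added example, not part of the original posts and not Home Assistant's own code: a Python check of which LAN hosts fall inside a `trusted_networks` range and can therefore sign in with no password or MFA prompt. The configs are given as already-parsed dicts; the device inventory, the narrowed /32 list and the function names are constructed for illustration.

```python
import ipaddress

# Parsed `homeassistant:` sections of configuration.yaml, as plain dicts.
DOCS_EXAMPLE = {"auth_providers": [
    {"type": "trusted_networks", "trusted_networks": ["192.168.0.0/24"]}]}
# The config posted earlier in the thread: TOTP only, no auth_providers key,
# so no trusted_networks provider is configured.
POSTED_CONFIG = {"auth_mfa_modules": [{"type": "totp"}]}
# Constructed variant: only two specific hosts are trusted.
NARROWED = {"auth_providers": [
    {"type": "homeassistant"},
    {"type": "trusted_networks",
     "trusted_networks": ["192.168.0.10/32", "192.168.0.21/32"]}]}

# Constructed LAN inventory (name -> address).
DEVICES = {"pc": "192.168.0.10", "phone": "192.168.0.21",
           "guest-laptop": "192.168.0.77", "iot-camera": "192.168.0.150",
           "vpn-client": "10.8.0.2"}


def trusted_ranges(ha_cfg):
    """Collect every CIDR listed under a trusted_networks auth provider."""
    ranges = []
    for provider in ha_cfg.get("auth_providers", []):
        if provider.get("type") == "trusted_networks":
            for cidr in provider.get("trusted_networks", []):
                ranges.append(ipaddress.ip_network(cidr, strict=False))
    return ranges


def passwordless_exposure(ha_cfg, devices):
    """Map each device that can sign in without password or MFA to its range."""
    ranges = trusted_ranges(ha_cfg)
    exposed = {}
    for name, ip in devices.items():
        addr = ipaddress.ip_address(ip)
        match = next((net for net in ranges if addr in net), None)
        if match is not None:
            exposed[name] = str(match)
    return exposed


if __name__ == "__main__":
    for label, cfg in (("docs example", DOCS_EXAMPLE),
                       ("posted config", POSTED_CONFIG),
                       ("narrowed", NARROWED)):
        print(label, "->", passwordless_exposure(cfg, DEVICES))
```

A /32 entry trusts whichever host currently holds that address, so it is only as strong as the LAN's address assignment.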

Click on your name and scroll down to refresh tokens.


Great. Just changed my wifi password. I’ll reexamine my instance tonight.

Would really like to avoid deleting my unRAID HA VM.

That’s helpful although that’s not history. Just the last connection. But helpful none-the-less. thanks.

I know.
But given that the user is new and has a new password then the list should be small.
If you log out as many devices as possible then you might be able to see if there is someone else there.

Option 2 would make it impossible to use androids home control and Google Assistant integration, correct?

I would say incorrect.
I don’t use password less login and it still works fine for me.

No, it just requires a user AND password…

On trusted networks users can logon without using a password, but you can force to use a password internally as well.

My phone app also works ‘outside’ my trusted network :thinking:

So the recommendation then would be to include only the IP for my PC, my phone and my wife’s phone in the config.yaml file?

Why have passwordless login at all?
In my opinion, you clearly have an issue so try and stop the issue first then see what can be done to make life easier.

no need on your phone, it is a one time password (your phone remembers it)

So, since I don’t have anything like this in my config file, this wouldn’t be an issue, if I’m understanding you right.