Sharing a bit of a lessons learned. I test what my external web profile looks like somewhat regularly to ensure I haven’t made any stupid mistakes and opened myself up.
Running a few of my regular searches on Shodan, to my surprise I showed up. Even though I have ports open, they are limited to IP addresses that I specify. Generally, this means that scanners like Shodan do not see anything active on the open ports as they are not one of the specified IPs.
However, I made a change last week (and only for the week while I was out of town) which opened me up. There is a bug (at least I think it’s a bug) in my firewall firmware that causes the issue. I knew of the issue but didn’t think about it surfacing in this fashion.
Just a heads up to be testing your security regularly. You may have made a change that impacts your security in ways you didn’t realize.
Since I have gotten questions on what I do to check after these types of posts, here is what I check. I would be interested in seeing what others do also.
- From a public computer try accessing your instance from a browser, see what happens, see what the response looks like. Test your passwords (if it connects) and confirm you are getting a failed login notification. If you have a limit on incorrect passwords, confirm you get locked out after the limit.
- Periodic checks on Shodan. Check for your domain, IP and look for results under home assistant, homeassistant or any other key words you can think of to see if you show up. Note that this can lag a bit as Shodan has to scan your IP which may not be very frequent. https://www.shodan.io/
- Run the scans on GRC’s Shields Up. https://www.grc.com/shieldsup
- From a public IP (this can’t be done inside your network; use a Coffee Shop, Public Wifi etc.) run a scan with Nmap. https://nmap.org/
There are phone based apps that can do some of these scans also, however, I have gotten some false positives when on an LTE connection due to the way the connection is made. This seems to be the case for others too, with the ports that were showing open.
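One way to make the external Nmap check from the list above repeatable, as an added example that is not part of the original post: save the scan in Nmap's grepable format (`nmap -Pn -oG scan.txt <your-public-ip>`) and diff it against the ports you intend to expose. Ports that are supposed to be restricted to specific source IPs should show as `filtered` (or `closed`) from an outside address; anything `open` that is not on your allow-list is exactly the kind of change the post describes. The sample scan output below is constructed, not a real scan, and 203.0.113.5 is a documentation-range placeholder for your public IP; the allow-list contents are an assumption for illustration.

```python
import re
from typing import Dict, List, Set, Tuple

# Constructed sample of `nmap -oG -` (grepable) output for an external scan.
# Not real scan data; 203.0.113.5 is a placeholder (documentation range).
SAMPLE_NMAP_GREPABLE = """\
# Nmap 7.94 scan initiated as: nmap -Pn -oG - 203.0.113.5
Host: 203.0.113.5 ()\tStatus: Up
Host: 203.0.113.5 ()\tPorts: 22/filtered/tcp//ssh///, 443/open/tcp//https///, 8123/open/tcp//http-alt///, 1883/open/tcp//mqtt///\tIgnored State: filtered (996)
# Nmap done: 1 IP address (1 host up) scanned
"""

# Grepable port entries look like port/state/proto/owner/service/rpcinfo/version,
# e.g. "443/open/tcp//https///". Owner, rpcinfo and version are usually empty.
PORT_RE = re.compile(r"(\d+)/(\w+)/(\w+)//([^/]*)///")

PortEntry = Tuple[int, str, str, str]  # (port, state, proto, service)


def parse_grepable(text: str) -> Dict[str, List[PortEntry]]:
    """Return {host: [(port, state, proto, service), ...]} from nmap -oG output."""
    results: Dict[str, List[PortEntry]] = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue
        fields = line.split("\t")
        host = fields[0].split()[1]  # "Host: 203.0.113.5 ()" -> "203.0.113.5"
        for field in fields[1:]:
            if not field.startswith("Ports:"):
                continue
            for match in PORT_RE.finditer(field):
                port, state, proto, service = match.groups()
                results.setdefault(host, []).append((int(port), state, proto, service))
    return results


def unexpected_exposure(scan: Dict[str, List[PortEntry]],
                        allowed: Dict[str, Set[int]]) -> List[str]:
    """Flag every port that is open from the scanning vantage point but is not
    on the per-host allow-list of ports you intend to be reachable from anywhere.
    Ports restricted to specific source IPs belong off the allow-list: from an
    outside address they should appear filtered, and 'open' means the restriction
    is not in effect."""
    findings: List[str] = []
    for host, entries in scan.items():
        expected = allowed.get(host, set())
        for port, state, proto, service in entries:
            if state == "open" and port not in expected:
                label = service or "unknown"
                findings.append(f"{host}: {port}/{proto} ({label}) is open but not in the allow-list")
    return findings


if __name__ == "__main__":
    # Assumed allow-list: HTTPS and the Home Assistant port are meant to be public;
    # MQTT (1883) is meant to be reachable only from specific IPs, so it must not show open.
    ALLOWED = {"203.0.113.5": {443, 8123}}
    scan = parse_grepable(SAMPLE_NMAP_GREPABLE)
    for finding in unexpected_exposure(scan, ALLOWED) or ["No unexpected open ports."]:
        print(finding)
```

Run it after each scan from outside your network (or wire it into a cron job on a VPS) and treat any output as a signal to re-check the firewall rule you last touched.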