Tracking down a MAC and IP address, originating from Hassio?

homeassistlestrand · September 13, 2022, 11:16pm

Newbie here: I have an external IP address pinging my mosquitto broker integrated with Home Assistant in a Raspberry PI.

When I check the origin, it points toward ‘hassio’ but the MAC address is not recognised anywhere. What can I do next to identify and remedy the constant pinging of my mosquitto broker?

NathanCu · September 13, 2022, 11:43pm

172.30 is within the 172.16.x.x/16 private address space (meaning it’s internal) its probably the vlan used for your container installation between your various containers or addons. Look there

nickrout · September 13, 2022, 11:58pm

Are you using HAOS? You can type

ip addr|less

and get all of your addresses. The mac address is probably something made up by docker.

EDIT In fact it is the same as mine

➜  ~ arp 172.30.32.2
Address                  HWtype  HWaddress           Flags Mask            Iface
hassio                   ether   02:42:ac:1e:20:02   C                     hassio

nickrout · September 14, 2022, 12:09am

It kinda has to keep in touch with the broker

avd706 · September 14, 2022, 2:48am

I get spammed by that ip, but look at the bottom, that ip is not on my lan, and the port is not open to the internet.

nickrout · September 14, 2022, 3:07am

That last ip address is certainly not from your LAN

nick@media:~$ nslookup 64.225.14.92
Server:         127.0.0.1
Address:        127.0.0.1#53

Non-authoritative answer:
92.14.225.64.in-addr.arpa       name = monitoring.internet-measurement.com.

NathanCu · September 14, 2022, 3:39am

Agreed. Whatever it is, it’s also managed to get it’s IP logged on a couple honeypot sites… Which means…

…if that is not your intended routing, you need to verify your router’s port forwarding and UPnP settings to see about any holes punched in sending 1883 inbound to your HA box.

Something allowed that blank user login attempt in.

nickrout · September 14, 2022, 4:30am

Back to the internal address, you can find out for sure which container it comes from with docker network

➜  ~ docker network ls
NETWORK ID     NAME      DRIVER    SCOPE
a200b79c6ace   bridge    bridge    local
363cd2cd3d39   hassio    bridge    local
d7db0cca0ad2   host      host      local
295c24907a73   none      null      local

OK so I have 4 networks, lets start by looking at the most obvious suspect

docker network inspect hassio

oops that’s a bit long, lets try

➜  ~ docker network inspect hassio|grep 172.30.32.2 -B4 -A1
            "b91a231485ed5b3511a3f8feb3fff44b4f778073065fa6da8db0b0e68ad3676e": {
                "Name": "hassio_supervisor",
                "EndpointID": "873893c0d8670d76052f7d5d8d6cab942206fb9b59c549d9784e36f542c801b9",
                "MacAddress": "02:42:ac:1e:20:02",
                "IPv4Address": "172.30.32.2/23",
                "IPv6Address": ""

As can be seen, that address is from the supervisor container (on my system anyway.)

homeassistlestrand · September 14, 2022, 8:32am

Thank you all for the troubleshooting. Here is a lengthier explanation that hassio pings the mosquitto broker. @frenck spells out “That is the supervisor checking if the add-on is still responding as part of a health check. This is expected, not a bug and actually good.”

github.com/home-assistant/core

Unknown client connecting to MQTT broker

opened 05:32AM - 08 Jun 21 UTC

closed 07:20AM - 08 Jun 21 UTC

delta010

integration: mqtt

### The problem in my home assistant mosquito add-on, an unknown client no clie…nt id is connecting and disconnecting as a loop forever the IP address of the client looks like a docker container IP address (172.30.32.2). my network address is 192.168.0.1 , but I can't find any what container is trying to connect .pleas help me ### What is version of Home Assistant Core has the issue? core-2021.6.2 ### What was the last working version of Home Assistant Core? core-2021.4.0 ### What type of installation are you running? Home Assistant OS ### Integration causing the issue MQTT ### Link to integration documentation on our website https://www.home-assistant.io/integrations/mqtt/ ### Example YAML snippet ```yaml logins: - username: user password: 123456789 customize: active: false folder: mosquitto certfile: fullchain.pem keyfile: privkey.pem require_certificate: false ``` ### Anything in the logs that might be useful for us? ```txt 1623126169: New connection from 192.168.0.110 on port 1883. 1623126169: New client connected from 192.168.0.110 as sonofflight1 (p2, c1, k30, u'hassio'). 1623126184: New connection from 192.168.0.117 on port 1883. 1623126184: New client connected from 192.168.0.117 as keypad (p2, c1, k30, u'hassio'). 1623126204: New connection from 172.30.32.1 on port 1883. 1623126204: New client connected from 172.30.32.1 as 2he2ok6kXNV7syNo9EIH5K (p2, c1, k60, u'hassio'). 1623126373: New connection from 172.30.32.2 on port 1883. 1623126373: Socket error on client <unknown>, disconnecting. 1623126431: New connection from 172.30.33.5 on port 1883. 1623126431: New client connected from 172.30.33.5 as mqttjs_c8632349 (p2, c1, k60, u'hassio'). 1623126493: New connection from 172.30.32.2 on port 1883. 1623126493: Socket error on client <unknown>, disconnecting. 1623126613: New connection from 172.30.32.2 on port 1883. 1623126613: Socket error on client <unknown>, disconnecting. 1623126733: New connection from 172.30.32.2 on port 1883. 1623126733: Socket error on client <unknown>, disconnecting. 1623126853: New connection from 172.30.32.2 on port 1883. 1623126853: Socket error on client <unknown>, disconnecting. 1623126973: New connection from 172.30.32.2 on port 1883. 1623126973: Socket error on client <unknown>, disconnecting. 1623127093: New connection from 172.30.32.2 on port 1883. 1623127093: Socket error on client <unknown>, disconnecting. 1623127213: New connection from 172.30.32.2 on port 1883. 1623127213: Socket error on client <unknown>, disconnecting. 1623127333: New connection from 172.30.32.2 on port 1883. 1623127333: Socket error on client <unknown>, disconnecting. 1623127453: New connection from 172.30.32.2 on port 1883. 1623127453: Socket error on client <unknown>, disconnecting. 1623127573: New connection from 172.30.32.2 on port 1883. 1623127573: Socket error on client <unknown>, disconnecting. 1623127693: New connection from 172.30.32.2 on port 1883. 1623127693: Socket error on client <unknown>, disconnecting. 1623127813: New connection from 172.30.32.2 on port 1883. 1623127813: Socket error on client <unknown>, disconnecting. 1623127933: New connection from 172.30.32.2 on port 1883. 1623127933: Socket error on client <unknown>, disconnecting. 1623127960: Saving in-memory database to /data/mosquitto.db. 1623128053: New connection from 172.30.32.2 on port 1883. 1623128053: Socket error on client <unknown>, disconnecting. 1623128173: New connection from 172.30.32.2 on port 1883. 1623128173: Socket error on client <unknown>, disconnecting. 1623128293: New connection from 172.30.32.2 on port 1883. 1623128293: Socket error on client <unknown>, disconnecting. 1623128413: New connection from 172.30.32.2 on port 1883. 1623128413: Socket error on client <unknown>, disconnecting. 1623128533: New connection from 172.30.32.2 on port 1883. 1623128533: Socket error on client <unknown>, disconnecting. 1623128653: New connection from 172.30.32.2 on port 1883. 1623128653: Socket error on client <unknown>, disconnecting. 1623128773: New connection from 172.30.32.2 on port 1883. 1623128773: Socket error on client <unknown>, disconnecting. 1623128893: New connection from 172.30.32.2 on port 1883. 1623128893: Socket error on client <unknown>, disconnecting. 1623129013: New connection from 172.30.32.2 on port 1883. 1623129013: Socket error on client <unknown>, disconnecting. 1623129133: New connection from 172.30.32.2 on port 1883. 1623129133: Socket error on client <unknown>, disconnecting. 1623129253: New connection from 172.30.32.2 on port 1883. 1623129253: Socket error on client <unknown>, disconnecting. 1623129373: New connection from 172.30.32.2 on port 1883. 1623129373: Socket error on client <unknown>, disconnecting. 1623129493: New connection from 172.30.32.2 on port 1883. 1623129493: Socket error on client <unknown>, disconnecting. 1623129613: New connection from 172.30.32.2 on port 1883. 1623129613: Socket error on client <unknown>, disconnecting. 1623129733: New connection from 172.30.32.2 on port 1883. 1623129733: Socket error on client <unknown>, disconnecting. 1623129761: Saving in-memory database to /data/mosquitto.db. 1623129853: New connection from 172.30.32.2 on port 1883. 1623129853: Socket error on client <unknown>, disconnecting. 1623129973: New connection from 172.30.32.2 on port 1883. ``` ### Additional information _No response_

nickrout · September 14, 2022, 8:46pm

I would still be very worried about the connection from 64.225.14.92

PS if you want to pm me your external ip address I will check it for you. You need to trust me though (needless to say).

aceindy · September 14, 2022, 9:06pm

I’ll vouch for Nickrout, his intentions are good 🥹

avd706 · September 14, 2022, 9:14pm

Something is very wrong with my iptables.

Thanks for the offer.

nickrout · September 14, 2022, 10:32pm

No problem, and thanks for introducing me to that nice tool

Look out for upnp on you router/modem/whatever. Although most people think of upnp as a media technology, the protocol extends to allowing, on request, ports to be opened to the outside on a router. Maybe this happened here. @NathanCu mentioned this in post 7, but I thought it needed a little explanation. See (for example) here What is UPnP and why is it Dangerous?

avd706 · September 14, 2022, 11:07pm

no, it’s not UPnP, it’s worse than that: Help with iptables - HA hosted on baremetal Debian 11 homebrew router -- exposed ports

Thanks again.