cross-posted from: https://reddthat.com/post/39309359
I’ve been running Home Assistant for three years. It’s port forwarded on default port 8123 via a reverse proxy in a dedicated VM serving it over HTTPS and is accessible over IPv4 and IPv6. All user accounts have MFA enabled.
I see a notification every time there’s a failed login attempt, but every single one is either me or someone in my house. I’ve never seen a notification for any other attempts from the internet. Not a single one.
Is this normal? Or am I missing something? I expected it to be hammered with random failed logins.
Might need more info about your setup. The reverse proxy probably has some logs you aren’t looking at. Most bots from what I’ve seen do ip:port scans hitting every IP and every port. Nginx Proxy Manager or something similar isn’t going to forward ip:8123 to Home Assistant. A straight router port forward will, but the reverse proxy manager will look at the domain in the GET request for https://ha.hit_the_rails.net and forward it to your LAN ip:port. It’s a little security through obscurity as they have to know your sub+domain.
For a time I had port 22 open and forwarded directly to a server. Constant bot traffic. Changed the port, put an SSH honeypot on 22, and it almost completely went away. Sure, the bots could be smart enough to scan and find another open SSH port, but they rarely did. I assume because anyone savvy enough to change the SSH port is savvy enough to not allow default logins like ubnt:ubnt and root:1234, which were by far the most common logins I got in the honeypot.
Yes. The fearmongering of the security freaks is not necessarily true. We selfhosters are not big targets and nobody cares about our files or our devices.
Of course, until you get hacked.
But besides SMTP, SSH and known services like WordPress or PrestaShop, there are few actual brute-force bots trying hard.
Agreed. The nonstandard port helps too. Most script kiddies aren’t going to know your service even exists.
Take it another step further and remove the default backend on your reverse proxy so that requests to anything but the correct DNS name are dropped (bots are just probing IPs) and you basically don’t have to worry at all. Just make sure to keep your reverse proxy up to date.
The reverse proxy ends up enabling security through obscurity, which shouldn’t be your only line of defence, but it is an effective first line of defence especially for anyone who isn’t a target of foreign government level of attacks.
Adding basic auth to your reverse proxy endpoints extends that a whole lot further. Form based logins on your apps might be a lot prettier, but it’s a lot harder to probe for what’s running behind your proxy when every single URI just returns 401. I trust my reverse proxy doing basic auth a lot more than I trust some php login form.
I always see posters on Lemmy about setting up elaborate VPN setups as the only way to access internal services, but it seems like awful overkill to me.
VPN still needed for some things that are inherently insecure or just should never be exposed to the outside, but if it is a web service with authentication required a reverse proxy is plenty of security for a home lab.
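Added example (not from any post in this thread) of what the two suggestions above look like in nginx: a catch-all default server that closes the connection for anything not addressed to the expected hostname, and basic auth in front of every URI of the real vhost. Hostname `ha.example.com`, upstream `192.168.1.10:8123`, the certificate paths and the htpasswd path are all assumptions you would replace.

```nginx
# Added example, not the original poster's config. Assumed values: public name
# ha.example.com, Home Assistant on 192.168.1.10:8123, certs under /etc/letsencrypt,
# htpasswd file at /etc/nginx/ha.htpasswd.

# Catch-all for requests that do not match a server_name below: bare-IP scans,
# random SNI, other people's domains. 444 is nginx's "close without responding".
server {
    listen 443 ssl default_server;
    listen [::]:443 ssl default_server;
    ssl_reject_handshake on;   # nginx >= 1.19.4: refuse the TLS handshake, no cert needed
    return 444;
}
server {
    listen 80 default_server;
    listen [::]:80 default_server;
    return 444;
}

# The only vhost that is actually routed to Home Assistant.
server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name ha.example.com;

    ssl_certificate     /etc/letsencrypt/live/ha.example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/ha.example.com/privkey.pem;

    # Basic auth on every URI: unauthenticated probes get a 401 from nginx and
    # never learn what is behind the proxy.
    auth_basic           "restricted";
    auth_basic_user_file /etc/nginx/ha.htpasswd;

    location / {
        proxy_pass http://192.168.1.10:8123;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;      # HA's frontend uses websockets
        proxy_set_header Connection "upgrade";
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
```

Create the user file with `htpasswd -B -c /etc/nginx/ha.htpasswd someuser` (from apache2-utils). Home Assistant will only record the real client address on failed logins if its `http:` section sets `use_x_forwarded_for: true` and lists the proxy's IP under `trusted_proxies:`; without that, every failed attempt in the HA notification shows the proxy's LAN address.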
I had three thoughts in rapid succession.
- that’s a dangerous line of thinking
- I wonder who these security freaks are
- *looks at honeypot* Oh no, I’M the security freak.
That being said fearmongering is bad. Give people actual facts and let them decide for themselves.
LOL you made me laugh…
Anyway being security conscious is important, and better be safe than sorry…
Check the web server access logs. I’m sure you’ll see exploit attempts, but for software you’re not running. WordPress is what I see most often. Those probably won’t generate emails.
Yeah, literally all of mine these days are trying to go to /wp_admin.php and /phpmyadmin.
Side note: this made me think, “I wonder how the phpMyAdmin project is doing these days,” and wow, all of their corporate sponsors are online vape shops and places to buy fake social media followers. (https://www.phpmyadmin.net/) What the heck is going on there? I know that funding open source projects is almost impossible, so I understand taking whatever money you can get. But it looks pretty bad when phpMyAdmin is a huge target for bots trying to steal your database, and then the entire project seems to be sponsored by companies that need emails and passwords to create fake social media activity.
… that you know of.
I have crowdsec running on my caddy reverse proxy for my home server and it’s logging and blocking at least 10-20 hostile IP addresses trying to do port scans/other automated script hacks every day.
“The difference between attack and defense, is that you know your attacks are failing” -someone at a CCC.
Yes, it’s normal.
If you look at the logs, the bots are probably all trying to exploit some WordPress vulnerability or trying random passwords in /login.php.
If you have reverse proxy are you checking that set of logs or just the HA logs?
This was my thought. I highly doubt they are getting none, just not looking at the proxy logs.
I don’t think there are people attempting to log into HA, because it has zero value to them. HA would log failed login attempts but not bots trying other stuff. When I look into my web statistics for my rented server for March with 404 errors, I got over 750, and they try to access WordPress, find old (and probably not updated) stuff and some config files, like .env files. This kinda makes sense, and probably everybody would find this in their access logs. It’s just automated stuff and they probably run auto exploits. WordPress sites are interesting and it’s worth just getting access to a kinda serious email sender or just other stuff. My SSH blocklist currently has 14000 banned IPs. Not sure how I set it up, but it looks like I picked a 1 year ban time.
If you know where to look, you would see bots trying to enter your system, but you would see they aim big, not small. HA is small. Sure, if HA has a serious hole, you would get attacks from pranksters. Still, it is always a good idea to have proper security procedures for all of your accounts and servers. Most interesting are targets where they could find value within these services or using the hardware, but there are always people who just want to mess with someone. There are for example people who search the internet for Minecraft servers that they can grief the shit out of. Doesn’t matter if it’s a big professional server or just a server from 2 kiddos that play together after school.
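Several replies above (the WordPress/phpMyAdmin probes, the .env and 404 hits, and "are you checking the proxy logs or just the HA logs?") come down to the same point: HA only notifies on failures against its own login endpoints, so everything the proxy answers itself is invisible to it. Added example, not from any post in this thread: a small Python script that parses nginx "combined" access log lines, tags the scanner paths the thread mentions (plus a few other common ones), separates LAN from internet sources, and lists the internet IPs that probed more than once. The log lines are constructed for the example, the LAN ranges are an assumption about a typical home network, and the 444 status assumes a default server configured to close unmatched requests.

```python
import re
from collections import Counter, defaultdict
from ipaddress import ip_address, ip_network

# nginx "combined" format:
# $remote_addr - $remote_user [$time_local] "$request" $status $bytes "$referer" "$user_agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Scanner targets named in the thread (WordPress, phpMyAdmin, .env) plus a few
# other very common ones; order matters only for the label chosen.
PROBE_PATTERNS = [
    (re.compile(r"/(wp-(login|admin|content|includes)|xmlrpc\.php)", re.I), "wordpress"),
    (re.compile(r"/(phpmyadmin|pma|myadmin)\b", re.I), "phpmyadmin"),
    (re.compile(r"/\.env($|\.)", re.I), "dotenv"),
    (re.compile(r"/\.git/", re.I), "git-dir"),
    (re.compile(r"/(cgi-bin|boaform|HNAP1)/", re.I), "router-cgi"),
]

# Assumption: these are the home LAN ranges; anything else counts as internet.
LAN_NETWORKS = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"),
                ip_network("192.168.0.0/16"), ip_network("fd00::/8")]

HA_AUTH_PREFIX = "/auth/"   # only failures here can produce an HA notification

# Constructed sample lines, not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2025:02:14:03 +0000] "GET /wp-login.php HTTP/1.1" 404 153 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2025:02:14:04 +0000] "GET /wp-admin/ HTTP/1.1" 404 153 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2025:02:14:05 +0000] "GET /xmlrpc.php HTTP/1.1" 404 153 "-" "Mozilla/5.0"
198.51.100.23 - - [10/Mar/2025:03:01:11 +0000] "GET /phpmyadmin/ HTTP/1.1" 404 153 "-" "python-requests/2.31"
198.51.100.23 - - [10/Mar/2025:03:01:12 +0000] "GET /.env HTTP/1.1" 404 153 "-" "python-requests/2.31"
192.0.2.99 - - [10/Mar/2025:03:20:00 +0000] "GET / HTTP/1.1" 444 0 "-" "zgrab/0.x"
192.168.1.50 - - [10/Mar/2025:07:45:12 +0000] "GET /api/websocket HTTP/1.1" 101 0 "-" "HomeAssistant/2025.3"
192.168.1.50 - - [10/Mar/2025:07:45:13 +0000] "POST /auth/login_flow HTTP/1.1" 200 512 "-" "Mozilla/5.0"
"""


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    parts = rec["request"].split(" ")          # "GET /path HTTP/1.1" or "-"
    rec["method"] = parts[0] or "-"
    rec["path"] = parts[1] if len(parts) > 1 else "-"
    rec["status"] = int(rec["status"])
    return rec


def classify_path(path):
    """Probe category for a path, or None if it looks like normal use."""
    for pattern, label in PROBE_PATTERNS:
        if pattern.search(path):
            return label
    return None


def is_lan(ip):
    try:
        addr = ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in LAN_NETWORKS)


def summarize(log_text):
    s = {"total": 0, "unparsed": 0, "lan": 0, "login_attempts": 0,
         "dropped_by_proxy": 0,                    # status 444: nginx closed it, HA never saw it
         "probe_categories": Counter(), "probes_by_ip": defaultdict(Counter)}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            s["unparsed"] += 1
            continue
        s["total"] += 1
        s["lan"] += is_lan(rec["ip"])
        s["login_attempts"] += rec["path"].startswith(HA_AUTH_PREFIX)
        s["dropped_by_proxy"] += rec["status"] == 444
        category = classify_path(rec["path"])
        if category:
            s["probe_categories"][category] += 1
            s["probes_by_ip"][rec["ip"]][category] += 1
    return s


def hostile_ips(summary, threshold=2):
    """Internet-side IPs with at least `threshold` probe hits, sorted."""
    return sorted(ip for ip, cats in summary["probes_by_ip"].items()
                  if sum(cats.values()) >= threshold and not is_lan(ip))


if __name__ == "__main__":
    report = summarize(SAMPLE_LOG)
    print(f"{report['total']} requests, {report['login_attempts']} could have notified HA,"
          f" {report['dropped_by_proxy']} closed by the proxy")
    for ip in hostile_ips(report):
        print(ip, dict(report["probes_by_ip"][ip]))
```

On the sample data only one of eight requests (the /auth/login_flow POST from the LAN) could ever show up as an HA notification; the other seven, including all five scanner probes, are visible only in the proxy log. Run it against a real file with `summarize(open("/var/log/nginx/access.log").read())` and feed `hostile_ips()` to whatever blocklist you use.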
Doubt it; there are bots everywhere these days who’ll try anything they find. It’s part of why having 2FA is important, along with hidden accounts with things such as Jellyfin.
It’s possible to stream from Jellyfin without an account. Jellyfin should not be connected to untrusted networks, like the internet. Several APIs just don’t check the key or don’t require one in the first place.
Oof, ty for that, I’ll get to remedying it. Really wish the Jellyfin project took security a bit more seriously.
IIRC Jellyfin isn’t exactly intended to be operated outside of your home network like Plex is. There are workarounds of course, but the onus is on the user to secure it.