3d ago

Is it normal to not have any malicious login attempts?

cross-posted from: https://reddthat.com/post/39309359

I've been running Home Assistant for three years. It's port forwarded on default port 8123 via a reverse proxy in a dedicated VM serving it over HTTPS and is accessible over ipv4 and ipv6. All user accounts have MFA enabled.
I see a notification every time there's a failed login attempt, but every single one is either me or someone in my house. I've never seen a notification for any other attempts from the internet. Not a single one.
Is this normal? Or am I missing something? I expected it to be hammered with random failed logins.

25 comments

Yes, it's normal.
If you look at the logs, the bots are probably all trying to exploit some Webpress vulnerability or trying random passwords in /login.php.

Probably simply not a lucrative target for automated scanning/attacks, unlike e.g. ssh.
Edit: or WordPress. My logs are full of those, until Crowdsec hits.

Yes. The fearmongering of the security freaks is not necessarily true. We selfhosters are not big targets and nobody cares about our files or our devices.
Of course, until you get hacked.
But beside SMTP and ssh and known services like WordPress or PrestaShop there is little actual brute force bots trying hard.
- Agreed. The nonstandard port helps too. Most script kiddies aren't going to know your service even exists.
  Take it another step further and remove the default backend on your reverse proxy so that requests to anything but the correct DNS name are dropped (bots just are probing IPs) and you basically don't have to worry at all. Just make sure to keep your reverse proxy up to date.
  The reverse proxy ends up enabling security through obscurity, which shouldn't be your only line of defence, but it is an effective first line of defence especially for anyone who isn't a target of foreign government level of attacks.
  Adding basic auth to your reverse proxy endpoints extends that a whole lot further. Form based logins on your apps might be a lot prettier, but it's a lot harder to probe for what's running behind your proxy when every single URI just returns 401. I trust my reverse proxy doing basic auth a lot more than I trust some php login form.
  I always see posters on Lemmy about setting up elaborate VPN setups for as the only way to access internal services, but it seems like awful overkill to me.
  VPN still needed for some things that are inherently insecure or just should never be exposed to the outside, but if it is a web service with authentication required a reverse proxy is plenty of security for a home lab.
  
  100% agree.
  One point: use an SSO like authelia or authentic. Way better than basic auth and you get the fancy login form too preserving all the benefits, and you can also use OIDC with those services that require more complex setup for proper auth
- I had three thoughts in rapid succession.
  that's a dangerous line of thinking
  I wonder who these security freaks are
  looks at honeypot Oh no IM the security freak.
  That being said fearmongering is bad. Give people actual facts and let them decide for themselves.
  
  LOL you madre me laugh...
  Anyway being security conscious is important, and better be safe than sorry...

.... that you know of.
I have crowdsec running on my caddy reverse proxy for my home server and it's logging and blocking at least 10-20 hostile IP addresses trying to do port scans/other automated script hacks every day.
- "The difference between attack and defense, is that you know your attacks are failing" -someone at a CCC.

If you have reverse proxy are you checking that set of logs or just the HA logs?
- This way my thought, I highly doubt they are getting none, just not looking at the proxy logs.

Doubt it, there are bots everywhere these days who'll try anything they find. Its part of why having 2FA is important along with hidden accounts with things such as jellyfin.
- It's possible to stream from jellyfin without an account. Jellyfin should not be connected to untrusted networks, like the internet. Several API just don't check the key or don't require one in the first place.
  https://github.com/jellyfin/jellyfin/issues/5415
  
  Oof, ty for that ill get to remedying it. Really wish the jellyfin project took security a bit more seriously
  
  Do you know if having authelia as middleware for jellyfin solves this issue?

I'd assume you are missing a log source.

On my Synology NAS, I have it set to auto-block IPs after a few failed attempts. Some days, I'll have like 50 of those come through at a time (all random addresses from random countries). Other weeks or months can go by without a single one.
So, I think it's one of those "matter of time" deals, so as long as you are properly locked down, it should be viewed as normal.
- @Showroom7561 You are referring to incoming IPs? I get around 50 to 100 per day as well. Easily blocked. My bigger concern is outgoing connections by home automation devices on my network. I have over 200 lights, switches, and sensors of various brands, most of which try to “phone home” anywhere from daily to every few seconds. They are reporting (something) to data aggregation businesses that presumably are selling. Blocking some devices from Internet access (e.g., my Leviton light switches) causes the device to fail! Yet another case of companies stealing our personal data.
  
  Yes, incoming.
  Outgoing is another can of worms.
  I try to run any of my iot devices on an isolated network. At most, they can see eachother, and that's it.
  Some devices need an internet connection, unfortunately.
  The best you can do, if you're unable to block their collection outright, is to run them through a tracker-blocking DNS (either self-hosted or something like Adguard DNS).
  That can minimize unnecessary pings home.
  Personally, if I think that a device is being malicious in their attempts to phone home, I stop using the device. I also try to make an effort to not get a smart device, if the alternative (unconnected option) works fine.
  Digital minimalism is one way to protect ourselves from rampant data collection and profiling.

Might need more info about your setup. The reverse proxy probably has some logs you aren't looking at. Most bots from what I've seen do ip:port scans hitting every ip and every port. Nginx reverse proxy manager or something similar isn't going to forward ip:8123 to home assistant. A straight router port forward will, but the reverse proxy manager will look at the domain GET request for https://ha.hit_the_rails.net to your LAN ip:port. It's a little security through obscurity as they have to know your sub+domain.
For a time I had port 22 open and forwarded directly to a server. Constant bot traffic. Changed the port, put an ssh honeypot on 22, and it almost completely went away. Sure the bots could be smart enough to scan and find another open ssh port, but they rarely did. I assume because anyone savvy enough to change the ssh port is savvy enough to not allow default logins like ubnt:ubnt and root:1234 which were by far the most common logins I got in the honeypot.

How do you connect? Is there a domain? Is that domain used for email or any other way that it might circulate?
Also, depends on if the IP address was used for something in the past that was useful to target or not. And finally do you use that IP address outbound a lot, like do you connect to a lot of other services, websites, etc. And finally, does your ISP have geolocation blocks or other filters in place?
It's rare for a process to just scan through all possible IP addresses to find a vulnerable service, there are billions and that would take a very long time. Usually, they use lists of known targets or scan through the addresses owned by certain ISPs. So if you don't have a domain, or that domain is not used for anything else, and you IP address has never gotten on a list in the past, then it's less likely you'll get targeted. But that's no reason to lower your guard. Security through obscurity is only a contributory strategy. Once that obscurity is broken, you're a prime target if anything is vulnerable. New targets get the most attention as they often fix their vulnerabilities once discovered so it has to be used fast, but tend to be the easiest to get lots of goodies out of. Like the person who lives on a side street during trick-or-treat that gives out handfuls of candy to get rid of it fast enough. Once the kids find out, they swarm. Lol

I don't think there are people attempting to log into HA, because it has zero value to them. HA would log failed login attempts but not bots trying other stuff. When I look into my web statistics for my rented server for march with 404 errors, I got over 750 and they try to access wordpress, find old (and probably not updated) stuff and some config files, like .env files. This kinda makes sense and probably would find everybody in their access logs. Its just automated stuff and they probably run auto exploits. Wordpress sites are interesting and its worth just getting access to a kinda serious email sender or just other stuff. My ssh blocklist currently has 14000 banned IPs. Might not sure how I set it up, but it looks I picked 1 year ban time.
If you know where to look, you would see bots trying to enter your system but you would see they aim big, not small. HA is small. Sure if HA has a serious hole, you would get attacks from pranksters. Still is always a good idea to have proper security procedures for all of your accounts and servers. Most interesting are targets where they could find value within these services or using the hardware but there are always people who just want to mess with someone. There are for example people who search the internet for Minecraft servers, that they can grieve the shit out of it. Doesn't matter if its a big professional server or just a server from 2 kiddos, that play together after school.

I would find it odd. I am always shocked when I look up an ip at AbuseIPDB and find it has no history. Bots scan everything, even the most innocuous ioT devices.

25 comments