cross-posted from: https://reddthat.com/post/39309359

I’ve been running Home Assistant for three years. It’s port forwarded on default port 8123 via a reverse proxy in a dedicated VM serving it over HTTPS and is accessible over IPv4 and IPv6. All user accounts have MFA enabled.

I see a notification every time there’s a failed login attempt, but every single one is either me or someone in my house. I’ve never seen a notification for any other attempts from the internet. Not a single one.

Is this normal? Or am I missing something? I expected it to be hammered with random failed logins.

  • mmddmm@lemm.ee · 31 points · 22 days ago

    Yes, it’s normal.

    If you look at the logs, the bots are probably all trying to exploit some WordPress vulnerability or trying random passwords in /login.php.

  • JASN_DE@feddit.org · 25 points · 22 days ago (edited)

    Probably simply not a lucrative target for automated scanning/attacks, unlike e.g. ssh.

    Edit: or WordPress. My logs are full of those, until Crowdsec hits.

  • catloaf@lemm.ee · 10 points · 22 days ago

    Check the web server access logs. I’m sure you’ll see exploit attempts, but for software you’re not running. WordPress is what I see most often. Those probably won’t generate emails.

    • irmadlad@lemmy.world · 2 points · 22 days ago

      What is it about WordPress? I’ve never used it, but it seems that every other day there is a new WordPress exploit, and that’s been going on for years.

      • slazer2au@lemmy.world · 2 points · 21 days ago

        I think of it like Bethesda games.

        It’s passable for what you want, but the real value is the plugins that can fix what problems you have.

        But all those plugins also have security vulnerabilities that need to be managed.

        Just don’t look behind the curtain to see what the CEO is up to.

        • irmadlad@lemmy.world · 2 points · 21 days ago

          Just don’t look behind the curtain to see what the CEO is up to.

          Had to go look it up. What a cluster. Anyways, I don’t blog, mainly because I don’t have anything to say that people would be interested in. Maybe farming. LOL. I’ve just wondered down through the years why someone didn’t fix all the attack surfaces WordPress seems to have. Plus it drives a substantial share of websites, so I guess it’s a good target to go after.

  • The Zen Cow Says Mu@infosec.pub · 7 up / 2 down · 21 days ago

    … that you know of.

    I have crowdsec running on my caddy reverse proxy for my home server and it’s logging and blocking at least 10-20 hostile IP addresses trying to do port scans/other automated script hacks every day.

  • BCsven@lemmy.ca · 4 points · 22 days ago

    If you have reverse proxy are you checking that set of logs or just the HA logs?

  • Hansae@lemmy.dbzer0.com · 4 up / 1 down · 22 days ago

    Doubt it, there are bots everywhere these days who’ll try anything they find. It’s part of why having 2FA is important, along with hidden accounts with things such as Jellyfin.

      • Hansae@lemmy.dbzer0.com · 4 points · 22 days ago (edited)

        Oof, ty for that, I’ll get to remedying it. Really wish the Jellyfin project took security a bit more seriously.

        • bobs_monkey@lemm.ee · 2 points · 21 days ago

          Iirc Jellyfin isn’t exactly intended to be operated outside of your home network like Plex is. There are workarounds of course, but the onus is on the user to secure it.

  • ZeldaFreak@lemmy.world · 3 up / 1 down · 22 days ago

    I don’t think there are people attempting to log into HA, because it has zero value to them. HA would log failed login attempts but not bots trying other stuff. When I look into my web statistics for my rented server for March with 404 errors, I got over 750, and they try to access WordPress, find old (and probably not updated) stuff and some config files, like .env files. This kinda makes sense and probably everybody would find it in their access logs. It’s just automated stuff and they probably run auto exploits. WordPress sites are interesting and it’s worth just getting access to a kinda serious email sender or just other stuff. My ssh blocklist currently has 14000 banned IPs. I’m not sure how I set it up, but it looks like I picked 1 year ban time.

    If you know where to look, you would see bots trying to enter your system, but you would see they aim big, not small. HA is small. Sure, if HA has a serious hole, you would get attacks from pranksters. Still, it is always a good idea to have proper security procedures for all of your accounts and servers. Most interesting are targets where they could find value within these services or using the hardware, but there are always people who just want to mess with someone. There are for example people who search the internet for Minecraft servers that they can grief the shit out of. Doesn’t matter if it’s a big professional server or just a server from 2 kiddos that play together after school.
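    catloaf and ZeldaFreak both make the same point: the bot traffic never reaches HA's failed-login notifications, it shows up in the reverse proxy's access log as requests for software the host isn't running. The script below is an added example, not code from this thread, from Home Assistant or from any proxy project; it assumes the proxy writes Combined Log Format lines (the nginx/Apache default; Caddy logs JSON unless configured otherwise), the probe path list is my own, and the log lines are constructed for illustration.

```python
import re
from collections import Counter, defaultdict

# Combined Log Format: ip - user [time] "METHOD path HTTP/x" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

# Paths belonging to software this host does not run (assumed list): any hit is a probe,
# so it is classified regardless of the status code the proxy returned.
PROBE_PATTERNS = [
    (r'^/wp-(login|admin|content|includes)', 'wordpress'),
    (r'xmlrpc\.php$', 'wordpress'),
    (r'^/login\.php$', 'php-login'),
    (r'/\.env$', 'dotenv'),
    (r'/\.git/', 'git'),
]

# Constructed sample: one real HA client (192.0.2.10) and two scanners (TEST-NET addresses).
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2025:02:14:03 +0000] "GET /wp-login.php HTTP/1.1" 404 153 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2025:02:14:04 +0000] "POST /xmlrpc.php HTTP/1.1" 404 153 "-" "Mozilla/5.0"
198.51.100.22 - - [10/Mar/2025:02:20:11 +0000] "GET /.env HTTP/1.1" 404 153 "-" "python-requests/2.31"
192.0.2.10 - - [10/Mar/2025:07:01:55 +0000] "GET /lovelace/0 HTTP/2.0" 200 1412 "-" "Mozilla/5.0"
192.0.2.10 - - [10/Mar/2025:07:01:56 +0000] "POST /auth/login_flow HTTP/2.0" 200 312 "-" "Mozilla/5.0"
198.51.100.22 - - [10/Mar/2025:02:20:12 +0000] "GET /.git/config HTTP/1.1" 404 153 "-" "python-requests/2.31"
"""


def parse_line(line):
    """Return the fields of one access-log line, or None if it is not in Combined format."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def classify_path(path):
    """Label a request path as a known probe type, or None for ordinary traffic."""
    bare = path.split('?', 1)[0]  # ignore the query string when matching
    for pattern, label in PROBE_PATTERNS:
        if re.search(pattern, bare):
            return label
    return None


def triage(log_text):
    """Map each client IP that sent at least one probe to a Counter of probe labels."""
    probes = defaultdict(Counter)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # unparsable line; a real run should count these too
        label = classify_path(rec['path'])
        if label:
            probes[rec['ip']][label] += 1
    return dict(probes)
```

    Feed it `access.log` for a day and the result is the per-IP view of scanner noise that HA's own login notifications never surface; the 404 lines ZeldaFreak counts come out grouped by what the bot was looking for.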

  • Showroom7561@lemmy.ca · 2 points · 22 days ago

    On my Synology NAS, I have it set to auto-block IPs after a few failed attempts. Some days, I’ll have like 50 of those come through at a time (all random addresses from random countries). Other weeks or months can go by without a single one.

    So, I think it’s one of those “matter of time” deals, so as long as you are properly locked down, it should be viewed as normal.

  • irmadlad@lemmy.world · 2 points · 22 days ago

    I would find it odd. I am always shocked when I look up an IP at AbuseIPDB and find it has no history. Bots scan everything, even the most innocuous IoT devices.