mirror of
https://github.com/home-assistant/home-assistant.io.git
synced 2025-07-13 20:36:52 +00:00
Add Security section (#5459)
* Update sentence
* Move fingerprint docs
* Add more details
* Add new section
* Add content for new security section
parent f96a49ba26
commit 36d3f1087f
41
source/_docs/security.markdown
Normal file
@ -0,0 +1,41 @@
---
layout: page
title: "Security of Home Assistant"
description: "Security of Home Assistant."
date: 2017-02-13 12:50
sidebar: true
comments: false
sharing: true
footer: true
---

As Home Assistant is like every other service or daemon that is running on a computer system that allows access over a network connection, certain measurement were taken to increase the overall security while still staying operational.

[Secure your installation](/docs/configuration/securing/) once you've finished with the installation process regardless of your use case.

Home Assistant is NOT able to change the configuration of your router or firewall. This means that you need to setup [port-forwarding](/docs/configuration/remote/) and adjusting firewall rules if you want to allow access from the internet. By default your frontend and your Hass.io add-ons like Mosquitto, SSH and your Samba shares are only accessible from your local network.

## {% linkable_title Server banner %}

Further [details about the fingerprint/server banner](/docs/security/webserver/) of a Home Assistant instance are available.

## {% linkable_title Porosity %}

The default port of Home Assistant is 8123. This is the port where the [`frontend`](/components/frontend/) and the [`API`](/components/api/) is served. Both are depending on the [`http`](/components/http/) component which contains the capability to adjust the settings like `server_host` or `server_port`.

See the [open ports](/docs/security/porosity/) of a Hass.io instance with various add-ons.

## {% linkable_title HTTP SSL/TLS %}

Home Assistant is following the [Mozilla's Operations Security team recommendations](https://wiki.mozilla.org/Security/Server_Side_TLS) for Server side SSL/TLS settings. To allow the users to access Home Assistant with most devices the target is **Intermediate compatibility**.

## {% linkable_title SSH %}

The SSH connection for [debugging](https://developers.home-assistant.io/docs/en/hassio_debugging.html) on port 22222 is not enabled by default and can only be used with keys.

Is SSH used with the [SSH server add-on](/addons/ssh/) then the user is responsible for the configuration and security.

## {% linkable_title Source code %}

Due to the lack of resources we are not able to review all of our dependencies and inspect them for malicious behavior, leakage of information or compliance with GDPR. But we have a keen interest in the development of our dependencies are try to work closely with the upstream developer.

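Review bot: the `## {% linkable_title HTTP SSL/TLS %}` section names the Mozilla Intermediate compatibility target but gives no pointer to where a certificate is configured, while the `## {% linkable_title Porosity %}` section two headings earlier already links the [`http`](/components/http/) component for `server_host` and `server_port`; link the `http` component from the TLS section as well so readers can find the settings the recommendation applies to. Wording in the same file: "certain measurement were taken" should read "certain measures were taken"; "you need to setup [port-forwarding] and adjusting firewall rules" should read "you need to set up port-forwarding and adjust firewall rules"; "Is SSH used with the SSH server add-on then" should read "If SSH is used with the SSH server add-on, then"; "are try to work closely" should read "and try to work closely".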
195
source/_docs/security/porosity.markdown
Normal file
@ -0,0 +1,195 @@
---
layout: page
title: "Home Assistant/Hass.io porosity"
description: "Use nmap to scan your Home Assistant instance."
date: 2016-10-06 08:00
sidebar: true
comments: false
sharing: true
footer: true
---

As a large amount of users are running [Hass.io](/hassio/), here we are using a Raspberry Pi 3 B and Hass.io 0.70.0 to show how Home Assistant looks from the network side. This is not a full blown investigation, just a quick overview.

The IP address of the Home Assistant machine is 192.168.0.215. The system which is the source of the scans is a machine running Fedora 27 and Nmap 7.60 is used to preform the port scans. Both systems are in the same network.

## {% linkable_title SSH server Add-on %}

To get access to Hass.io in secure way, SSH is provided by the [SSH server add-on](/addons/ssh/).

```bash
$ sudo nmap -A -n --reason -Pn -T5 -p1-65535 192.168.0.215

Starting Nmap 7.60 ( https://nmap.org ) at 2018-05-29 15:08 CEST
Nmap scan report for 192.168.0.215
Host is up, received arp-response (0.00051s latency).
Not shown: 65532 closed ports
Reason: 65532 resets
PORT STATE SERVICE REASON VERSION
22/tcp open ssh syn-ack ttl 63 OpenSSH 7.5 (protocol 2.0)
| ssh-hostkey:
| 2048 e3:a2:2d:20:3a:67:68:b9:b1:9e:16:fa:48:80:82:96 (RSA)
| 256 92:f0:f4:be:4f:44:60:0e:c4:92:8a:cb:34:9e:c5:c2 (ECDSA)
|_ 256 09:da:a2:14:cd:c4:69:e9:13:e6:70:64:98:d0:55:0c (EdDSA)
8123/tcp open http syn-ack ttl 64 aiohttp 3.1.3 (Python 3.6)
|_http-open-proxy: Proxy might be redirecting requests
| http-robots.txt: 1 disallowed entry
|_/
|_http-server-header: Python/3.6 aiohttp/3.1.3
|_http-title: Home Assistant
22222/tcp open ssh syn-ack ttl 64 Dropbear sshd 2016.74 (protocol 2.0)
MAC Address: B8:41:CD:4B:7A:5D (Raspberry Pi Foundation)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.8
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE
HOP RTT ADDRESS
1 0.51 ms 192.168.0.215

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 726.23 seconds
```

That port 22 and 8123 are open was expected. On port 22222 is an additional SSH server running. This port is for [debugging](https://developers.home-assistant.io/docs/en/hassio_debugging.html) and supports only a login with a key. This means that you would need to remove the SD card from your Raspberry Pi, create an `authorized_keys` with your SSH public key in it and put the SD Card back in your Pi to get access.

## {% linkable_title Mosquitto MQTT broker Add-on %}

While setting up the [Mosquitto MQTT broker add-on](/addons/mosquitto/) no settings very modified, the add-on was running with the default settings.

```bash
$ sudo nmap -A -n --reason -Pn -T5 -p1-65535 192.168.0.215

Starting Nmap 7.60 ( https://nmap.org ) at 2018-05-29 15:52 CEST
Nmap scan report for 192.168.0.215
Host is up, received arp-response (0.0011s latency).
Not shown: 65532 closed ports
Reason: 65532 resets
PORT STATE SERVICE REASON VERSION
1883/tcp open mosquitto version 1.4.12 syn-ack ttl 63
| mqtt-subscribe:
| Topics and their most recent payloads:
| $SYS/broker/load/connections/5min: 0.39
[...]
| $SYS/broker/load/connections/15min: 0.13
|_ $SYS/broker/clients/total: 2
8123/tcp open http syn-ack ttl 64 aiohttp 3.1.3 (Python 3.6)
|_http-open-proxy: Proxy might be redirecting requests
| http-robots.txt: 1 disallowed entry
|_/
|_http-server-header: Python/3.6 aiohttp/3.1.3
|_http-title: Home Assistant
22222/tcp open ssh syn-ack ttl 64 Dropbear sshd 2016.74 (protocol 2.0)
MAC Address: B8:41:CD:4B:7A:5D (Raspberry Pi Foundation)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.8
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE
HOP RTT ADDRESS
1 1.13 ms 192.168.0.215

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 223.76 seconds
```

To secure MQTT to consider to use certificates and to specify users with password under `logins:` at least. Use port 1883 only in your local network.

## {% linkable_title Samba Add-on %}

The [Samba add-on](/addons/samba/) enables one to use a Windows system to access the configuration and other shares. Per default there is no user set. To increase your local security we strongly suggest that you set a username and a password and don't allow guests. A sample configuration could look like the one below.

A port scan for Hass.io with this add-on will give you the details.

```bash
$ sudo nmap -A -n --reason -Pn -T5 -p1-65535 192.168.0.215

Starting Nmap 7.60 ( https://nmap.org ) at 2018-05-29 16:29 CEST
Host is up, received arp-response (0.00045s latency).
Not shown: 65523 closed ports
Reason: 65523 resets
PORT STATE SERVICE REASON VERSION
139/tcp open netbios-ssn syn-ack ttl 64 Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open netbios-ssn syn-ack ttl 64 Samba smbd 4.7.3 (workgroup: WORKGROUP)
8123/tcp open http syn-ack ttl 64 aiohttp 3.1.3 (Python 3.6)
|_http-open-proxy: Proxy might be redirecting requests
| http-robots.txt: 1 disallowed entry
|_/
|_http-server-header: Python/3.6 aiohttp/3.1.3
|_http-title: Home Assistant
22222/tcp open ssh syn-ack ttl 64 Dropbear sshd 2016.74 (protocol 2.0)
MAC Address: B8:41:CD:4B:7A:5D (Raspberry Pi Foundation)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.8
Network Distance: 1 hop
Service Info: Host: HASSIO; OS: Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
|_nbstat: NetBIOS name: HASSIO, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| smb-os-discovery:
| OS: Windows 6.1 (Samba 4.7.3)
| Computer name: \x00
| NetBIOS computer name: HASSIO\x00
| Workgroup: WORKGROUP\x00
|_ System time: 2018-05-29T16:41:05+02:00
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
| smb2-security-mode:
| 2.02:
|_ Message signing enabled but not required
| smb2-time:
| date: 2018-05-29 16:41:05
|_ start_date: 1601-01-01 00:53:28

TRACEROUTE
HOP RTT ADDRESS
1 0.46 ms 192.168.0.215

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 727.43 seconds
```

139 and 445 are open and it's possible to enumerate the shares. With different tools you will get pretty much the same information.

```bash
$ smbclient -L //192.168.0.215 -U%

Sharename Type Comment
--------- ---- -------
config Disk
addons Disk
share Disk
backup Disk
IPC$ IPC
IPC Service (Samba HomeAssistant config share)
Reconnecting with SMB1 for workgroup listing.

Server Comment
--------- -------

Workgroup Master
--------- -------
WORKGROUP HASSIO
```

But without username and password you can't get access to the configuration file with the settings shown here.

```json
[...]
"guest": false,
"username": "homeassistant",
"password": "homeassistant",
"interface": "eth0"
}
```
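Review bot: the Samba sample configuration at the end of the file sets `"password": "homeassistant"`, identical to the username, directly after the text tells readers to set a username and password; use an obvious placeholder such as `"password": "CHANGE_ME"` or add a sentence that this value must be replaced. The sentence "A sample configuration could look like the one below." in the Samba paragraph points at a block that only appears after the nmap and smbclient output, so move it next to the JSON block or reword it. The `smb-security-mode` result (`message_signing: disabled (dangerous, but default)`) and the `mqtt-subscribe` listing, which the scan obtained from the default-configured broker without any credentials on the command line, are shown but not commented on; one sentence on each would make the point of the scans explicit. Wording: "preform" should read "perform"; "no settings very modified" should read "no settings were modified"; "To secure MQTT to consider to use certificates" should read "To secure MQTT, consider using certificates"; "Per default" should read "By default".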
@ -7,7 +7,7 @@ sidebar: true
comments: false
sharing: true
footer: true
redirect_from: /details/webserver/
redirect_from: /docs/frontend/webserver/
---

It was only a matter of time until the first queries for tools like [https://www.shodan.io](https://www.shodan.io/search?query=Home+Assistant) to search for Home Assistant instances showed up.
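Review bot: the hunk header `@ -7,7 +7,7 @@` shows one front-matter line replaced by another, so if `redirect_from: /details/webserver/` is the line being dropped in favour of `redirect_from: /docs/frontend/webserver/`, the older URL stops redirecting; Jekyll's `redirect_from` accepts a YAML list, so keep both entries (`redirect_from:` followed by `- /details/webserver/` and `- /docs/frontend/webserver/`). Two `redirect_from:` keys in one mapping would also be a duplicate-key problem, so the list form is the right fix either way.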
@ -36,6 +36,19 @@ PORT STATE SERVICE VERSION
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 12.13 seconds

```

We don't have an unique server banner but in combination with the HTML title `Home Assistant`, is it simple to identify Home Assistant instances.

```bash
$ nc 192.168.0.3 8123
GET / HTTP/1.1
host: localhost

HTTP/1.1 200 OK
Server: Python/3.6 aiohttp/3.1.3
[...]
```

One option to avoid this exposure is using a [reverse proxy](/docs/ecosystem/nginx/).
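Review bot: the closing sentence "One option to avoid this exposure is using a reverse proxy" overstates what a proxy does: it replaces the `Server: Python/3.6 aiohttp/3.1.3` header with its own, but the HTML title `Home Assistant` named two paragraphs earlier is passed through unchanged, so say the proxy hides the server banner rather than the exposure as a whole. Wording: "We don't have an unique server banner but in combination with the HTML title `Home Assistant`, is it simple to identify" should read "We don't have a unique server banner, but in combination with the HTML title `Home Assistant` it is simple to identify".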
@ -63,7 +63,6 @@
<b>{% active_link /docs/frontend/ Frontend %}</b>
<ul>
<li>{% active_link /docs/frontend/mobile/ Android/iOS Homescreen %}</li>
<li>{% active_link /docs/frontend/webserver/ Web server fingerprint %}</li>
<li>{% active_link /docs/frontend/browsers/ Browser Compatibility List %}</li>
</ul>
</li>
@ -98,6 +97,13 @@
<li>{% active_link /docs/tools/keyring/ keyring %}</li>
</ul>
</li>
<li>
<b>{% active_link /docs/security/ Security %}</b>
<ul>
<li>{% active_link /docs/security/webserver/ Web server fingerprint %}</li>
<li>{% active_link /docs/security/porosity/ Porosity %}</li>
</ul>
</li>
<li>
<b>{% active_link /docs/z-wave/ Z-Wave %}</b>
<ul>
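Review bot: the new sidebar entry labels `/docs/security/webserver/` as "Web server fingerprint", while the heading added to `source/_docs/security.markdown` in this same commit is "Server banner" and its link text reads "fingerprint/server banner"; settle on one term for the menu, the heading and the link so readers recognise that all three lead to the same page.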