Add Security section (#5459)

* Update sentence

* Move fingerprint docs

* Add more details

* Add new section

* Add content for new security section
Fabian Affolter 2018-05-30 15:59:06 +02:00 committed by GitHub
parent f96a49ba26
commit 36d3f1087f
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
4 changed files with 258 additions and 3 deletions


@ -0,0 +1,41 @@
---
layout: page
title: "Security of Home Assistant"
description: "Security of Home Assistant."
date: 2017-02-13 12:50
sidebar: true
comments: false
sharing: true
footer: true
---
As Home Assistant is like every other service or daemon that is running on a computer system that allows access over a network connection, certain measurement were taken to increase the overall security while still staying operational.
[Secure your installation](/docs/configuration/securing/) once you've finished with the installation process regardless of your use case.
Home Assistant is NOT able to change the configuration of your router or firewall. This means that you need to setup [port-forwarding](/docs/configuration/remote/) and adjusting firewall rules if you want to allow access from the internet. By default your frontend and your Hass.io add-ons like Mosquitto, SSH and your Samba shares are only accessible from your local network.
## {% linkable_title Server banner %}
Further [details about the fingerprint/server banner](/docs/security/webserver/) of a Home Assistant instance are available.
## {% linkable_title Porosity %}
The default port of Home Assistant is 8123. This is the port where the [`frontend`](/components/frontend/) and the [`API`](/components/api/) is served. Both are depending on the [`http`](/components/http/) component which contains the capability to adjust the settings like `server_host` or `server_port`.
See the [open ports](/docs/security/porosity/) of a Hass.io instance with various add-ons.
## {% linkable_title HTTP SSL/TLS %}
Home Assistant is following the [Mozilla's Operations Security team recommendations](https://wiki.mozilla.org/Security/Server_Side_TLS) for Server side SSL/TLS settings. To allow the users to access Home Assistant with most devices the target is **Intermediate compatibility**.
## {% linkable_title SSH %}
The SSH connection for [debugging](https://developers.home-assistant.io/docs/en/hassio_debugging.html) on port 22222 is not enabled by default and can only be used with keys.
Is SSH used with the [SSH server add-on](/addons/ssh/) then the user is responsible for the configuration and security.
## {% linkable_title Source code %}
Due to the lack of resources we are not able to review all of our dependencies and inspect them for malicious behavior, leakage of information or compliance with GDPR. But we have a keen interest in the development of our dependencies are try to work closely with the upstream developer.
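Review bot: several sentences in this new page need grammar fixes before it ships. In the intro, "certain measurement were taken" should read "certain measures were taken", and "you need to setup port-forwarding and adjusting firewall rules" should read "you need to set up port-forwarding and adjust firewall rules". In the SSH section, "Is SSH used with the SSH server add-on then the user is responsible" should be "If SSH is used with the SSH server add-on, the user is responsible". In the Source code section, "are try to work closely with the upstream developer" should be "and try to work closely with the upstream developers". The front matter also carries `date: 2017-02-13 12:50` for a page created in this commit (2018-05-30); either update the date or note that the text was moved from an older page.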


@ -0,0 +1,195 @@
---
layout: page
title: "Home Assistant/Hass.io porosity"
description: "Use nmap to scan your Home Assistant instance."
date: 2016-10-06 08:00
sidebar: true
comments: false
sharing: true
footer: true
---
As a large amount of users are running [Hass.io](/hassio/), here we are using a Raspberry Pi 3 B and Hass.io 0.70.0 to show how Home Assistant looks from the network side. This is not a full blown investigation, just a quick overview.
The IP address of the Home Assistant machine is 192.168.0.215. The system which is the source of the scans is a machine running Fedora 27 and Nmap 7.60 is used to preform the port scans. Both systems are in the same network.
## {% linkable_title SSH server Add-on %}
To get access to Hass.io in secure way, SSH is provided by the [SSH server add-on](/addons/ssh/).
```bash
$ sudo nmap -A -n --reason -Pn -T5 -p1-65535 192.168.0.215
Starting Nmap 7.60 ( https://nmap.org ) at 2018-05-29 15:08 CEST
Nmap scan report for 192.168.0.215
Host is up, received arp-response (0.00051s latency).
Not shown: 65532 closed ports
Reason: 65532 resets
PORT STATE SERVICE REASON VERSION
22/tcp open ssh syn-ack ttl 63 OpenSSH 7.5 (protocol 2.0)
| ssh-hostkey:
| 2048 e3:a2:2d:20:3a:67:68:b9:b1:9e:16:fa:48:80:82:96 (RSA)
| 256 92:f0:f4:be:4f:44:60:0e:c4:92:8a:cb:34:9e:c5:c2 (ECDSA)
|_ 256 09:da:a2:14:cd:c4:69:e9:13:e6:70:64:98:d0:55:0c (EdDSA)
8123/tcp open http syn-ack ttl 64 aiohttp 3.1.3 (Python 3.6)
|_http-open-proxy: Proxy might be redirecting requests
| http-robots.txt: 1 disallowed entry
|_/
|_http-server-header: Python/3.6 aiohttp/3.1.3
|_http-title: Home Assistant
22222/tcp open ssh syn-ack ttl 64 Dropbear sshd 2016.74 (protocol 2.0)
MAC Address: B8:41:CD:4B:7A:5D (Raspberry Pi Foundation)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.8
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
TRACEROUTE
HOP RTT ADDRESS
1 0.51 ms 192.168.0.215
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 726.23 seconds
```
That port 22 and 8123 are open was expected. On port 22222 is an additional SSH server running. This port is for [debugging](https://developers.home-assistant.io/docs/en/hassio_debugging.html) and supports only a login with a key. This means that you would need to remove the SD card from your Raspberry Pi, create an `authorized_keys` with your SSH public key in it and put the SD Card back in your Pi to get access.
## {% linkable_title Mosquitto MQTT broker Add-on %}
While setting up the [Mosquitto MQTT broker add-on](/addons/mosquitto/) no settings very modified, the add-on was running with the default settings.
```bash
$ sudo nmap -A -n --reason -Pn -T5 -p1-65535 192.168.0.215
Starting Nmap 7.60 ( https://nmap.org ) at 2018-05-29 15:52 CEST
Nmap scan report for 192.168.0.215
Host is up, received arp-response (0.0011s latency).
Not shown: 65532 closed ports
Reason: 65532 resets
PORT STATE SERVICE REASON VERSION
1883/tcp open mosquitto version 1.4.12 syn-ack ttl 63
| mqtt-subscribe:
| Topics and their most recent payloads:
| $SYS/broker/load/connections/5min: 0.39
[...]
| $SYS/broker/load/connections/15min: 0.13
|_ $SYS/broker/clients/total: 2
8123/tcp open http syn-ack ttl 64 aiohttp 3.1.3 (Python 3.6)
|_http-open-proxy: Proxy might be redirecting requests
| http-robots.txt: 1 disallowed entry
|_/
|_http-server-header: Python/3.6 aiohttp/3.1.3
|_http-title: Home Assistant
22222/tcp open ssh syn-ack ttl 64 Dropbear sshd 2016.74 (protocol 2.0)
MAC Address: B8:41:CD:4B:7A:5D (Raspberry Pi Foundation)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.8
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
TRACEROUTE
HOP RTT ADDRESS
1 1.13 ms 192.168.0.215
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 223.76 seconds
```
To secure MQTT to consider to use certificates and to specify users with password under `logins:` at least. Use port 1883 only in your local network.
## {% linkable_title Samba Add-on %}
The [Samba add-on](/addons/samba/) enables one to use a Windows system to access the configuration and other shares. Per default there is no user set. To increase your local security we strongly suggest that you set a username and a password and don't allow guests. A sample configuration could look like the one below.
A port scan for Hass.io with this add-on will give you the details.
```bash
$ sudo nmap -A -n --reason -Pn -T5 -p1-65535 192.168.0.215
Starting Nmap 7.60 ( https://nmap.org ) at 2018-05-29 16:29 CEST
Host is up, received arp-response (0.00045s latency).
Not shown: 65523 closed ports
Reason: 65523 resets
PORT STATE SERVICE REASON VERSION
139/tcp open netbios-ssn syn-ack ttl 64 Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open netbios-ssn syn-ack ttl 64 Samba smbd 4.7.3 (workgroup: WORKGROUP)
8123/tcp open http syn-ack ttl 64 aiohttp 3.1.3 (Python 3.6)
|_http-open-proxy: Proxy might be redirecting requests
| http-robots.txt: 1 disallowed entry
|_/
|_http-server-header: Python/3.6 aiohttp/3.1.3
|_http-title: Home Assistant
22222/tcp open ssh syn-ack ttl 64 Dropbear sshd 2016.74 (protocol 2.0)
MAC Address: B8:41:CD:4B:7A:5D (Raspberry Pi Foundation)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.8
Network Distance: 1 hop
Service Info: Host: HASSIO; OS: Linux; CPE: cpe:/o:linux:linux_kernel
Host script results:
|_nbstat: NetBIOS name: HASSIO, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| smb-os-discovery:
| OS: Windows 6.1 (Samba 4.7.3)
| Computer name: \x00
| NetBIOS computer name: HASSIO\x00
| Workgroup: WORKGROUP\x00
|_ System time: 2018-05-29T16:41:05+02:00
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
| smb2-security-mode:
| 2.02:
|_ Message signing enabled but not required
| smb2-time:
| date: 2018-05-29 16:41:05
|_ start_date: 1601-01-01 00:53:28
TRACEROUTE
HOP RTT ADDRESS
1 0.46 ms 192.168.0.215
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 727.43 seconds
```
139 and 445 are open and it's possible to enumerate the shares. With different tools you will get pretty much the same information.
```bash
$ smbclient -L //192.168.0.215 -U%
Sharename Type Comment
--------- ---- -------
config Disk
addons Disk
share Disk
backup Disk
IPC$ IPC
IPC Service (Samba HomeAssistant config share)
Reconnecting with SMB1 for workgroup listing.
Server Comment
--------- -------
Workgroup Master
--------- -------
WORKGROUP HASSIO
```
But without username and password you can't get access to the configuration file with the settings shown here.
```json
[...]
"guest": false,
"username": "homeassistant",
"password": "homeassistant",
"interface": "eth0"
}
```
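Review bot: the sample Samba configuration at the end of this page uses `"password": "homeassistant"`, identical to the username, directly under a paragraph that urges readers to set a username and password; readers copy such samples, so replace it with an obvious placeholder such as `"password": "<choose-a-strong-password>"`. Two points in the scan output: the Samba scan reports `Not shown: 65523 closed ports` but lists only four open ports, leaving eight unaccounted for, and it also lacks the `Nmap scan report for` line present in the other two scans, so it looks truncated; add a `[...]` marker as in the MQTT block or paste the complete output. In the MQTT section, the `mqtt-subscribe` output (`$SYS/broker/...` topics returned to an unauthenticated scanner) is the evidence that the default add-on accepts anonymous connections; say so next to the recommendation so the reader links the two. The Samba prose says "A sample configuration could look like the one below" but the sample JSON appears only after the scan and `smbclient` output; move the sample up or reword. Grammar: "preform the port scans" should be "perform the port scans", "in secure way" should be "in a secure way", "no settings very modified" should be "no settings were modified", and "To secure MQTT to consider to use certificates and to specify users with password under `logins:` at least" should read "To secure MQTT, consider using certificates and at least specify users with passwords under `logins:`".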


@ -7,7 +7,7 @@ sidebar: true
comments: false
sharing: true
footer: true
redirect_from: /details/webserver/
redirect_from: /docs/frontend/webserver/
---
It was only a matter of time until the first queries for tools like [https://www.shodan.io](https://www.shodan.io/search?query=Home+Assistant) to search for Home Assistant instances showed up.
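Review bot: this hunk replaces `redirect_from: /details/webserver/` with `redirect_from: /docs/frontend/webserver/`, which drops the older redirect and breaks any existing links to `/details/webserver/`. Since the page is moving a second time, keep both paths; `redirect_from` accepts a YAML list, so the front matter can carry both the old and the previous URL.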
@ -36,6 +36,19 @@ PORT STATE SERVICE VERSION
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 12.13 seconds
```
We don't have an unique server banner but in combination with the HTML title `Home Assistant`, is it simple to identify Home Assistant instances.
```bash
$ nc 192.168.0.3 8123
GET / HTTP/1.1
host: localhost
HTTP/1.1 200 OK
Server: Python/3.6 aiohttp/3.1.3
[...]
```
One option to avoid this exposure is using a [reverse proxy](/docs/ecosystem/nginx/).
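Review bot: the `nc` transcript shows the request `GET / HTTP/1.1` and `host: localhost` immediately followed by the response, but an HTTP/1.1 request is only complete after an empty line terminates the headers; a reader retyping the session as shown will see nothing until they press Enter again, so add the blank line after the `host:` header. Grammar in the new sentence: "We don't have an unique server banner" should be "We don't have a unique server banner", and "is it simple to identify" should be "it is simple to identify". The point the example makes is that the `Server: Python/3.6 aiohttp/3.1.3` header leaks exact runtime and framework versions; stating that explicitly would strengthen the case for the reverse proxy recommendation that follows.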


@ -63,7 +63,6 @@
<b>{% active_link /docs/frontend/ Frontend %}</b>
<ul>
<li>{% active_link /docs/frontend/mobile/ Android/iOS Homescreen %}</li>
<li>{% active_link /docs/frontend/webserver/ Web server fingerprint %}</li>
<li>{% active_link /docs/frontend/browsers/ Browser Compatibility List %}</li>
</ul>
</li>
@ -98,6 +97,13 @@
<li>{% active_link /docs/tools/keyring/ keyring %}</li>
</ul>
</li>
<li>
<b>{% active_link /docs/security/ Security %}</b>
<ul>
<li>{% active_link /docs/security/webserver/ Web server fingerprint %}</li>
<li>{% active_link /docs/security/porosity/ Porosity %}</li>
</ul>
</li>
<li>
<b>{% active_link /docs/z-wave/ Z-Wave %}</b>
<ul>
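Review bot: the new Security navigation entry lists only the web server fingerprint and porosity pages, while the security landing page added in this same commit tells readers to "Secure your installation" via `/docs/configuration/securing/`; consider linking that page from this section as well so the hardening guidance is reachable from the Security menu.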