jeans/home-assistant.io
jeans/home-assistant.io
1
0
Fork 0
mirror of https://github.com/home-assistant/home-assistant.io.git synced 2025-07-07 17:36:50 +00:00
Code Issues Packages Projects Releases Wiki Activity
home-assistant.io/source/_docs/security/porosity.markdown
h4ckNinja bc3da90247 Minor typo fix (#10255)
2019-08-30 09:49:23 +02:00

190 lines
7.4 KiB
Markdown
Raw Blame History

---
title: "Home Assistant/Hass.io porosity"
description: "Use nmap to scan your Home Assistant instance."
---
As a large amount of users are running [Hass.io](/hassio/), here we are using a Raspberry Pi 3 B and Hass.io 0.70.0 to show how Home Assistant looks from the network side. This is not a full blown investigation, just a quick overview.
The IP address of the Home Assistant machine is 192.168.0.215. The system which is the source of the scans is a machine running Fedora 27 and Nmap 7.60 is used to perform the port scans. Both systems are in the same network.
## SSH server Add-on
To get access to Hass.io in secure way, SSH is provided by the [SSH server add-on](/addons/ssh/).
```bash
$ sudo nmap -A -n --reason -Pn -T5 -p1-65535 192.168.0.215
Starting Nmap 7.60 ( https://nmap.org ) at 2018-05-29 15:08 CEST
Nmap scan report for 192.168.0.215
Host is up, received arp-response (0.00051s latency).
Not shown: 65532 closed ports
Reason: 65532 resets
PORT STATE SERVICE REASON VERSION
22/tcp open ssh syn-ack ttl 63 OpenSSH 7.5 (protocol 2.0)
| ssh-hostkey:
| 2048 e3:a2:2d:20:3a:67:68:b9:b1:9e:16:fa:48:80:82:96 (RSA)
| 256 92:f0:f4:be:4f:44:60:0e:c4:92:8a:cb:34:9e:c5:c2 (ECDSA)
|_ 256 09:da:a2:14:cd:c4:69:e9:13:e6:70:64:98:d0:55:0c (EdDSA)
8123/tcp open http syn-ack ttl 64 aiohttp 3.1.3 (Python 3.6)
|_http-open-proxy: Proxy might be redirecting requests
| http-robots.txt: 1 disallowed entry
|_/
|_http-server-header: Python/3.6 aiohttp/3.1.3
|_http-title: Home Assistant
22222/tcp open ssh syn-ack ttl 64 Dropbear sshd 2016.74 (protocol 2.0)
MAC Address: B8:41:CD:4B:7A:5D (Raspberry Pi Foundation)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.8
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
TRACEROUTE
HOP RTT ADDRESS
1 0.51 ms 192.168.0.215
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 726.23 seconds
```
That port 22 and 8123 are open was expected. On port 22222 is an additional SSH server running. This port is for [debugging](https://developers.home-assistant.io/docs/en/hassio_debugging.html) and supports only a login with a key. This means that you would need to remove the SD card from your Raspberry Pi, create an `authorized_keys` with your SSH public key in it and put the SD Card back in your Pi to get access.
## Mosquitto MQTT broker Add-on
While setting up the [Mosquitto MQTT broker add-on](/addons/mosquitto/) no settings very modified, the add-on was running with the default settings.
```bash
$ sudo nmap -A -n --reason -Pn -T5 -p1-65535 192.168.0.215
Starting Nmap 7.60 ( https://nmap.org ) at 2018-05-29 15:52 CEST
Nmap scan report for 192.168.0.215
Host is up, received arp-response (0.0011s latency).
Not shown: 65532 closed ports
Reason: 65532 resets
PORT STATE SERVICE REASON VERSION
1883/tcp open mosquitto version 1.4.12 syn-ack ttl 63
| mqtt-subscribe:
| Topics and their most recent payloads:
| $SYS/broker/load/connections/5min: 0.39
[...]
| $SYS/broker/load/connections/15min: 0.13
|_ $SYS/broker/clients/total: 2
8123/tcp open http syn-ack ttl 64 aiohttp 3.1.3 (Python 3.6)
|_http-open-proxy: Proxy might be redirecting requests
| http-robots.txt: 1 disallowed entry
|_/
|_http-server-header: Python/3.6 aiohttp/3.1.3
|_http-title: Home Assistant
22222/tcp open ssh syn-ack ttl 64 Dropbear sshd 2016.74 (protocol 2.0)
MAC Address: B8:41:CD:4B:7A:5D (Raspberry Pi Foundation)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.8
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
TRACEROUTE
HOP RTT ADDRESS
1 1.13 ms 192.168.0.215
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 223.76 seconds
```
To secure MQTT to consider to use certificates and to specify users with password under `logins:` at least. Use port 1883 only in your local network.
## Samba Add-on
The [Samba add-on](/addons/samba/) enables one to use a Windows system to access the configuration and other shares. Per default there is no user set. To increase your local security we strongly suggest that you set a username and a password and don't allow guests. A sample configuration could look like the one below.
A port scan for Hass.io with this add-on will give you the details.
```bash
$ sudo nmap -A -n --reason -Pn -T5 -p1-65535 192.168.0.215
Starting Nmap 7.60 ( https://nmap.org ) at 2018-05-29 16:29 CEST
Host is up, received arp-response (0.00045s latency).
Not shown: 65523 closed ports
Reason: 65523 resets
PORT STATE SERVICE REASON VERSION
139/tcp open netbios-ssn syn-ack ttl 64 Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open netbios-ssn syn-ack ttl 64 Samba smbd 4.7.3 (workgroup: WORKGROUP)
8123/tcp open http syn-ack ttl 64 aiohttp 3.1.3 (Python 3.6)
|_http-open-proxy: Proxy might be redirecting requests
| http-robots.txt: 1 disallowed entry
|_/
|_http-server-header: Python/3.6 aiohttp/3.1.3
|_http-title: Home Assistant
22222/tcp open ssh syn-ack ttl 64 Dropbear sshd 2016.74 (protocol 2.0)
MAC Address: B8:41:CD:4B:7A:5D (Raspberry Pi Foundation)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.8
Network Distance: 1 hop
Service Info: Host: HASSIO; OS: Linux; CPE: cpe:/o:linux:linux_kernel
Host script results:
|_nbstat: NetBIOS name: HASSIO, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| smb-os-discovery:
| OS: Windows 6.1 (Samba 4.7.3)
| Computer name: \x00
| NetBIOS computer name: HASSIO\x00
| Workgroup: WORKGROUP\x00
|_ System time: 2018-05-29T16:41:05+02:00
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
| smb2-security-mode:
| 2.02:
|_ Message signing enabled but not required
| smb2-time:
| date: 2018-05-29 16:41:05
|_ start_date: 1601-01-01 00:53:28
TRACEROUTE
HOP RTT ADDRESS
1 0.46 ms 192.168.0.215
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 727.43 seconds
```
139 and 445 are open and it's possible to enumerate the shares. With different tools you will get pretty much the same information.
```bash
$ smbclient -L //192.168.0.215 -U%
Sharename Type Comment
--------- ---- -------
config Disk
addons Disk
share Disk
backup Disk
IPC$ IPC
IPC Service (Samba Home Assistant config share)
Reconnecting with SMB1 for workgroup listing.
Server Comment
--------- -------
Workgroup Master
--------- -------
WORKGROUP HASSIO
```
But without username and password you can't get access to the configuration file with the settings shown here.
```json
[...]
"guest": false,
"username": "homeassistant",
"password": "homeassistant",
"interface": "eth0"
}
```
Reference in New Issue View Git Blame Copy Permalink