Some questions and advice.
- Can you tell which machine(s) are infected?

  Search the IP addresses for both incoming and outgoing connections that the mysterious malware is making. At least one of those will be to a control server and if this is a known malware there might be something published about identifying and cleaning the malware from your machine associated with one of those IP addresses. Also check your DNS requests from this machine. You may need to set up Wireshark on another machine to capture all the packets coming out of the compromised machine.
- What kind of authentication did you have set up for your SSH server?
- What kind of authentication did you have set up for your OH server (reverse proxy)?
The two most common uses these days are adding a machine to a Denial of Service bot farm or crypto mining.
- Someone can add a Rule through the REST API.
- A Rule can call executeCommandLine.
You can guess the rest. It doesn’t really even matter if there are vulnerabilities in the UIs (there almost certainly are). OH is unsuitable to be put on the Internet without added encryption and authentication by design. One of its major use cases is itself a more than sufficient vulnerability to compromise a machine.
And this is why the openhab user needs to be a limited right user. And this is why you shouldn’t give the openhab user access to ssh to other machines or sudo permissions.
KeePass also has a plug-in that will let you put your SSH certificates into it and it acts like Pageant on a Windows machine.
Depending on how you set up your ssh access, that might actually be the more likely route of entry. I doubt that OH is popular enough yet to be worth building an automated tool to look for and compromise machines. Though that is always a possibility, and there might be some vulnerability with Jetty that could have been attacked without the attacker ever knowing or caring that they were attacking openHAB.
- Did you have certificate only logins or did you allow passwords? Bonus if you have a password on the certificate.
- You already posted that you are using a non-standard port which is good.
- Fail2Ban?
For those looking to expose OH to the internet, just don’t do it. If you can’t or won’t use myopenhab.org, rent a virtual server somewhere and host your own instance of the Cloud Server. At a minimum, if you know how to monitor it for compromise, use a reverse proxy.
For those looking to use SSH:
- Configure it to only allow logins using certificates, preferably put a password on your certificate. No password logins allowed.
- Use a non-standard port which will avoid a lot of the automated dumb attacks.
- Set up Fail2Ban
- Consider setting up a remote SSH proxy. How to access a Linux server behind NAT via reverse SSH tunnel
Also consider other options like VPN and remote management proxies like https://www.pitunnel.com/. Anything you can do to avoid opening a port in your firewall the better off you will be.
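A quick way to check the SSH advice above against a server's own sshd_config, as an added example that is not part of the original post: it assumes standard OpenSSH keyword names (PasswordAuthentication, KbdInteractiveAuthentication, PubkeyAuthentication, Port), works on constructed sample configs, and does not handle Match blocks.

```shell
#!/bin/sh
# Added example, not from the original post: audit an OpenSSH sshd_config
# against the advice above (key-only logins, no passwords, non-default port).
# Findings go to stderr, the number of findings to stdout.
# Assumes standard OpenSSH keyword names; "Match" blocks are not handled.

# First non-comment value of keyword $2 in file $1, else default $3.
# OpenSSH uses the FIRST value obtained for each keyword, so a hardened
# line appended at the end is ignored if an earlier line already set it.
ssh_setting() {
  val=$(awk -v k="$2" 'tolower($1) == tolower(k) { print $2; exit }' "$1")
  if [ -n "$val" ]; then echo "$val"; else echo "$3"; fi
}

audit_sshd_config() {
  cfg=$1
  n=0
  if [ "$(ssh_setting "$cfg" PasswordAuthentication yes)" != no ]; then
    echo "PasswordAuthentication: password logins are allowed" >&2
    n=$((n + 1))
  fi
  # Keyboard-interactive (PAM) is a second password path; newer OpenSSH
  # calls it KbdInteractiveAuthentication, older ChallengeResponseAuthentication.
  kbd=$(ssh_setting "$cfg" KbdInteractiveAuthentication \
        "$(ssh_setting "$cfg" ChallengeResponseAuthentication yes)")
  if [ "$kbd" != no ]; then
    echo "KbdInteractiveAuthentication: PAM password prompts still allowed" >&2
    n=$((n + 1))
  fi
  if [ "$(ssh_setting "$cfg" PubkeyAuthentication yes)" != yes ]; then
    echo "PubkeyAuthentication: key logins are disabled" >&2
    n=$((n + 1))
  fi
  if [ "$(ssh_setting "$cfg" Port 22)" = 22 ]; then
    echo "Port: still the default 22, which draws the automated scans" >&2
    n=$((n + 1))
  fi
  echo "$n"
}

# Constructed samples: a stock-looking config (all defaults commented out)
# next to a hardened one following the list above.
WEAK_CFG=$(mktemp); HARD_CFG=$(mktemp)
printf '%s\n' '#Port 22' '#PasswordAuthentication yes' 'UsePAM yes' > "$WEAK_CFG"
printf '%s\n' 'Port 2222' 'PubkeyAuthentication yes' \
  'PasswordAuthentication no' 'KbdInteractiveAuthentication no' > "$HARD_CFG"
```

Run it as `audit_sshd_config /etc/ssh/sshd_config` on a real host; the weak sample above yields three findings and the hardened one none.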